Privacy Policy
Effective 2026-05-28 · Last updated 2026-05-28
This Privacy Policy explains how MerchantFlow Pty Ltd (ABN 94 693 972 208), a company registered in Australia (“MerchantFlow”, “we”, “us”, “our”), collects, uses, shares, and protects your information when you use TrustProfit at trustprofit.io. TrustProfit is operated as a sub-brand of MerchantFlow.
When you sign in to TrustProfit through a Shopify or WooCommerce store, a corresponding MerchantFlow tenant is provisioned under the same account so that we can verify your store metrics. The same MerchantFlow Privacy Policy applies to that tenant; this policy describes the TrustProfit-specific surface on top of it.
By using TrustProfit you agree to the collection and use of information as described below.
What information we collect
Account information
- Email address — for sign-in (magic link), transactional notifications, and offer routing.
- Name and optional profile image — for personalisation and identification in deal threads.
- We do not store a password. Sign-in is by emailed magic link only.
Federation identifiers
If you sign in through Shopify or WooCommerce we store identifiers that link your TrustProfit account to your MerchantFlow tenant: MerchantFlow user ID, MerchantFlow tenant ID, your connected shop domain, and the primary sign-in method you used. Any OAuth tokens associated with the integration are stored encrypted at rest and used only to verify the metrics shown on your listing.
Listings you submit
When you submit a store to the leaderboard we collect the store name, domain, country, platform, category, monthly revenue, monthly profit, monthly orders, sale status, and (if applicable) asking price. These fields are public once the listing is posted — that is the product. You can request a listing be hidden or deleted at any time.
Anonymous listings
If you mark a listing as anonymous, your real store name and domain are still stored on our servers but are masked behind a seller-chosen alias and a deterministic pseudo-handle on the public leaderboard. Your identity is revealed to a specific buyer only after that buyer signs the NDA on your listing. Anonymity is conditional, not absolute.
Verified metrics
For stores connected to a MerchantFlow tenant, monthly revenue, profit, and order counts shown on the chart are pulled from the live Shopify or WooCommerce data MerchantFlow already holds for that store. This is what the “Verified by MerchantFlow” badge means. Verified figures override anything self-reported on the same listing.
Offers, messages, and NDAs
- Offer amounts, offer structure (cash, earnout, equity, etc.), counter-offers, and accepted-deal terms.
- Free-text message bodies you send in deal threads, plus optional buyer name and buyer company you choose to share.
- For each NDA you sign in-app, the typed signature name, the IP address at the time of signature, the document version, and the signed-at timestamp — retained as the legal record of the signature.
- An activity log of state changes on each thread (offer made, NDA signed, identity revealed, escrow opened, deal accepted, etc.).
Escrow data
When you open an escrow on an accepted deal we store the Escrow.com transaction ID, the hosted-page URL, the amount, the fee split, and the inspection and release timestamps. The KYC documents, payment instruments, and identity verification needed to fund and release the escrow are collected by Escrow.com on its own hosted pages — we never see or store that material.
Session and device data
For each active session we store an opaque session token, the IP address the session was created from, the browser user agent string, and an expiry timestamp. We also set a short-lived CSRF cookie during the MerchantFlow sign-in handshake.
How we use your data
- Operate the public leaderboard, ranking, and store detail pages.
- Verify metrics for connected stores against live MerchantFlow data.
- Route offers between buyer and seller, gate identity reveal behind NDA signature, and surface unread threads in the inbox.
- Maintain the legal record of NDA signatures (signed name + IP + timestamp) for dispute defence.
- Hand off accepted deals to Escrow.com and reconcile transaction state via webhooks and polling.
- Send transactional email (magic links, offer notifications, NDA receipts, escrow status). You cannot opt out of transactional email while your account is active.
- Detect abuse, investigate suspicious activity, and fix bugs.
What is public
By design, the following data is public on TrustProfit and may be indexed by search engines: a listing’s rank, public name (or anonymous alias), category, platform, country, sale status, monthly revenue, monthly profit, monthly orders, trend chart, and whether the listing is verified by MerchantFlow. Public listings of recently acquired stores include acquirer information that the parties agreed to disclose.
Anything else — including the contents of deal threads, offer amounts on private offers, NDA signatures, and Escrow.com transaction details — is private to the parties on the deal.
Sharing and subprocessors
We share data only with service providers necessary to operate TrustProfit:
- Postmark — delivery of transactional email (magic-link sign-in, offer notifications, NDA receipts).
- MerchantFlow — the parent platform. Same legal entity, called out separately for transparency. Used for federated sign-in and to verify Shopify or WooCommerce metrics for connected stores.
- Escrow.com — KYC, payment processing, and funds custody for accepted deals. Escrow.com’s own privacy policy governs what they collect on their hosted pages.
- Hosting and queue infrastructure — application hosting, the Postgres database, and the Redis queue that holds short-lived job payloads (refresh, rank recompute, notification dispatch, escrow polling).
MerchantFlow does not sell, rent, or trade your personal information or business data to any third party.
We may disclose data when required by a valid court order or government request, to protect the rights and safety of users or the public, or to enforce our Terms of Service.
Data security
- All traffic is served over HTTPS (TLS 1.2 or higher).
- Federation OAuth tokens are encrypted at rest.
- Magic-link tokens expire after 5 minutes; the sign-in CSRF cookie expires after 10 minutes. Sessions expire on the schedule set by our auth library and are revocable from the sign-out flow.
- Listings, threads, NDAs, and escrow rows are isolated per user; row-level access checks run on every API route.
- Escrow.com webhooks are HMAC-verified before any state change.
Your rights
You can:
- Access a copy of the personal data we hold about you.
- Correct account or listing details that are wrong.
- Delete your account. Deleting your account cascades through your listings, threads, messages, NDAs, sessions, and federated account links. A minimal activity log of any deal that reached escrow is retained for accounting and dispute defence for the period required by Australian law.
- Export your data on request.
- Object to specific processing.
To exercise any of these rights, email [email protected]. We respond within 30 days.
GDPR
If you are located in the European Union or European Economic Area, additional rights apply under the GDPR including rectification, erasure, data portability, restriction of processing, objection, and withdrawal of consent. Our legal bases for processing are contract performance, legitimate interests (running and securing the marketplace), consent (where you provided it), and legal obligation.
For full GDPR detail covering the underlying MerchantFlow platform, see docs.merchantflow.ai/legal/gdpr.
Cookies
TrustProfit currently sets only essential cookies: a session cookie issued by our auth library so you stay signed in, and a short-lived CSRF cookie (tp_oauth_state) used during the MerchantFlow sign-in handshake. We do not use advertising, cross-site tracking, or third-party analytics cookies on TrustProfit at this time. Your theme preference is stored in browser local storage, not in a cookie.
Data retention
- Sessions — expire automatically on the schedule set by the auth library.
- Magic-link tokens — valid for 5 minutes.
- Sign-in CSRF cookie — expires after 10 minutes.
- Queue job payloads — retained 24 hours on success, up to 7 days on failure for debugging.
- Closed accounts — 30-day grace period during which you can reactivate, then the account and its associated data are permanently deleted from primary storage. Backups are purged within 90 days.
- NDA signatures and escrowed deal records — retained for the period required by Australian law to support audit and dispute resolution, even after account closure.
Children's privacy
TrustProfit is not directed at individuals under the age of 18 and we do not knowingly collect personal information from children.
Changes to this policy
Material changes are communicated by email and in-app notification with at least 30 days’ notice. Continued use after the change takes effect constitutes acceptance.
Contact
- Privacy inquiries: [email protected]
- General contact: [email protected]