Information Security Policy

FlowHelen (sole proprietorship) — Effective date: June 12, 2026 — Last reviewed: June 12, 2026

1. Purpose and scope

This policy describes how FlowHelen protects the information it handles, including customer and order data processed through our e-commerce platforms (Shopify and TikTok Shop). It applies to the owner and to any future personnel or contractors with access to FlowHelen systems.

2. Data we handle

FlowHelen processes customer names, shipping addresses, email addresses and order details strictly to fulfill orders and provide customer support. We do not sell personal data. Payment card data is processed by our payment providers (Shopify Payments / PayPal) and is never stored on FlowHelen systems.

3. Access control

Access to systems containing personal data is restricted to authorized personnel only (currently the owner). Each account uses a unique, strong password and multi-factor authentication where the platform supports it. Access rights are reviewed when roles change and are revoked immediately when no longer needed.

4. Device and network security

Work devices are protected with screen locking, up-to-date operating systems, and active antivirus/anti-malware protection. Automatic security updates are enabled. Data in transit is protected with TLS/HTTPS on all platforms we use.

5. Data storage and encryption

Customer data resides within the secured infrastructure of our platform providers (Shopify, TikTok Shop), which maintain industry-standard encryption at rest and in transit. Data is physically stored and processed in the United States.

6. Vulnerability and threat management

Operating systems, browsers and applications are kept current with automatic updates. Security advisories from our platform providers are reviewed and applied. Suspicious activity (unexpected logins, phishing attempts) is investigated immediately.

7. Incident response

If a security incident affecting personal data is suspected or identified, FlowHelen will: (a) contain and assess the incident, (b) notify affected platforms (e.g., TikTok Shop, Shopify) and affected individuals without undue delay and within 72 hours of confirmation, and (c) document the incident and corrective actions taken.

8. Data retention and deletion

Personal data is kept only as long as needed to fulfill orders, meet legal obligations, and handle disputes. We honor verified requests to delete, update or provide a copy of personal data. At the end of a contractual relationship with a platform, collected customer data from that platform is deleted from our systems.

9. Review

This policy is reviewed and updated at least annually by the owner.

10. Contact

Security and privacy contact: user1shein@gmail.com