Privacy Policy

1. Data Controller

The party responsible for data processing on this website and in the app is:

A Data Protection Officer is not required pursuant to Art. 37 GDPR in conjunction with § 38 BDSG. For data protection inquiries, please contact: datenschutz@shopipixel.de

2. Scope

This privacy policy covers the processing of personal data when using the Shopify app "ShopiPixel" (app.shopipixel.de). For data processing on our marketing website shopipixel.de, please see our separate privacy policy.

2a. Minimum Age

ShopiPixel is a B2B service aimed exclusively at entrepreneurs within the meaning of §14 BGB (German Civil Code). We do not knowingly collect personal data from persons under 16 years of age. Should we become aware that data from a person under 16 has been collected, we will delete it immediately.

3. What data do we process?

3.3 Shop Data (App Users)

When installing the app, we process:

• Shop domain (e.g., myshop.myshopify.com)
• Shop name
• Email address of the shop owner
• Currency and timezone

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)

3.3a Platform Credentials

To connect the advertising platforms configured by the store owner, we store:

• OAuth tokens (refresh tokens) for authentication with third-party platforms (e.g., Google Ads, Microsoft Ads via Azure Active Directory) as well as API access tokens (bearer tokens) for other platforms (e.g., LinkedIn)
• Platform account information (account ID, account name)
• Platform-specific configuration data (e.g., conversion actions, UET Tag IDs, conversion goals, pixel IDs)
• API keys and access tokens (as entered by the store owner)

All credentials are stored encrypted on our own servers in Germany. Each store has its own encryption key.

When a platform connection is disconnected or the app is uninstalled, the associated tokens are revoked at the respective platform and all stored credentials are deleted.

When connecting via Microsoft Account (Azure Active Directory) OAuth, the Microsoft Account ID of the store owner is used in the OAuth token exchange with Microsoft Corporation (USA). Legal basis: Art. 6(1)(b) GDPR (performance of contract). Microsoft is certified under the EU-US Data Privacy Framework (see §4.3).

Note on Microsoft Ads: Microsoft (Azure Active Directory) does not provide a server-side token revocation endpoint (RFC 7009 is not supported). Upon disconnection or uninstallation, ShopiPixel removes the refresh token from its own database; a server-side revocation at Microsoft by ShopiPixel is technically not possible. Store owners can additionally revoke the app authorization at Microsoft at any time via https://account.microsoft.com/privacy/app-access — this ensures complete deletion at Microsoft.

For Microsoft Ads, we additionally use the Microsoft Advertising Offline Conversions API: Upon orders, cryptographically hashed email addresses and phone numbers (Enhanced Conversions) are transmitted to Microsoft together with the Microsoft Click ID (msclkid) to attribute ad conversions.

Credentials and data retrieved via APIs are used exclusively to provide the commissioned service and are never sold or shared with third parties for other purposes.

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.4 Tracking Data

To provide server-side tracking, we process on behalf of the store owner:

• Event type (e.g., PageView, AddToCart, Purchase)
• Event timestamp
• Product IDs and names
• Order values and currencies
• URL of the visited page

Legal basis: Art. 6(1)(b) GDPR (performance of contract). ShopiPixel processes this data as a data processor pursuant to Art. 28 GDPR on behalf of the shop owner. The legal basis for the processing of end-customer data is determined by the shop owner as the controller.

3.5 Browser Identifiers

To attribute events, we process:

• Client ID (GA4)
• Pixel IDs (_fbp, _ttp)
• Click IDs (_fbc, gclid, wbraid, gbraid, ttclid, msclkid, epik, scid, li_fat_id)

Click IDs and cookie IDs are stored as pseudonymous identifiers. In combination with platform data, these enable attribution, but are not directly personal data on their own. Email addresses and phone numbers are pseudonymized using state-of-the-art methods before storage. Browser identifiers are stored as first-party cookies on the shop's domain. They do not contain real names or directly identifying data, but pseudonymous identifiers (UUIDs and click IDs) for cross-platform event attribution. To improve attribution quality, the end customer's IP address and user agent are captured server-side and transmitted to the configured advertising platforms (Meta, TikTok, Pinterest in plaintext; Snapchat in hashed form; Microsoft Ads receives no IP address as the UET tag operates browser-side and the Offline Conversions API does not transmit IP). This data is not stored in our database but processed exclusively at the time of transmission.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). ShopiPixel processes this data as a data processor pursuant to Art. 28 GDPR on behalf of the shop owner. The legal basis for the processing of end-customer data is determined by the shop owner as the controller.

3.6 End Customer Data

During checkout events, we process:

• Email address (hashed)
• Phone number (hashed, if available)
• First and last name (hashed)
• Shipping address (country/region only)

Customer Enrichment (Scale/Enterprise) To improve Event Match Quality, Scale and Enterprise plans can retrieve additional customer data (email, phone, first/last name, city, region, zip code, country — where not already available in the event) via the Shopify Admin API. This data is temporarily cached for a maximum of 24 hours and then automatically deleted. No permanent storage of this plaintext data occurs in our database.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). ShopiPixel processes this data as a data processor pursuant to Art. 28 GDPR on behalf of the shop owner. The legal basis for the processing of end-customer data is determined by the shop owner as the controller.

3.6a Audience Synchronization

On instruction of the store owner, ShopiPixel may transmit hashed customer data to advertising platforms for the creation of Custom Audiences. The following data is processed:

• Email addresses (cryptographically hashed)
• Phone numbers (cryptographically hashed, if available)

Only state-of-the-art hashed values are transmitted. Plaintext data is never sent to the recipient platforms.

Recipients: Meta Platforms Ireland Ltd. (Custom Audiences API), Google LLC (Customer Match API), TikTok Technology Limited (Custom Audiences API) and Pinterest, Inc. (Customer Lists API) — only the platforms configured by the store owner in the app settings.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring advertising effectiveness; balancing test documented in internal procedural records). The legal basis vis-à-vis end customers is determined and ensured by the store owner as controller (typically consent pursuant to Art. 6(1)(a) GDPR via the cookie banner of the store). Insofar as ShopiPixel acts as a processor pursuant to Art. 28 GDPR, the processing is carried out on documented instruction of the store owner.

3.6b Customer Journey Analysis

To optimize conversion funnels, ShopiPixel analyzes the sequence of events (e.g. PageView → AddToCart → Purchase) at shop level.

• Pseudonymized journey identifier (not traceable to individual persons)
• Click IDs of advertising platforms (for channel attribution)
• Event types and timestamps

No email addresses, names or other directly identifying data is used for the journey analysis. Results are presented exclusively in aggregated form.

Legal basis: Art. 6(1)(b) GDPR (contract performance). Insofar as ShopiPixel acts as a processor, the processing is carried out on instruction of the store owner.

3.6c Ad Spend Import

On instruction of the store owner, ShopiPixel may retrieve aggregated financial data from advertising platforms:

• Ad spend per campaign
• Impressions and clicks (aggregated)
• Campaign names

Only aggregated financial data without personal reference is retrieved. This data is used to calculate advertising efficiency metrics (e.g. ROAS).

Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.6d Cohort Analysis

To determine long-term customer value (LTV), ShopiPixel computes cohort statistics:

• Pseudonymized customer identifier (in memory only, not stored in database)
• Cohort assignment by first purchase date
• Aggregated revenue and purchase frequency data per cohort

Individual customer data is processed exclusively in memory and not permanently stored. Only aggregated results at cohort level are stored in the database (e.g. "customers with first purchase in January: average X purchases").

Legal basis: Art. 6(1)(b) GDPR (contract performance). Insofar as ShopiPixel acts as a processor, the processing is carried out on instruction of the store owner.

3.6e Custom Reports

Store owners can configure custom reports based on aggregated statistics:

• Aggregated daily statistics (conversions, revenue, events)
• Platform-specific performance metrics

Reports are based exclusively on already aggregated data and do not contain any personal end customer data.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.6f Data Export

Store owners can export event data for further processing:

• Event metadata (type, timestamp, platform)
• Aggregated order data (value, currency)

Before export, personal data is removed or pseudonymized. The export may contain pseudonymized visitor IDs (cryptographically hashed with a server-side key) that cannot be linked to individuals without the server-side key. The store owner determines the destination and frequency of the export.

Legal basis: Art. 6(1)(b) GDPR (contract performance). Insofar as ShopiPixel acts as a processor, the processing is carried out on instruction of the store owner.

3.6g Configurable Alerts

Store owners can configure notification rules for metrics:

• Thresholds for KPIs (e.g. conversion rate, revenue)
• Delivery channel (email or webhook)

Alerts are based on aggregated shop statistics and do not contain personal end customer data. For webhook delivery, the configured URL is checked for security.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.6h Data-Driven Attribution

ShopiPixel can calculate the contribution of individual advertising channels to conversions using statistical models:

• Click IDs of advertising platforms (for channel attribution)
• Conversion paths (anonymized channel sequences)

Attribution is performed exclusively based on click IDs and channel assignments. No email addresses or other directly identifying data is used. Results are stored as weighting factors per channel.

Legal basis: Art. 6(1)(b) GDPR (contract performance). Insofar as ShopiPixel acts as a processor, the processing is carried out on instruction of the store owner.

3.6i Real-Time Events

ShopiPixel provides a real-time view of incoming events in the dashboard:

• Event type and timestamp
• Platform attribution

Real-time data is ephemeral and not permanently stored. The stream does not contain personal end customer data.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

3.6j Agency Links and Cross-Shop Data Sharing

ShopiPixel allows a shop to be linked with an agency account (ENTERPRISE customer). The link is established exclusively through a two-stage opt-in: The agency account owner sends an invitation, and the shop owner actively confirms it via the in-app dialog. Without this confirmation, no data is shared.

• Aggregated business statistics (revenue, events, ROAS, cohorts, attribution weights, audience sync status, export logs, alert history)
• Ad spend and campaign metrics from connected advertising platforms
• Shop meta data (domain, name, plan status)
• Shop owner contact email (for communication in the agency context, e.g. invitations, automatic termination notices)
• Sub-store platform configuration (which advertising and analytics platforms are connected, connection status and validation results — without the credentials themselves)
• Sub-store event and quota usage (number of orders processed per billing period, share of the agency owner's total quota)

Not shared: personal data of end customers (email, phone, name, address), Shopify access tokens, or payment data.

Two link types

• Agency-managed: The agency owner is a service provider and becomes a further recipient within the meaning of Art. 4(9) GDPR. The shop owner remains the controller of the end customer data.
• Own organization: The agency owner and the shop owner belong to the same organization (multi-shop operation). Both shops have the same controller.

Delegatable permissions (14 categories)

When confirming the invitation, the shop owner decides which of the following permissions to grant to the agency owner. Each permission is individually selectable:

• View statistics (aggregated KPIs, dashboards)
• Manage platform credentials (add, change, remove)
• Manage event configuration (event toggles, custom events)
• Manage tracking settings (collection mode, retention)
• Manage server-side Google Tag Manager
• Manage headless SDK and API keys
• Disconnect ad accounts (only removal of existing connections)
• Manage audiences and sync them to platforms
• Manage alerts and notification rules
• Manage scheduled reports
• Set up custom domain
• Download data (CSV/XLSX export, data warehouse export)
• Import data (e.g., bulk credentials import)
• Debug console and shop diagnostics

Legal basis and recipients

The data sharing is based on the explicit consent of the shop owner pursuant to Art. 6(1)(a) GDPR. The consent is documented in the consent log pursuant to Art. 7(1) GDPR.

For agency-managed links, the agency owner is a further recipient within the meaning of Art. 4(9) GDPR. They are not a sub-processor of ShopiPixel, but an independent ShopiPixel customer with their own contractual relationship.

For own-organization links, the agency owner is the same controller as the shop owner.

Storage period

Data sharing only takes place while the agency link is active. After the link ends (through revocation, cancellation of the agency account, loss of the agency owner's ENTERPRISE plan, or app uninstallation), the sharing stops immediately. Audit log entries related to the link are retained to fulfill the accountability obligation (Art. 5(2) GDPR).

Data Export Period After Termination

After termination of the agency link (through revocation, auto-revoke upon owner plan loss, or app uninstallation), ShopiPixel grants the shop owner a period of 14 calendar days for data export. During this period, the ENTERPRISE data retention rules continue to apply (365-day event retention). After the period expires, the retention period of the then-applicable standard plan automatically takes effect (FREE: 7 days). The shop owner is notified three times by email about the deadline: on the day of termination, two days before expiry, and on the day of expiry.

Right to revoke (Art. 7(3) GDPR)

The shop owner may revoke consent at any time without affecting the lawfulness of the processing carried out until the revocation. The revocation is done in the app settings under "Linked organization" via the "End link" button. The revocation takes effect immediately: the agency owner loses all access from that moment. After revocation, the shop falls back to the FREE plan.

Automatic termination upon agency owner plan loss

If the agency account owner loses their ENTERPRISE plan — for example through cancellation, downgrade, subscription expiry, charge decline, or app uninstallation — the agency link is automatically terminated. This termination is a contractually agreed automatic consequence of the loss of the owner plan and does not constitute an automated decision within the meaning of Art. 22 GDPR (no profiling, no evaluation). The sub-store plan is reset to FREE (50 events per month) and no further events are routed through the agency owner.

The affected shop owner is promptly notified by email about the automatic termination and can subsequently choose their own plan.

Legal basis: Art. 6(1)(a) GDPR (consent of the shop owner). Additionally Art. 6(1)(b) GDPR for the contractual ancillary obligations resulting from the consent (audit logging, revocation management).

3.6k Headless SDK (Server-to-Server)

The Headless SDK enables direct transmission of e-commerce events from external frontend applications (custom storefronts, PWAs) to ShopiPixel.

• Event types (PageView, AddToCart, Purchase etc.)
• Product data (IDs, names, categories, prices)
• Order data and values
• Hashed PII (email, phone, name — if transmitted)
• Browser and device identifiers

As with the standard web pixel, personal data is cryptographically hashed before storage. The shop owner controls which data is transmitted.

Legal basis: Art. 6(1)(b) GDPR (contract performance). ShopiPixel processes this data as a data processor pursuant to Art. 28 GDPR on the instructions of the shop owner.

3.6l Offline Deal Data (Enterprise Feature)

On the Enterprise plan, ShopiPixel offers the ability to transmit business deals closed outside the online shop (offline deals such as telephone contracts or offline appointments) to the advertising platforms connected by the shop owner, in order to measure the effectiveness of prior ad clicks.

Data categories (hashed or pseudonymous values only):

• Cryptographically hashed email address of the customer
• Cryptographically hashed phone number (E.164 format or digit-only depending on the target platform)
• Click identifiers from URL parameters of the original ad clicks (gclid, gbraid, wbraid, fbclid, msclkid, ttclid, epik, scid, liFatId)
• Existing browser cookie values (_fbc, _fbp, _gcl_aw, _ttp) if set during the initial visit
• Deal amount, currency and deal date
• Deal source as free-text label (e.g. "phone sale")

No plaintext contact data is transmitted to the advertising platforms. Contact data is hashed locally using state-of-the-art procedures before transmission.

Purpose: Transmission to the advertising platforms connected by the shop owner for retrospective conversion attribution (offline conversion upload). The hashed contact data additionally enables the advertising platforms to perform a direct match against their own user base (enhanced matching) — in particular for deals without a prior ad click for which no click identifier is available.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring advertising effectiveness) in conjunction with § 25 TTDSG (marketing consent via the Shopify Customer Privacy API). Where ShopiPixel acts as a processor pursuant to Art. 28 GDPR, processing is carried out on the documented instructions of the shop owner.

Recipients (depending on shop owner configuration): Meta Platforms Ireland Ltd. (Ireland), Google Ireland Limited (Ireland), Microsoft Ireland Operations Ltd. (Ireland), TikTok Technology Ltd. (Ireland), LinkedIn Ireland Unlimited Company (Ireland), Snap Group Ltd. (Ireland), Pinterest Europe Ltd. (Ireland), Klaviyo, Inc. (USA).

Third-country transfers: The European entities of the advertising platforms forward data to their US parent companies. For Meta, Google, Microsoft, LinkedIn, Snap, Pinterest and Klaviyo the EU-US Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023) applies. For TikTok, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are used; the prior hashing of contact data serves as an additional safeguard.

Right to object (Art. 21 GDPR): The end customer can object to this processing at any time. The objection can be declared by withdrawing the marketing consent in the shop's storefront or by contacting the shop owner.

Retention: Temporarily captured contact templates (LeadCapture cache) prior to transmission are automatically deleted after 90 days (configurable up to a maximum of 180 days). Offline deal records are kept for the duration of the contract plus 30 days and are automatically deleted afterwards.

3.6m Event-Trigger and Shopify Flow Action Data (Enterprise Feature)

Also on the Enterprise plan, an event-trigger feature is available. The shop owner can define events in the storefront (e.g. form submissions, clicks on specific elements, URL matches) or events from Shopify itself (webhook mapping or a Shopify Flow action) as triggers to send a custom platform event to the connected advertising platforms.

Data categories:

• Technical trigger metadata (trigger type, URL pattern, form name, element ID)
• Event context data (event name, timestamp, currency, value if relevant)
• The browser identifiers of the end customer described in Section 3.5, where required for attribution
• Cryptographically hashed contact data — only upon explicit configuration by the shop owner, following the same principles as in Section 3.6l

Additional trigger source Shopify Flow: The shop owner can integrate ShopiPixel as an action in a Shopify Flow automation. When the action is triggered, Shopify transmits the order, customer or cart metadata selected in the flow context to ShopiPixel. Before forwarding to an advertising platform the payload runs through the same allowlist and hashing logic as a regular event trigger — plaintext contact data is not forwarded.

Purpose: Extension of the standard tracking events with custom business events for more precise measurement of advertising effectiveness.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring advertising effectiveness) in conjunction with § 25 TTDSG (consent via the shop's Shopify Customer Privacy API, where browser identifiers are involved). Where ShopiPixel acts on the shop owner's behalf as a processor, processing takes place on their documented instructions (Art. 28 GDPR).

Recipients, third-country transfers and the right to object are equivalent to Section 3.6l.

Retention: Trigger configurations and trigger-log entries are retained for the duration of the Enterprise contract and are automatically deleted 30 days after termination. Delivery logs of the triggered events are subject to the event retention pursuant to Section 6 (30–365 days, plan-dependent).

3.6n Public REST API (Enterprise feature)

On the Enterprise plan, ShopiPixel provides a public REST interface for server-to-server transmission of e-commerce events. Unlike the Web Pixel (browser-based) and Shopify Webhooks (triggered by Shopify), this API allows the shop owner to make direct calls from their own server applications, backend systems or third-party systems using a bearer token for authentication.

Data categories (identical to processing via the Headless SDK, Section 3.6k):

• Event types (PageView, AddToCart, Purchase, etc.)
• Product data (IDs, names, categories, prices)
• Order data and values
• Cryptographically hashed contact data (email, phone, name — if transmitted by the shop owner)
• Browser and device identifiers

Purpose: Transmission of the events to the advertising platforms configured by the shop owner for measuring advertising effectiveness — analogous to the other ingress channels (Web Pixel, Headless SDK, Shopify Webhooks, Shopify Flow Action).

Recipients: The advertising platforms connected by the shop owner — identical to the recipients listed in Section 3.6 and 3.6l. No new sub-processors and no new third-country transfers are added.

Routing: API calls are always routed to app.shopipixel.de (Hetzner Online GmbH, Falkenstein data centre, Germany), regardless of whether a custom domain is configured for the shop. Any configured custom domain serves storefront-side tracking integration only and is not used for the API.

Legal basis: Art. 6(1)(b) GDPR (contract performance vis-à-vis the shop owner). ShopiPixel processes this data as a data processor pursuant to Art. 28 GDPR on the instructions of the shop owner. Where browser identifiers or hashed contact data are forwarded to advertising platforms, the end-customer consent via the Shopify Customer Privacy API (§ 25 TTDSG) applies analogously to Section 3.6.

Retention: Identical to the event retention pursuant to Section 6 (30–365 days, plan-dependent).

3.7 Consent Logs

To fulfill our obligation to provide evidence (Art. 7(1) GDPR, §25 TDDDG), we log:

• Type of consent (e.g., cookie consent, terms acceptance, DPA acceptance)
• Timestamp of consent
• IP address (hashed)
• Browser identifier
• Document version of the accepted documents

Legal basis: Art. 6(1)(c) GDPR (legal obligation to provide evidence)

3.8 Email Reports

From the Growth plan, automatic email reports can be configured. These emails do not contain tracking pixels or other tracking technologies.

Legal basis: Art. 6(1)(b) GDPR (contract performance — user-configured reporting feature)

3.9 Newsletter

You can subscribe to our newsletter via the ShopiPixel app. In doing so, we process:

• Email address
• Language (German/English)
• Source of subscription (app)
• Timestamp of subscription and confirmation

We use a double opt-in process: After signing up, you will receive a confirmation email. Your subscription is only activated after clicking the confirmation link.

You can unsubscribe from the newsletter at any time via the unsubscribe link in every email. After unsubscribing, your email address will no longer be used for newsletter delivery.

Legal basis: Art. 6(1)(a) GDPR (consent via double opt-in)

3.10 Notifications About Contractual Changes

We inform you by email to the email address registered with Shopify about material changes to our Terms of Service, Data Processing Agreement (DPA) or Privacy Policy.

Data processed:

• Email address of the shop owner
• Time of notification
• Delivery status

Legal basis: Art. 6(1)(b) GDPR (contract performance — duty to inform about contractual changes) and Art. 6(1)(c) GDPR (legal obligation).

Notification records are stored for the duration of the business relationship plus the statutory limitation period.

These notifications are contractually relevant and do not require separate consent. Unsubscribing is not possible as the information is legally required.

3.11 Fraud Prevention and Security Monitoring

To protect our service and users from abuse, fraud, and unauthorized access, we employ automated security measures:

• Detection of unusual usage patterns (e.g., abnormal event volumes)
• Detection of access attempts with invalid identifiers
• Integrity checks of billing data
• Blocking of suspicious requests

Data processed in this context:

• IP address (temporary, for access pattern detection)
• Aggregated usage statistics (event volumes per shop)
• Billing data (plan consistency verification)

No profiling of natural persons takes place. Monitoring relates exclusively to technical access patterns and shop account integrity.

Temporary access data is automatically deleted after a maximum of 5 minutes. Security alerts are stored in the audit log (see Section 6).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in protecting the service from abuse and fraud)

Legal Basis Overview

4. Data Sharing with Third Parties

4.1 Advertising Platforms

On instruction of the shop owner, we transmit tracking data to:

• Meta (Facebook/Instagram)
• Google (Analytics 4, Ads)
• TikTok
• Pinterest
• Snapchat
• LinkedIn
• Microsoft Ads
• Klaviyo
• Custom Webhooks (user-defined endpoints, if configured)

For custom webhooks, the store owner determines the scope of transmitted data (minimal, standard or full). In "full" mode, all available data including email, phone, name, address, IP address and user agent is transmitted in plaintext. The store owner is responsible as the data controller for the lawfulness of data transmission to the configured endpoint.

The transmission takes place via the server-side APIs of these platforms.

Legal basis: Art. 6(1)(b) GDPR (contract fulfillment with the shop owner)

4.2 Infrastructure Providers

To provide the service, we use:

Our infrastructure data processing takes place on servers in Germany. The app server (tracking, API, dashboard) is operated by Hetzner Online GmbH in Germany. The website server (marketing website) is operated by IONOS SE. Backups are stored encrypted at Hetzner Online GmbH in Germany. The transmission of tracking data to the platforms listed under 4.1 takes place in the USA and potentially other third countries. The basis for the third-country transfer per platform is as follows: The DPF certification status of each provider is verified quarterly at https://www.dataprivacyframework.gov. In the event of loss of certification, Standard Contractual Clauses (SCCs) apply as a guarantee pursuant to Art. 46 GDPR as fallback.

Third-country transfer by platform

Status of third-country transfers for the supported advertising platforms:

• Meta Platforms, Inc. (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• Google LLC (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• TikTok Technology Limited (Ireland/Singapore/China): Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and supplementary technical and organizational measures (data encryption, access restrictions)
• Pinterest, Inc. (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• Snap Inc. (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• LinkedIn Corporation (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• Microsoft Corporation (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)
• Klaviyo, Inc. (USA): DPF-certified — EU Commission adequacy decision (Art. 45 GDPR)

For the optional AI-powered dashboard summary feature (available from Growth plan), we use the API of Anthropic PBC (USA). The feature is disabled by default and is only activated after the shop owner's active consent via a toggle in the app settings. The consent is recorded in our consent log and can be withdrawn at any time with effect for the future (Art. 7(3) GDPR). Only aggregated, anonymous metrics are transmitted to Anthropic (total revenue, conversion count, success rate, average order value). No personal data, no shop identifiers, and no end customer data is transmitted to Anthropic. Since only anonymized, aggregated data without personal reference is transmitted, this transfer is, according to the prevailing view, likely not subject to the requirements of Art. 44 et seq. GDPR regarding third-country transfers. Additionally, Anthropic's Data Processing Addendum (DPA) includes Standard Contractual Clauses (SCCs) pursuant to EU Commission Decision 2021/914. Anthropic retains API inputs and outputs for a maximum of 30 days and does not use them for model training (per Anthropic Commercial Terms). Anthropic holds SOC 2 Type II, ISO 27001:2022, and ISO/IEC 42001:2023 certifications. The EU contact is Anthropic Ireland, Limited, Dublin, Ireland (dpo@anthropic.com). Results are cached for 24 hours. To safeguard against erroneous output, the AI text is automatically checked for implausible concrete monetary amounts before display and is suppressed in case of doubt. The number of AI requests per hour is rate-limited per shop. The legal basis is Art. 6(1)(a) GDPR (consent).

5. Data Security

5.1 Encryption

• State-of-the-art encryption of all stored data
• Each shop has its own encryption key
• Exclusively encrypted data transmission (transport encryption)
• Database backups are encrypted and stored on German servers
• Events are temporarily stored in an encrypted queue on our own servers for reliable delivery and automatically deleted after successful transmission

5.2 Shop-Isolated Encryption

• Each shop has individual encryption keys
• Personal data is pseudonymized using state-of-the-art encryption where technically possible. Klaviyo requires plaintext data for CRM profile matching — this data originates directly from the Shopify webhook or browser event and is not stored in our database but transmitted directly to Klaviyo.
• Comprehensive audit logging of all security-relevant operations: credential management, billing changes, tracking configuration, API key management, GDPR requests (data access, deletion), consent logs, app installation and uninstallation, data retention cleanup, and administrative access. Logs include timestamp, pseudonymized actor identifier, and action description. IP addresses are stored in hashed form.

5.3 Error Detection and System Stability

To ensure system stability and rapid error resolution, we use a self-hosted error detection system.

• Only technical error data is captured (error logs, error codes, affected URL).
• No personal customer data is stored in error reports.
• IP addresses are removed before storage.
• The system is self-hosted on our own servers in Germany (Hetzner Online GmbH). No data is transmitted to third parties.
• Error reports are automatically deleted after 90 days.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in maintaining and securing the service). No consent is required as the processing is necessary for the secure operation of the service.

6. Data Retention

After uninstalling the ShopiPixel app, your personal data is finally deleted no later than 30 days after uninstallation (see entry "Data after uninstallation" in this table for details on the deletion timeline and reinstall window). The deletion covers tracking data, platform credentials, configurations and statistics. Billing is handled entirely by Shopify as billing agent — ShopiPixel does not store tax-relevant billing documents. Audit logs (statutory limitation period: 3 years) and data retained for legitimate interests (Art. 6(1)(f) GDPR: abuse prevention) may be retained longer.

7. Data Subject Rights

You have the following rights regarding your personal data:

• Access (Art. 15 GDPR) - Right to information about your stored data
• Rectification (Art. 16 GDPR) - Right to correction of inaccurate data
• Erasure (Art. 17 GDPR) - Right to deletion of your data
• Restriction (Art. 18 GDPR) - Right to restriction of processing
• Data Portability (Art. 20 GDPR) - Right to receive your data in a machine-readable format
• Objection (Art. 21 GDPR) - Right to object to processing

We process data subject requests without undue delay, within one month of receipt at the latest (Art. 12(3) GDPR). The deadline may be extended by two further months if the complexity or number of requests requires it. We will inform you of any extension within one month, stating the reasons.

To exercise your rights, contact: datenschutz@shopipixel.de

Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place that produces legal effects concerning you or similarly significantly affects you. The AI-powered analytics summaries (from Growth plan) serve exclusively for information preparation for the shop owner and do not make automated decisions.

Withdrawal of Consent

Where processing is based on consent (Art. 6(1)(a) GDPR), you have the right to withdraw this consent at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected. For the analytics cookie, you can withdraw your consent at any time via the cookie banner. For the newsletter, you can withdraw your consent at any time via the unsubscribe link in every email.

8. Right to Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority is in particular the supervisory authority of the federal state in which you reside, or the authority at the seat of the controller.

You have the right to lodge a complaint with any EU data protection supervisory authority — in particular at your place of habitual residence, your place of work or the place of the alleged infringement (Art. 77(1) GDPR). A list of all European supervisory authorities is available at the European Data Protection Board: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

For our seat in Baden-Württemberg:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, Germany
Phone: +49 711/615541-0
www.baden-wuerttemberg.datenschutz.de (opens in new window)

9. Cookies

When using the ShopiPixel App in the user's Shopify store, the following first-party cookies are set on the store's domain:

Obtaining consent for these cookies is the responsibility of the store owner as the data controller pursuant to Art. 7 GDPR in conjunction with § 25 TDDDG. Attribution cookies are only set when the corresponding click ID is present in the visitor's URL.

Do Not Track

Some browsers transmit a "Do Not Track" signal (DNT) or a "Global Privacy Control" signal (GPC). As there is currently no uniform legal standard in the EU for the automated interpretation of these signals, our website does not currently automatically evaluate DNT and GPC signals. Cookie settings can be adjusted at any time via the cookie banner. Regardless, you can exercise your right to object at any time by email to datenschutz@shopipixel.de.

10. Necessity of Data Provision

The provision of shop data (Section 3.3) is required for contract performance. Without this data, the app cannot be provided.

11. Changes

This privacy policy may be updated from time to time. The current version is available at shopipixel.de/privacy.