1. Introduction
Marketing Pulse ("we", "our", or "us") is a Shopify public app that provides daily marketing performance reports for Shopify merchants. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data.
By installing and using Marketing Pulse, you ("Merchant") agree to the practices described in this policy. If you do not agree, please uninstall the app.
Our contact email for privacy matters: support@marketing-pulse.app
2. What Data We Collect
2.1 Shopify Store Data
When you install Marketing Pulse via Shopify OAuth, we collect and store:
- Shop domain (e.g.,
yourstore.myshopify.com) — used as your unique tenant identifier. - Shopify access token — encrypted with AES-256-GCM and stored securely. Used to read orders and product data via the Shopify Admin API.
- Shopify plan and scopes — to verify what data we are authorised to access.
2.2 Order and Attribution Data
With your permission (via the read_orders scope), we receive Shopify order webhook events. For each order we store:
- Order ID, total price, and financial status (paid, pending, refunded).
- UTM parameters extracted from the order's landing URL and referring site (
utm_source,utm_medium,utm_campaign,utm_content,utm_term) — used to attribute revenue to ad campaigns.
We do not collect or store personal customer data (customer names, email addresses, shipping addresses, or payment details) beyond what is included in the UTM tracking context above.
2.3 Meta (Facebook) Ads Data
If you choose to connect a Meta Ads account, we collect via the Meta Marketing API:
- Meta OAuth token (long-lived, 60-day expiry) — encrypted with AES-256-GCM.
- Ad account IDs and names associated with your Meta Business.
- Campaign-level performance metrics: daily spend, impressions, clicks, and conversions — for display in your dashboard and daily reports.
We do not collect individual ad creative content, audience definitions, or personal data of the end users who saw your ads.
2.4 Google Ads Data
If you choose to connect a Google Ads account, we collect via the Google Ads API:
- Google OAuth access token and refresh token — encrypted with AES-256-GCM.
- Google Ads customer (account) IDs and names.
- Campaign-level performance metrics: daily spend, impressions, clicks — for your dashboard and reports.
2.5 Notification Preferences
To deliver your daily reports and alerts, you may voluntarily provide:
- Email addresses — for report delivery via Resend.
- Phone number (Pro plan only) — in E.164 format, for SMS alerts via Twilio.
- Slack Incoming Webhook URL — if you choose to connect a Slack channel, we store the webhook URL you provide. This URL is used solely to post your daily report to your designated Slack channel. We do not store any Slack user data, workspace credentials, or message history.
2.6 Technical and Usage Data
- Audit log entries — timestamped records of key actions (app installation, account connections, billing changes) for security and compliance purposes. These are purged when you uninstall the app.
- We do not use third-party analytics trackers, cookies, or browser fingerprinting on our public-facing pages.
3. How We Use Your Data
- Service delivery: Sync ad campaign data, calculate ROAS and attribution, generate daily reports, and send email/SMS notifications.
- Billing: Manage subscription status via the Shopify Billing API. We do not process payment card data.
- Security and compliance: Verify webhook signatures, prevent abuse, and maintain audit logs.
- Product improvement: Aggregate, anonymised metrics (e.g., total number of active shops) may be used to improve the product. No individual merchant data is used for this purpose.
We do not sell, rent, or share your data with third parties for advertising purposes.
4. Third-Party Data Processors
We use the following sub-processors to operate the service. All are bound by appropriate data processing agreements.
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase (supabase.com) | PostgreSQL database hosting (EU region) | All app data described in §2 |
| Vercel (vercel.com) | Next.js application hosting and serverless functions | Request logs, server-side processing |
| Resend (resend.com) | Transactional email delivery | Email addresses, report content |
| Twilio (twilio.com) | SMS alert delivery (Pro plan) | Phone number, alert message text |
| Shopify (shopify.com) | App distribution, billing, and identity | Shop domain, subscription status |
| Meta Platforms (facebook.com) | Meta Ads API access (when connected) | OAuth tokens, ad account IDs |
| Google LLC (google.com) | Google Ads API access (when connected) | OAuth tokens, ad account IDs |
5. Data Retention and Deletion
We retain your data for as long as your Marketing Pulse subscription is active on Shopify.
Upon uninstallation: When you uninstall Marketing Pulse from your Shopify Admin, Shopify immediately sends us an app/uninstalled webhook. Our server executes a CASCADE DELETE that permanently removes all your data from our database within minutes, including access tokens, ad account connections, campaign performance records, attribution data, alert preferences, and audit logs.
For detailed deletion instructions, see our Data Deletion Instructions page.
To request manual deletion of your data, email us at support@marketing-pulse.app and we will action your request within 30 days.
6. Data Security
- All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before storage in our database.
- All data in transit is protected by TLS 1.2+.
- Database access is restricted via Row Level Security (RLS) policies — each shop can only access its own data.
- Webhook payloads are verified with HMAC-SHA256 signatures before processing.
- Our infrastructure (Supabase, Vercel) is hosted in data centres with SOC 2 Type II certification.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
- Right of access: Request a copy of the data we hold about your shop.
- Right to erasure ("right to be forgotten"): Uninstalling the app triggers automatic deletion. You may also email us for manual erasure.
- Right to rectification: Contact us to correct inaccurate data.
- Right to data portability: Request an export of your data in machine-readable format.
- Right to object: Object to specific processing activities.
To exercise any of these rights, email support@marketing-pulse.app. We will respond within 30 days.
We also handle Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, and shop/redact. All are processed within the timeframes required by Shopify's Partner Program Requirements.
8. Children's Privacy
Marketing Pulse is a B2B tool designed for use by Shopify merchants and their authorised team members. We do not knowingly collect data from individuals under the age of 18.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the primary contact address on your account. Continued use of the app after changes constitutes acceptance of the revised policy. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For any privacy-related questions or requests, contact Marketing Pulse at:
Email: support@marketing-pulse.app