Privacy Policy

Last updated: March 17, 2026

1. Introduction

AskOrigin ("we", "us", "our") is a marketing attribution platform that helps e-commerce merchants understand which marketing channels drive their sales. This privacy policy explains how we collect, use, store, and protect data when merchants install and use the AskOrigin application through Shopify or directly.

2. Data Controller vs. Data Processor

The merchant who installs AskOrigin is the data controller — they determine the purposes and means of processing their customers' personal data. AskOrigin acts as a data processor, processing data on behalf of and under the instructions of the merchant.

3. Data We Collect

We process the minimum personal data required to provide marketing attribution value to merchants. When a merchant installs AskOrigin, we may collect and process the following:

  • Click and page view data: URLs visited, referrer URLs, UTM parameters, landing pages, timestamps
  • Order data: Order totals, currency, line items, order timestamps (received via Shopify webhooks)
  • Hashed identifiers: Email addresses and phone numbers are stored only as irreversible SHA-256 hashes for identity linking purposes — we do not store plaintext emails or phone numbers
  • IP addresses and user agents: Collected for attribution matching and fraud prevention
  • Device fingerprints: Browser-based identifiers used for cross-session attribution
  • UTM parameters: Campaign source, medium, campaign name, content, and term values from marketing URLs
  • Browser identifiers: First-party cookie IDs for session tracking
  • Google Ads credentials: When a merchant connects their Google Ads account, we store an encrypted OAuth refresh token (AES-256-GCM) and their Google Ads customer ID to access campaign cost data and upload conversion events
  • Meta (Facebook) credentials: When a merchant connects their Meta Business account, we store their access token and pixel ID to send server-side conversion events via the Meta Conversions API

4. Purpose of Data Processing

We process data solely for the following purposes and do not use it beyond these stated purposes:

  • Marketing attribution: Connecting marketing touchpoints (clicks, ad impressions) to purchases to help merchants understand their marketing ROI
  • Customer journey analysis: Building anonymized journey maps showing the path from first click to purchase
  • Campaign performance reporting: Aggregating data to show which campaigns, channels, and ads drive the most value
  • Google Ads cost integration: Importing campaign-level cost data from Google Ads to calculate ROI, ROAS, and cost-per-acquisition metrics. Uploading server-side conversion events to Google Ads for improved campaign optimization
  • Meta Conversions API: Sending server-side purchase events to Meta (Facebook) to improve ad attribution accuracy and campaign optimization. All personally identifiable information (email, phone) is hashed using SHA-256 before transmission to Meta

5. Data Retention

Personal data is retained for the duration of the merchant relationship. When a merchant uninstalls AskOrigin or Shopify sends a shop erasure request, all customer data associated with that store is permanently deleted from our systems.

When an individual customer requests erasure (via Shopify's GDPR webhooks), all personal data associated with that customer is deleted immediately upon receiving the request. Anonymized order records (with all personal identifiers removed) may be retained for aggregate business reporting.

6. Data Storage and Security

  • Infrastructure: Data is stored in Supabase (PostgreSQL) with encryption at rest and encryption in transit (TLS). All database backups are encrypted.
  • Hashing: Customer email addresses and phone numbers are stored exclusively as SHA-256 hashes — the original values cannot be recovered from these hashes
  • Access control: Database access requires service-role credentials; all API endpoints validate authentication via HMAC signatures or user sessions
  • Row-Level Security: PostgreSQL RLS policies ensure merchants can only access their own data
  • Environment separation: Production and test/development environments are fully separated with distinct databases, credentials, and infrastructure
  • Data loss prevention: Automated database backups, point-in-time recovery, and infrastructure redundancy protect against data loss

7. Access Controls and Logging

  • Staff access limitation: Access to customer personal data is restricted to authorized personnel on a need-to-know basis. Service-role credentials are managed through environment variables and are never committed to source code.
  • Authentication requirements: All staff accounts require strong passwords with a minimum length and complexity requirement. Multi-factor authentication is enforced for infrastructure access (Supabase dashboard, hosting provider, source control).
  • Access logging: Database access is logged through Supabase's built-in audit logging. API requests to personal data endpoints are logged with timestamps and request metadata for accountability and incident investigation.

8. Security Incident Response

In the event of a security incident involving personal data, we will:

  • Investigate and contain the incident within 24 hours of detection
  • Notify affected merchants within 72 hours, as required by GDPR
  • Notify relevant supervisory authorities where required by law
  • Document the incident, its impact, and remediation steps taken
  • Implement measures to prevent recurrence

9. Data Sharing

Customer data is only accessible to the merchant who installed AskOrigin on their store. We do not sell, rent, or share personal data with third parties. We do not use customer data for our own marketing purposes or share data across merchants.

10. Third-Party Platform Integrations

AskOrigin integrates with third-party advertising platforms at the merchant's direction. These integrations are optional and activated only when the merchant explicitly connects their accounts.

Google Ads Integration

When a merchant connects their Google Ads account via OAuth 2.0, AskOrigin accesses the following Google user data:

  • Data accessed: Google Ads campaign names, cost data, conversion actions, and accessible customer account IDs
  • Data stored: An encrypted OAuth refresh token (AES-256-GCM encryption) and the Google Ads customer ID. Access tokens are ephemeral and not stored
  • Data sent to Google: Server-side conversion events including order value, currency, timestamp, and Google click identifiers (gclid, gbraid, wbraid) for attribution
  • Scope requested: https://www.googleapis.com/auth/adwords — required for both reading campaign cost data and uploading conversion events
  • Credential retention: Google OAuth credentials are retained for the duration of the integration. When a merchant disconnects their Google Ads account or uninstalls AskOrigin, the encrypted refresh token is permanently deleted from our systems
  • Limited use disclosure: AskOrigin's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell or transfer it to third parties, and do not use it for purposes unrelated to providing marketing attribution services to the merchant

Meta Conversions API Integration

When a merchant connects their Meta Business account, AskOrigin handles the following data:

  • Data stored: Meta access token and pixel ID
  • Data sent to Meta: Server-side purchase events including SHA-256-hashed email and phone number, order value, currency, and Facebook click identifiers (fbclid, fbc, fbp)
  • Credential retention: Meta credentials are deleted when the merchant disconnects the integration or uninstalls AskOrigin

No personal data from Google or Meta is shared with other merchants, used for AskOrigin's own purposes, or transferred to any other third party.

11. Consent

AskOrigin respects and applies customers' consent decisions. Our tracking integrates with Shopify's Customer Privacy API and honors consent preferences set by visitors through merchant-configured consent banners. When a customer declines tracking consent, we do not collect or process their personal data.

We respect and apply customers' decisions to opt out of having their data sold. AskOrigin does not sell personal data under any circumstances. We do not perform automated decision-making that produces legal or similarly significant effects on individuals.

12. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of the data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your personal data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing of your personal data
  • Right to restrict processing: Request limitation of processing

To exercise these rights, please contact the merchant (store owner) who installed AskOrigin, as they are the data controller. Merchants can also contact us directly and we will assist in fulfilling these requests.

13. Data Erasure

When a customer requests data erasure through a Shopify store, Shopify sends a GDPR webhook to AskOrigin. We automatically process these requests by deleting all associated customer data across our systems, including click data, event data, identity links, attribution records, and customer journey data. Order records are anonymized (personal identifiers removed) to preserve aggregate business reporting.

When a merchant uninstalls AskOrigin or requests shop erasure, we delete all customer data associated with their store and clear all stored credentials.

14. Cookies and Tracking

AskOrigin uses the following tracking mechanisms on merchant storefronts:

  • Browser ID cookie: A first-party cookie that stores a unique browser identifier for cross-session attribution. This cookie does not contain personal information.
  • Shopify Web Pixel: A Shopify-managed pixel that captures checkout and purchase events in a privacy-compliant sandbox environment.

We do not use third-party tracking cookies. All tracking is first-party and limited to the merchant's storefront. Tracking is subject to customer consent preferences as described in section 11.

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify merchants of any material changes through the application or via email. Continued use of AskOrigin after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this privacy policy or our data practices, please contact us at:

Email: [email protected]
Website: https://askorigin.com