Privacy Policy

Last updated: April 13, 2026

1. Introduction

AskOrigin ("we", "us", "our") is a marketing attribution platform that helps e-commerce merchants understand which marketing channels drive their sales. This privacy policy explains how we collect, use, store, and protect data when merchants install and use the AskOrigin application through Shopify or directly.

2. Data Controller vs. Data Processor

The merchant who installs AskOrigin is the data controller — they determine the purposes and means of processing their customers' personal data. AskOrigin acts as a data processor, processing data on behalf of and under the instructions of the merchant.

3. Data We Collect

We process the minimum personal data required to provide marketing attribution value to merchants. When a merchant installs AskOrigin, we may collect and process the following:

  • Click and page view data: URLs visited, referrer URLs, UTM parameters, landing pages, timestamps
  • Order data: Order totals, currency, line items, order timestamps (received via Shopify webhooks)
  • Hashed customer identifiers: Email addresses and phone numbers are converted to irreversible SHA-256 hashes at the moment of capture and stored only as hashes. Plaintext emails and phone numbers are never persisted to our systems. The hashes are used to link a checkout session to a prior storefront browsing session for attribution continuity.
  • IP addresses and user agents: Collected for attribution matching and fraud prevention
  • Device characteristics hash (sometimes called a "device fingerprint"): We compute a SHA-256 hash from a combination of stable, widely shared device signals: WebGL renderer and vendor strings (GPU identifier), screen dimensions, CPU core count (hardwareConcurrency), device memory, touch capability, and timezone. This hash is used as an attribution fallback when first-party cookies are unavailable or have been cleared. It cannot be reversed to identify the original device characteristics, and we do not combine it with other signals to uniquely identify individual devices for cross-site tracking.
  • UTM parameters: Campaign source, medium, campaign name, content, and term values from marketing URLs
  • First-party browser identifier: A randomly generated ID stored in first-party storage (cookie, localStorage) on the merchant's domain to correlate browsing sessions across the storefront and Shopify checkout
  • Facebook Pixel cookie (_fbp): When a merchant has enabled the Meta Conversions API integration, we read the Facebook Pixel first-party cookie (_fbp) that Meta's pixel has already set on the customer's browser, and forward its value server-to-server to Meta alongside purchase events. This is used for event deduplication between browser-side and server-side conversion reporting. We do not create, set, or overwrite the _fbp cookie ourselves.
  • Google Ads credentials: When a merchant connects their Google Ads account, we store an encrypted OAuth refresh token (AES-256-GCM) and their Google Ads customer ID to access campaign cost data and upload conversion events
  • Meta (Facebook) credentials: When a merchant connects their Meta Business account, we store their access token and pixel ID to send server-side conversion events via the Meta Conversions API

4. Purpose of Data Processing

We process data solely for the following purposes and do not use it beyond these stated purposes:

  • Marketing attribution: Connecting marketing touchpoints (clicks, ad impressions) to purchases to help merchants understand their marketing ROI
  • Customer journey analysis: Building anonymized journey maps showing the path from first click to purchase
  • Campaign performance reporting: Aggregating data to show which campaigns, channels, and ads drive the most value
  • Google Ads cost integration: Importing campaign-level cost data from Google Ads to calculate ROI, ROAS, and cost-per-acquisition metrics. Uploading server-side conversion events to Google Ads for improved campaign optimization
  • Meta Conversions API: Sending server-side purchase events to Meta (Facebook) to improve ad attribution accuracy and campaign optimization. All personally identifiable information (email, phone) is hashed using SHA-256 before transmission to Meta

5. Data Retention

We retain personal data only for as long as necessary to provide attribution services to the merchant. Specific retention periods by data category:

  • Raw click and page view events: 18 months from collection date, then permanently deleted
  • Hashed customer identifiers (email/phone SHA-256 hashes): Retained for the duration of the merchant relationship; deleted immediately upon a customer erasure request or upon merchant uninstall
  • Device characteristics hash: 18 months from collection date, then permanently deleted
  • First-party browser identifier: 18 months rolling; cleared sooner if the customer clears their browser storage
  • IP addresses: 90 days from collection date, then deleted or truncated to their network prefix for aggregate reporting
  • Order records: Retained for the duration of the merchant relationship. On customer erasure requests, personal identifiers are removed but anonymized aggregate records (no customer data) may be retained for merchant reporting
  • Google Ads and Meta OAuth credentials: Retained for the duration of the merchant relationship; deleted within 48 hours of the merchant disconnecting the integration or uninstalling AskOrigin
  • Aggregated, anonymized reporting data: May be retained indefinitely as it contains no personal information

When a merchant uninstalls AskOrigin or Shopify sends a shop/redact erasure request, all customer data associated with that store is permanently deleted from our systems within 48 hours of receipt.

When an individual customer requests erasure (via Shopify's customers/redact webhook), all personal data associated with that customer is deleted within 30 days of receipt, as required by GDPR. Anonymized order records (with all personal identifiers removed) may be retained for aggregate business reporting.

6. Data Storage and Security

  • Infrastructure: Data is stored in Supabase (PostgreSQL) with encryption at rest and encryption in transit (TLS). All database backups are encrypted.
  • Hashing: Customer email addresses and phone numbers are stored exclusively as SHA-256 hashes — the original values cannot be recovered from these hashes
  • Access control: Database access requires service-role credentials; all API endpoints validate authentication via HMAC signatures or user sessions
  • Row-Level Security: PostgreSQL RLS policies ensure merchants can only access their own data
  • Environment separation: Production and test/development environments are fully separated with distinct databases, credentials, and infrastructure
  • Data loss prevention: Automated database backups, point-in-time recovery, and infrastructure redundancy protect against data loss

7. Access Controls and Logging

  • Staff access limitation: Access to customer personal data is restricted to authorized personnel on a need-to-know basis. Service-role credentials are managed through environment variables and are never committed to source code.
  • Authentication requirements: All staff accounts require strong passwords with a minimum length and complexity requirement. Multi-factor authentication is enforced for infrastructure access (Supabase dashboard, hosting provider, source control).
  • Access logging: Database access is logged through Supabase's built-in audit logging. API requests to personal data endpoints are logged with timestamps and request metadata for accountability and incident investigation.

8. Security Incident Response

In the event of a security incident involving personal data, we will:

  • Investigate and contain the incident within 24 hours of detection
  • Notify affected merchants within 72 hours, as required by GDPR
  • Notify relevant supervisory authorities where required by law
  • Document the incident, its impact, and remediation steps taken
  • Implement measures to prevent recurrence

9. Data Sharing

Customer data is only accessible to the merchant who installed AskOrigin on their store. We do not sell, rent, or share personal data with third parties. We do not use customer data for our own marketing purposes or share data across merchants.

10. Third-Party Platform Integrations

AskOrigin integrates with third-party advertising platforms at the merchant's direction. These integrations are optional and activated only when the merchant explicitly connects their accounts.

Google Ads Integration

When a merchant connects their Google Ads account via OAuth 2.0, AskOrigin accesses the following Google user data:

  • Data accessed: Google Ads campaign names, cost data, conversion actions, and accessible customer account IDs
  • Data stored: An encrypted OAuth refresh token (AES-256-GCM encryption) and the Google Ads customer ID. Access tokens are ephemeral and not stored
  • Data sent to Google: Server-side conversion events including order value, currency, timestamp, and Google click identifiers (gclid, gbraid, wbraid) for attribution
  • Scope requested: https://www.googleapis.com/auth/adwords — required for both reading campaign cost data and uploading conversion events
  • Credential retention: Google OAuth credentials are retained for the duration of the integration. When a merchant disconnects their Google Ads account or uninstalls AskOrigin, the encrypted refresh token is permanently deleted from our systems
  • Limited use disclosure: AskOrigin's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell or transfer it to third parties, and do not use it for purposes unrelated to providing marketing attribution services to the merchant

Meta Conversions API Integration

When a merchant connects their Meta Business account, the following applies:

  • Data stored: Meta access token and pixel ID
  • Data sent to Meta: Server-side purchase events including SHA-256-hashed email and phone number, order value, currency, and Facebook click identifiers (fbclid, fbc, fbp)
  • Credential retention: Meta credentials are deleted when the merchant disconnects the integration or uninstalls AskOrigin

No personal data from Google or Meta is shared with other merchants, used for AskOrigin's own purposes, or transferred to any other third party.

11. Consent

AskOrigin respects and applies customers' consent decisions. Our tracking integrates with Shopify's Customer Privacy API and honors consent preferences set by visitors through merchant-configured consent banners. When a customer declines tracking consent, we do not collect or process their personal data.

We respect and apply customers' decisions to opt out of having their data sold. AskOrigin does not sell personal data under any circumstances. We do not perform automated decision-making that produces legal or similarly significant effects on individuals.

12. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right of access: Request a copy of the data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your personal data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing of your personal data
  • Right to restrict processing: Request limitation of processing

To exercise these rights, please contact the merchant (store owner) who installed AskOrigin, as they are the data controller. Merchants can also contact us directly and we will assist in fulfilling these requests.

13. Data Erasure

When a customer requests data erasure through a Shopify store, Shopify sends a GDPR webhook to AskOrigin. We automatically process these requests by deleting all associated customer data across our systems, including click data, event data, identity links, attribution records, and customer journey data. Order records are anonymized (personal identifiers removed) to preserve aggregate business reporting.

When a merchant uninstalls AskOrigin or requests shop erasure, we delete all customer data associated with their store and clear all stored credentials.

14. Cookies, Tracking, and Cross-Domain Attribution

AskOrigin uses the following tracking mechanisms on merchant storefronts:

  • Browser ID cookie: A first-party cookie that stores a unique browser identifier (ot_browser_id) for cross-session attribution. This identifier is randomly generated and contains no personal information.
  • Session ID cookie: A first-party cookie (ot_sid) that groups page views and events into a single browsing session.
  • Shopify Web Pixel: A Shopify-managed pixel that captures checkout and purchase events in Shopify's privacy-compliant sandbox environment, honoring the Customer Privacy API.
  • First-party storefront script: A JavaScript tracker loaded from a subdomain of the merchant's own domain (e.g., analytics.merchant.com) or from askorigin.com as a fallback, that captures clicks and page views.

Cross-domain attribution

When a customer proceeds from the merchant's storefront (e.g., merchant.com) to Shopify's checkout (e.g., checkout.shopify.com) — which is a different domain — we correlate the two sessions using the first-party browser identifier captured earlier on the storefront. This allows us to attribute a purchase back to the original marketing click. No additional personal data is collected during this correlation; we only match existing identifiers that the customer's browser already carries with them into checkout.

Third-party cookie interactions

AskOrigin does not set any third-party tracking cookies on customers' browsers. When a merchant has enabled the Meta Conversions API integration, we read the value of the Facebook Pixel cookie (_fbp) that Meta's own pixel has already set on the browser, and forward that value server-to-server to Meta for event deduplication. We do not create, modify, or extend the lifetime of the _fbp cookie — we only read and forward its existing value.

All tracking is subject to customer consent preferences as described in section 11. When analytics consent is declined, we do not collect click, page view, session, or device characteristics data. When marketing consent is declined, we do not forward the Facebook Pixel cookie or any other data to marketing platforms (Meta, Google Ads).

15. Changes to This Policy

We may update this privacy policy from time to time. We will notify merchants of any material changes through the application or via email. Continued use of AskOrigin after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this privacy policy or our data practices, please contact us at:

Email: [email protected]
Website: https://askorigin.com