Privacy Policy
Last updated: May 3, 2026
This Privacy Policy describes how Ripplux Inc. ("Ripplux," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use our website at ripplux.com and our application at app.ripplux.com (collectively, the "Service").
Ripplux is incorporated under the laws of Canada with its principal office in Ontario, Canada. We are committed to protecting the privacy of our users worldwide in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the United Kingdom General Data Protection Regulation (UK GDPR), and other applicable privacy laws.
1. Information We Collect
1.1 Account Information
When you create a Ripplux account, we collect information provided through Shopify OAuth authentication, including your name, email address, Shopify store name, and Shopify store URL. We do not collect or store your Shopify password.
1.2 Advertising Platform Data
When you connect your advertising accounts, we access data from Meta (Facebook/Instagram), Google Ads, Google Analytics 4, and Google Search Console through their respective APIs. We access this data solely to provide our audit and analysis services. We do not modify your advertising campaigns, your Google Analytics 4 property configuration, or your Search Console properties, except where you explicitly initiate an incrementality experiment through our Service. The subsections below itemize what each integration collects.
1.2.1 Meta (Facebook / Instagram) Advertising Data
Through the Meta Marketing API, we read campaign, ad set, and ad performance metrics: campaign and ad set names, ad creative identifiers, advertising spend, impressions, clicks, conversion events, and cost-per-acquisition metrics. Access is read-only by default. We create controlled-holdout experiment configurations on Meta only when you explicitly initiate an incrementality experiment.
1.2.2 Google Ads Data — https://www.googleapis.com/auth/adwords (sensitive scope)
Through the Google Ads API, we read campaign-, ad-group-, and ad-level performance metrics via GoogleAdsService.SearchStream and CustomerService.ListAccessibleCustomers: campaign and ad-group names, ad identifiers, advertising spend (cost micros), clicks, impressions, conversions, click-through rate, average cost-per-click, and search impression share. We do not modify, pause, create, or delete any campaign, ad group, ad, keyword, or budget. The data is joined against your Shopify orders to surface wasted spend, creative fatigue, search-term cannibalization, and channel overlap.
1.2.3 Google Analytics 4 Data — https://www.googleapis.com/auth/analytics.readonly (sensitive scope)
Through the Google Analytics Admin API and Data API, we read aggregate channel-level metrics used to build the Orders dashboard By-Channel Attribution panel and the conversion-leaks audit engine. We call exactly two endpoints, both read-only: analyticsadmin.accountSummaries.list (once after you grant the scope, so you can pick which GA4 property maps to your Shopify store) and analyticsdata.properties.runReport (once per day, dimensions date + defaultChannelGroup; metrics sessions, engagedSessions, conversions, totalRevenue, averageSessionDuration). We do not request or store any user-level identifier, client ID, user ID, event-level row, or page-level row. We never call any mutation, never modify your property configuration, never create audiences, and never edit settings.
1.2.4 Google Search Console Data — https://www.googleapis.com/auth/webmasters.readonly (non-sensitive scope)
Through the Google Search Console API, we read aggregate search-query metrics used to surface branded-keyword cannibalization. We call exactly two endpoints, both read-only: webmasters.sites.list (once after you grant the scope, so you can pick which verified property maps to your Shopify store) and webmasters.searchanalytics.query (once per day, dimensions query + date; metrics clicks, impressions, ctr, position; rolling 28-day window). We do not request page-level or device-level dimensions. We never modify any Search Console configuration, never add or remove properties, and never submit sitemaps on your behalf.
1.2.5 Limited Use of Google User Data
Ripplux's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google user data is used only to provide and improve user-facing features of the Ripplux product that are prominent in the requesting app's user interface; we do not transfer Google user data to third parties except as necessary to provide or improve those features (in compliance with applicable law) or for security purposes (such as investigating abuse); we do not use Google user data for serving advertisements; and we do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating a bug or abuse), to comply with applicable law, or our use is limited to internal operations and the data (including derivations) have been aggregated and de-identified. We do not use Google user data to develop, improve, or train generalized artificial intelligence or machine learning models.
1.3 Shopify Commerce Data
Through your Shopify connection, we access order data including order identifiers, order dates, revenue amounts, and product information. We also access anonymized or pseudonymized customer purchase patterns for the purpose of detecting cannibalization signals and conversion overlap. We do not access, store, or process end-consumer personally identifiable information such as customer names, email addresses, shipping addresses, or payment card details from your Shopify store.
1.4 Payment Information
Subscription payments are processed by Shopify through Shopify Billing as part of your existing Shopify account. We never receive, access, or store your credit card number, debit card number, or bank account details — Shopify handles all payment processing and card data, and provides us only with charge status and plan information. Shopify's handling of your payment data is governed by Shopify's Privacy Policy.
1.5 Usage and Technical Data
We automatically collect certain technical information when you use the Service, including IP address, browser type and version, operating system, device identifiers, pages visited within the Service, timestamps of access, and referring URLs. We use this information for security monitoring, service improvement, and to diagnose technical issues.
1.6 Cookies and Similar Technologies
Ripplux uses strictly necessary cookies to maintain your authenticated session and remember your preferences. We use an HttpOnly session cookie containing an encrypted JSON Web Token (JWT) for authentication. We do not use third-party advertising cookies or cross-site tracking technologies.
We use PostHog for product analytics to understand aggregate feature usage. PostHog collects anonymized event data (pages visited, features used) tied to your store URL — not your personal identity. PostHog does not set third-party cookies. If PostHog is not configured (no API key present), no analytics data is collected.
2. How We Use Your Information
We use the information we collect for the following purposes:
To provide and operate the Service: Generating ad waste audits, detecting creative fatigue, identifying conversion overlap, calculating cannibalization risk scores, designing and executing incrementality experiments, and delivering weekly performance digest emails.
To process transactions: Managing your subscription, processing payments through Shopify Billing, enforcing plan limits, and providing billing support.
To communicate with you: Sending transactional emails related to your account (subscription confirmations, trial reminders, sync status notifications), weekly digest emails (which you may disable at any time), and service announcements.
To maintain security and prevent fraud: Monitoring for unauthorized access, detecting anomalous usage patterns, and protecting the integrity of the Service.
To improve the Service: Analyzing aggregate, de-identified usage patterns to improve product features, performance, and reliability. We do not use your individual advertising or commerce data to train machine learning models or for any purpose other than providing the Service to you.
2.1 Legal Bases for Processing (GDPR / UK GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, our legal bases for processing personal data are:
Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including accessing your advertising platform data, generating audits, and running experiments.
Legitimate interests (Article 6(1)(f)): Processing for security monitoring, fraud prevention, service improvement through aggregate analytics, and internal administration. We have assessed that these interests are not overridden by your fundamental rights and freedoms.
Consent (Article 6(1)(a)): Where we send marketing communications or use non-essential cookies (if introduced in the future). You may withdraw consent at any time.
Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable law, such as tax record retention or regulatory requests.
3. How We Share Your Information
We do not sell, rent, or trade your personal information. We do not share your individual advertising data, commerce data, or audit results with any third party for their own commercial purposes. We share information only in the following limited circumstances:
Service providers: We engage third-party service providers who process data on our behalf to operate the Service. These providers are contractually obligated to use your data only as instructed by us and to maintain appropriate security measures. Our current service providers include:
- Shopify Inc. — Subscription billing and payment processing (Ottawa, ON, Canada)
- SendGrid (Twilio Inc.) — Transactional email delivery (San Francisco, CA, USA)
- Sentry (Functional Software, Inc.) — Error monitoring and performance tracking (San Francisco, CA, USA)
- Railway Corp. — Application hosting and database infrastructure (San Francisco, CA, USA)
- Vercel Inc. — Frontend hosting and content delivery (San Francisco, CA, USA)
- GitHub (Microsoft Corp.) — Source code management and CI/CD (San Francisco, CA, USA)
- PostHog, Inc. — Product analytics (San Francisco, CA, USA). Used to understand aggregate feature usage and improve the Service. No personally identifiable information is sent to PostHog — only anonymized event data tied to your store URL.
Advertising platforms: When you connect Meta or Google Ads accounts or initiate incrementality experiments, we communicate with these platforms' APIs using OAuth tokens you have authorized. We read campaign performance data from these platforms. For incrementality experiments, we create controlled holdout experiment configurations on these platforms at your explicit direction. We do not transmit your Shopify commerce data, audit results, or any Ripplux-generated analysis to Meta, Google, or any other advertising platform.
Legal requirements: We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Ripplux, our users, or the public.
Business transfers: If Ripplux is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.
4. Data Storage, Security, and International Transfers
4.1 Where We Store Data
Your data is stored on servers located in the United States, operated by our hosting providers Railway and Vercel. Our company is based in Ontario, Canada. Data may be accessed by our team from Canada for the purposes of providing and maintaining the Service.
4.2 International Data Transfers
If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to Canada and the United States for processing. Canada has received an adequacy decision from the European Commission under GDPR Article 45, recognizing that Canadian law provides an adequate level of data protection. For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards as required under applicable law. You may request a copy of the relevant transfer safeguards by contacting us at privacy@ripplux.com.
4.3 Security Measures
We implement appropriate technical and organizational measures to protect your personal information, including: encryption of OAuth access tokens at rest using AES-256-equivalent symmetric encryption (Fernet); encryption of all data in transit using TLS 1.2 or higher; HttpOnly, Secure session cookies to keep session tokens out of reach of cross-site scripting attacks; role-based access controls limiting data access to authorized personnel; automated daily database backups with point-in-time recovery capability; real-time error monitoring and anomaly detection via Sentry; and regular security reviews of our codebase and infrastructure.
While we take commercially reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:
Account data: Retained for the duration of your active subscription and for 30 days following account closure to allow for reactivation.
Advertising and commerce data (Meta, Google Ads, Shopify): Retained for the duration of your active subscription. We maintain a rolling 90-day window of detailed data; older data is retained in aggregated, de-identified form for trend analysis.
Google Analytics 4 and Google Search Console data: Aggregate per-day per-channel metrics from GA4 (runReport) and per-day per-query metrics from Search Console (searchanalytics.query) are retained for the duration of your active subscription. Detailed rolling window: 90 days for GA4, 28 days for Search Console (the maximum the Search Console API exposes). Older data is retained in aggregated, de-identified form. No GA4 user-level data, client IDs, or per-event rows are ever stored by Ripplux.
Experiment data: Retained for 12 months after experiment completion to support longitudinal analysis and audit history.
Billing records: Retained for 7 years as required by Canadian tax law (Income Tax Act, R.S.C., 1985, c. 1 (5th Supp.)).
Technical logs: Retained for 90 days for security and debugging purposes, then automatically purged.
Upon account deletion, we will delete or de-identify your personal information within 30 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims. Account deletion also triggers a downstream deletion cascade — Ripplux issues a Google Analytics 4 user-deletion request via the Google Analytics Admin API submitUserDeletion endpoint, removes your contact from SendGrid (transactional email vendor), removes your event profile from PostHog (product analytics), and sends matching deletion signals to the server-side conversion APIs we use for marketing measurement. The Google Ads and Search Console connections are revoked at the OAuth-token layer; those providers retain the underlying account data on your behalf, not ours, and are governed by their respective privacy policies.
6. Your Privacy Rights
6.1 Rights Under Canadian Law (PIPEDA)
As a Canadian resident, you have the right to: access the personal information we hold about you; request correction of inaccurate or incomplete information; withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions); and file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
6.2 Rights Under European and UK Law (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to: access your personal data and obtain a copy; rectify inaccurate personal data; erase your personal data ("right to be forgotten") in certain circumstances; restrict processing of your personal data; data portability — receive your data in a structured, commonly used, machine-readable format; object to processing based on legitimate interests; withdraw consent at any time where processing is based on consent; and lodge a complaint with your local data protection supervisory authority.
We will respond to requests within 30 days. In complex cases, we may extend this period by an additional 60 days with notice to you.
6.3 Rights Under California Law (CCPA/CPRA)
If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; delete your personal information, subject to certain exceptions; correct inaccurate personal information; opt out of the sale or sharing of personal information — we do not sell or share your personal information as defined under the CCPA/CPRA; non-discrimination for exercising your privacy rights; and limit the use and disclosure of sensitive personal information.
To exercise any of these rights, contact us at privacy@ripplux.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.
6.4 Rights Under Quebec Privacy Law (Law 25)
If you are a Quebec resident, you have the right to: access your personal information; request its rectification; withdraw consent to the communication of your information; and request de-indexation or re-indexation. We will process requests in accordance with Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25.
6.5 How to Exercise Your Rights
You may exercise any of the rights described above through any of the following paths:
- Self-serve deletion form: Submit your email at ripplux.com/data-deletion — open to anyone, no Ripplux account required.
- In-product (signed-in merchants): Visit app.ripplux.com/dashboard/settings and use the Delete Account control.
- Email: Contact privacy@ripplux.com.
We will acknowledge your request within 5 business days and provide a substantive response within 30 days. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
7. Children's Privacy
The Service is designed for use by business merchants and is not directed at individuals under the age of 18 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information promptly.
8. Do Not Track and Global Privacy Control
Ripplux does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) browser signals. We honor Global Privacy Control (GPC) signals as a valid opt-out request under the CCPA/CPRA for California residents.
9. Data Breach Notification
In the event of a data breach involving your personal information that creates a real risk of significant harm, we will: notify the Office of the Privacy Commissioner of Canada as required by PIPEDA; notify affected individuals as soon as feasible, and in any event no later than 72 hours after becoming aware of the breach where required by GDPR; and maintain records of all breaches as required by applicable law. Notifications will include a description of the breach, the types of information involved, the measures we have taken or propose to take, and contact information for further inquiries.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes. If you do not agree to the revised policy, you may close your account.
11. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our handling of your personal information, please contact us:
Ripplux Inc.
Privacy Officer
Ontario, Canada
Email: privacy@ripplux.com
If you are located in the European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
If you are located in Canada and are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
If you are located in California, you may contact the California Privacy Protection Agency for more information about your rights.