Privacy Policy

Last updated: February 21, 2026

This Privacy Policy describes how 12705907 Canada Inc., operating as Ripplux ("Ripplux," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you use our website at ripplux.com and our application at app.ripplux.com (collectively, the "Service").

Ripplux is incorporated under the laws of Canada with its principal office in Ontario, Canada. We are committed to protecting the privacy of our users worldwide in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the United Kingdom General Data Protection Regulation (UK GDPR), and other applicable privacy laws.

1. Information We Collect

1.1 Account Information

When you create a Ripplux account, we collect information provided through Shopify OAuth authentication, including your name, email address, Shopify store name, and Shopify store URL. We do not collect or store your Shopify password.

1.2 Advertising Platform Data

When you connect your advertising accounts, we access data from Meta (Facebook/Instagram) and Google Ads through their respective APIs. This includes campaign names, ad set and ad group configurations, ad creative identifiers, advertising spend amounts, impression and click counts, conversion events, and cost-per-acquisition metrics. We access this data solely to provide our audit and analysis services. We do not modify your advertising campaigns unless you explicitly initiate an incrementality experiment through our Service.

1.3 Shopify Commerce Data

Through your Shopify connection, we access order data including order identifiers, order dates, revenue amounts, and product information. We also access anonymized or pseudonymized customer purchase patterns for the purpose of detecting cannibalization signals and conversion overlap. We do not access, store, or process end-consumer personally identifiable information such as customer names, email addresses, shipping addresses, or payment card details from your Shopify store.

1.4 Payment Information

Subscription payments are processed by Stripe, Inc. We do not receive, access, or store your full credit card number, debit card number, or bank account details. Stripe provides us with a truncated card identifier (last four digits), card brand, and billing country for transaction reference purposes only. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

1.5 Usage and Technical Data

We automatically collect certain technical information when you use the Service, including IP address, browser type and version, operating system, device identifiers, pages visited within the Service, timestamps of access, and referring URLs. We use this information for security monitoring, service improvement, and to diagnose technical issues.

1.6 Cookies and Similar Technologies

Ripplux uses strictly necessary cookies to maintain your authenticated session and remember your preferences. We use an HttpOnly session cookie containing an encrypted JSON Web Token (JWT) for authentication. We do not use third-party advertising cookies or cross-site tracking technologies. If we introduce analytics cookies in the future, we will update this policy and obtain your consent where required by applicable law.

2. How We Use Your Information

We use the information we collect for the following purposes:

To provide and operate the Service: Generating ad waste audits, detecting creative fatigue, identifying conversion overlap, calculating cannibalization risk scores, designing and executing incrementality experiments, and delivering weekly performance digest emails.

To process transactions: Managing your subscription, processing payments through Stripe, enforcing plan limits, and providing billing support.

To communicate with you: Sending transactional emails related to your account (subscription confirmations, trial reminders, sync status notifications), weekly digest emails (which you may disable at any time), and service announcements.

To maintain security and prevent fraud: Monitoring for unauthorized access, detecting anomalous usage patterns, and protecting the integrity of the Service.

To improve the Service: Analyzing aggregate, de-identified usage patterns to improve product features, performance, and reliability. We do not use your individual advertising or commerce data to train machine learning models or for any purpose other than providing the Service to you.

2.1 Legal Bases for Processing (GDPR / UK GDPR)

For users in the European Economic Area, the United Kingdom, and Switzerland, our legal bases for processing personal data are:

Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including accessing your advertising platform data, generating audits, and running experiments.

Legitimate interests (Article 6(1)(f)): Processing for security monitoring, fraud prevention, service improvement through aggregate analytics, and internal administration. We have assessed that these interests are not overridden by your fundamental rights and freedoms.

Consent (Article 6(1)(a)): Where we send marketing communications or use non-essential cookies (if introduced in the future). You may withdraw consent at any time.

Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable law, such as tax record retention or regulatory requests.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We do not share your individual advertising data, commerce data, or audit results with any third party for their own commercial purposes. We share information only in the following limited circumstances:

Service providers: We engage third-party service providers who process data on our behalf to operate the Service. These providers are contractually obligated to use your data only as instructed by us and to maintain appropriate security measures. Our current service providers include:

  • Stripe, Inc. — Payment processing (San Francisco, CA, USA)
  • SendGrid (Twilio Inc.) — Transactional email delivery (San Francisco, CA, USA)
  • Sentry (Functional Software, Inc.) — Error monitoring and performance tracking (San Francisco, CA, USA)
  • Railway Corp. — Application hosting and database infrastructure (San Francisco, CA, USA)
  • Vercel Inc. — Frontend hosting and content delivery (San Francisco, CA, USA)
  • GitHub (Microsoft Corp.) — Source code management and CI/CD (San Francisco, CA, USA)

Advertising platforms: When you connect Meta or Google Ads accounts or initiate incrementality experiments, we communicate with these platforms' APIs using OAuth tokens you have authorized. We read campaign performance data from these platforms. For incrementality experiments, we create controlled holdout experiment configurations on these platforms at your explicit direction. We do not transmit your Shopify commerce data, audit results, or any Ripplux-generated analysis to Meta, Google, or any other advertising platform.

Legal requirements: We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Ripplux, our users, or the public.

Business transfers: If Ripplux is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

4. Data Storage, Security, and International Transfers

4.1 Where We Store Data

Your data is stored on servers located in the United States, operated by our hosting providers Railway and Vercel. Our company is based in Ontario, Canada. Data may be accessed by our team from Canada for the purposes of providing and maintaining the Service.

4.2 International Data Transfers

If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to Canada and the United States for processing. Canada has received an adequacy decision from the European Commission under GDPR Article 45, recognizing that Canadian law provides an adequate level of data protection. For transfers to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards as required under applicable law. You may request a copy of the relevant transfer safeguards by contacting us at privacy@ripplux.com.

4.3 Security Measures

We implement appropriate technical and organizational measures to protect your personal information, including: encryption of OAuth access tokens at rest using AES-256-equivalent symmetric encryption (Fernet); encryption of all data in transit using TLS 1.2 or higher; HttpOnly, Secure session cookies to prevent cross-site scripting attacks; role-based access controls limiting data access to authorized personnel; automated daily database backups with point-in-time recovery capability; real-time error monitoring and anomaly detection via Sentry; and regular security reviews of our codebase and infrastructure.

While we take commercially reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

Account data: Retained for the duration of your active subscription and for 30 days following account closure to allow for reactivation.

Advertising and commerce data: Retained for the duration of your active subscription. We maintain a rolling 90-day window of detailed data; older data is retained in aggregated, de-identified form for trend analysis.

Experiment data: Retained for 12 months after experiment completion to support longitudinal analysis and audit history.

Billing records: Retained for 7 years as required by Canadian tax law (Income Tax Act, R.S.C., 1985, c. 1 (5th Supp.)).

Technical logs: Retained for 90 days for security and debugging purposes, then automatically purged.

Upon account deletion, we will delete or de-identify your personal information within 30 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims.

6. Your Privacy Rights

6.1 Rights Under Canadian Law (PIPEDA)

As a Canadian resident, you have the right to: access the personal information we hold about you; request correction of inaccurate or incomplete information; withdraw consent for the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions); and file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

6.2 Rights Under European and UK Law (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to: access your personal data and obtain a copy; rectify inaccurate personal data; erase your personal data ("right to be forgotten") in certain circumstances; restrict processing of your personal data; receive your data in a structured, commonly used, machine-readable format (data portability); object to processing based on legitimate interests; withdraw consent at any time where processing is based on consent; and lodge a complaint with your local data protection supervisory authority.

We will respond to requests within 30 days. In complex cases, we may extend this period by an additional 60 days with notice to you.

6.3 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; delete your personal information, subject to certain exceptions; correct inaccurate personal information; opt out of the sale or sharing of personal information (we do not sell or share your personal information as defined under the CCPA/CPRA); not be discriminated against for exercising your privacy rights; and limit the use and disclosure of sensitive personal information.

To exercise any of these rights, contact us at privacy@ripplux.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf.

6.4 Rights Under Quebec Privacy Law (Law 25)

If you are a Quebec resident, you have the right to: access your personal information; request its rectification; withdraw consent to the communication of your information; and request de-indexation or re-indexation. We will process requests in accordance with Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25.

6.5 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at privacy@ripplux.com. We will acknowledge your request within 5 business days and provide a substantive response within 30 days. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.

7. Children's Privacy

The Service is designed for use by business merchants and is not directed at individuals under the age of 18 (or 16 in the European Economic Area). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete that information promptly.

8. Do Not Track and Global Privacy Control

Ripplux does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) browser signals. We honor Global Privacy Control (GPC) signals as a valid opt-out request under the CCPA/CPRA for California residents.

9. Data Breach Notification

In the event of a data breach involving your personal information that creates a real risk of significant harm, we will: notify the Office of the Privacy Commissioner of Canada as required by PIPEDA; notify affected individuals as soon as feasible, and in any event no later than 72 hours after becoming aware of the breach where required by GDPR; and maintain records of all breaches as required by applicable law. Notifications will include a description of the breach, the types of information involved, the measures we have taken or propose to take, and contact information for further inquiries.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes. If you do not agree to the revised policy, you may close your account.

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about our handling of your personal information, please contact us:

12705907 Canada Inc., operating as Ripplux
Privacy Officer
Ontario, Canada
Email: privacy@ripplux.com

If you are located in the European Economic Area and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

If you are located in Canada and are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.

If you are located in California, you may contact the California Privacy Protection Agency for more information about your rights.