Privacy Policy
This Privacy Policy describes how McDaniel Creative ("we," "us," "our") collects, uses, and shares information in connection with the Convetrics Shopify app ("Convetrics," the "Service") available at mcdanielcreative.com/convetrics-app and installed by merchants in their Shopify admin.
If you have questions about this policy or your data, contact us at mcdanielcreative@gmail.com.
1. Who this policy applies to
This policy describes data we collect about two different groups:
- Merchants — Shopify store owners and staff who install and use Convetrics to understand where their orders come from.
- Customers — people who place orders on a Shopify store that has Convetrics installed.
The most important thing to know up front: Convetrics stores no customer personally identifiable information (PII). No names, no email addresses, no phone numbers, no street addresses — ever. We store order economics, region-level geography, and traffic attribution only. The rest of this policy explains exactly what that means.
2. What we collect
From merchants
When you install Convetrics, we collect from Shopify:
- Your shop's myshopify.com domain, contact email, and store name.
- An OAuth access token with two read-only scopes — read_orders (order economics and attribution) and read_products (product type and vendor, used to break sales down by product category). Both are read-only: Convetrics can never write any data, and cannot access your customer accounts, themes, or storefront.
- The settings you configure in the Convetrics admin (report preferences, date ranges, etc.).
When you use the Convetrics admin, our servers also record standard request metadata: IP address, browser type, and the pages you visit.
From orders (no PII)
For each order on your store, Convetrics reads and stores:
- Conversion attribution from Shopify's customerJourneySummary: number of sessions before purchase, traffic source and referrer, landing page, UTM parameters (source / medium / campaign / term / content), and days from first visit to conversion.
- Order economics: order ID, totals, currency, discount amounts, line-item counts, and timestamps.
- Region-level geography only: country, state/province, and postal code from the shipping address. We do not store the street address, city-level address lines, or the name attached to the address.
We deliberately do not read or store customer names, email addresses, or phone numbers; street addresses; Shopify customer IDs linked to identity records; or payment details of any kind.
Convetrics has no storefront pixel, sets no cookies on your storefront, and does no shopper tracking of its own. All attribution data comes from Shopify's own per-order conversion summary via the Admin API.
3. Why we collect it (legal basis)
For merchants, our legal basis for processing is performance of the contract that begins when you install the app and accept our terms, plus our legitimate interest in operating and improving the Service.
For order data, the legal basis is the merchant's legitimate interest in understanding their store's marketing performance. Because the data we store contains no direct identifiers (Section 2), the privacy impact on customers is minimal by design: a row in our database describes an order's traffic source and economics, not a person.
4. How we use it
- Aggregate per-order attribution into the merchant's dashboard reports (channels, campaigns, conversion paths, regions).
- Compute averages and trends (sessions to conversion, days to conversion, revenue by source).
- Let the merchant export their own reports to CSV.
- Detect bugs, monitor reliability, and improve the Service.
- Comply with our legal obligations.
We do not sell data to anyone, ever. We do not use the data for advertising, profiling, or any purpose other than producing the merchant's own reports.
5. Sub-processors — who we share data with
Convetrics data lives in our own application database and is never sent to third-party analytics, advertising, or AI services. The only parties involved in operating the Service are:
| Sub-processor | What they do | Data they receive |
|---|---|---|
| Shopify | Underlying e-commerce platform | Order data originates from Shopify's APIs and webhooks; we read it, we don't send anything back |
| Our hosting provider | Application hosting and database | All Convetrics data is stored on our hosting infrastructure |
We do not share data with advertising networks, data brokers, AI providers, or analytics providers. Nothing leaves our database except in the form of your own dashboard and CSV exports, delivered to you.
6. Where data is stored
Convetrics data is hosted in the United States. If you're a merchant outside the United States, your shop's data will be transferred to and processed in the U.S. For merchants in the European Economic Area, the United Kingdom, or Switzerland, this transfer relies on Standard Contractual Clauses as the applicable safeguard.
7. Data retention
| Data | Retention |
|---|---|
| Order attribution + economics rows | Retained while you have the app installed, so your historical reports keep working |
| Postal codes on redacted orders | Cleared when Shopify sends a customers/redact webhook for the associated customer (see Section 9) |
| Merchant settings and access token | Deleted within 48 hours of uninstall via the standard Shopify shop/redact webhook, along with all of your shop's rows |
| Admin request logs | Deleted after 90 days |
You can request earlier deletion at any time at mcdanielcreative@gmail.com.
8. Cookies
The Convetrics admin (embedded in your Shopify admin) uses only the session cookies required by Shopify's embedded-app authentication. Convetrics sets no cookies on your storefront and has no storefront-facing code at all. There is nothing for your shoppers to consent to, because we never touch their browsers.
9. GDPR webhooks and your customers' rights
Convetrics implements Shopify's three mandatory privacy webhooks, and our answers are unusually simple because we store no PII:
- customers/data_request — when a customer asks a merchant for their data, Shopify forwards the request to us. Our response: we hold no personal data for any customer. There are no names, emails, phones, or addresses in our database to return.
- customers/redact — when a customer requests erasure, we clear the postal codes on that customer's orders in our database — the only field we store that could, in combination with other data, narrow down an individual. Everything else we hold about those orders (source, sessions, totals) is not personal data.
- shop/redact — 48 hours after you uninstall, Shopify fires this webhook and we delete every row associated with your shop: orders, attribution, settings, tokens, everything.
Customers who wish to exercise access, deletion, correction, portability, or objection rights should contact the merchant whose store they purchased from; Shopify's standard data-subject request workflow reaches us automatically via the webhooks above. You can also contact us directly at mcdanielcreative@gmail.com and we will respond within 30 days.
California residents: we do not sell or share personal information as those terms are defined under the CCPA.
10. Security
We follow industry-standard practices:
- All data encrypted in transit (HTTPS / TLS 1.2+) and at rest.
- Database backups are encrypted.
- Production secrets stored only in our host's encrypted secrets store, never in source code.
- Access to production infrastructure protected by two-factor authentication.
- Shopify webhook and OAuth signatures verified on every inbound request.
- Only the read-only scopes the reports need (read_orders, read_products) — no write access, and nothing beyond what the dashboard uses.
- No PII stored, which is the strongest security control of all: data we never hold can never leak.
No system is perfectly secure; if you believe your data may have been compromised, contact us immediately at mcdanielcreative@gmail.com.
11. Children's privacy
Convetrics is a merchant analytics tool and is not directed to children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children — or, by design, from anyone else's customers.
12. Changes to this policy
We may update this policy from time to time. When we do, we'll update the "Last updated" date at the top of this page. Material changes will be announced via the Convetrics admin interface and, where required, by email to merchants. Your continued use of the Service after a change indicates your acceptance of the updated policy.
13. Contact
Questions, concerns, or requests:
McDaniel Creative
Email: mcdanielcreative@gmail.com
Website: mcdanielcreative.com/convetrics-app
© 2026 McDaniel Creative