Back to Home

Privacy Policy

Last updated: December 1, 2025

Introduction

BlackBox Attribution ("we," "us," or "our") provides marketing attribution analytics for Shopify merchants. This Privacy Policy explains how we collect, use, store, and protect information when you use our Shopify app.

By installing BlackBox Attribution, you agree to this Privacy Policy.

Contact: support@getblackbox.io

Company: BlackBox Software LLC

State: Nevada, United States

Information We Collect

From Merchants (Store Owners)

When you install BlackBox Attribution, we collect:

  • Store Information: Your Shopify store domain, store name, and installation timestamp
  • Contact Information: Email address associated with your Shopify account
  • Authentication Data: OAuth access tokens (encrypted and securely stored)

From Orders

To provide attribution analytics, we collect the following order information:

✅ Data We COLLECT:

  • Order ID (Shopify order number)
  • Order total (revenue amount)
  • Order currency (USD, EUR, etc.)
  • Order timestamp (date and time of purchase)
  • Order status (paid, pending, refunded, etc.)
  • Custom attributes (UTM parameters and referrer data stored in cart attributes)

❌ Data We DO NOT Collect:

  • Customer names (first or last)
  • Customer email addresses
  • Customer phone numbers
  • Customer shipping or billing addresses
  • Payment information (credit card details, etc.)
  • Product line items or SKUs

From Website Visitors

Our Web Pixel Extension tracks anonymous visitor behavior to enable attribution:

  • Anonymous Visitor ID: A randomly generated identifier (no personal information)
  • Page Views: URLs of pages visited on your store
  • Referrer Data: The website that referred the visitor (e.g., google.com, facebook.com)
  • UTM Parameters: Marketing campaign data in URLs (utm_source, utm_medium, utm_campaign)
  • Timestamps: When each touchpoint occurred
  • Browser Information: User agent string (for analytics, not identification)

Important: Visitor tracking is anonymous until a purchase is made. We respect Do Not Track browser settings.

How We Use Information

Attribution Analytics

  • Match orders to marketing channels that drove the sale
  • Show first-touch, last-touch, and linear attribution models
  • Display customer journey timelines showing all touchpoints before purchase
  • Calculate channel performance metrics (revenue, order count, conversion rate)

App Functionality

  • Authenticate your Shopify store with our app
  • Process webhooks for order data
  • Display your attribution dashboard
  • Generate reports and exports

Legal Compliance

  • Respond to GDPR data requests (data access, deletion)
  • Maintain audit logs as required by law
  • Comply with Shopify's data protection requirements

We DO NOT use your data for:

  • ❌ Selling or sharing with third parties
  • ❌ Marketing to your customers
  • ❌ Training AI models
  • ❌ Competitive analysis or benchmarking
  • ❌ Any purpose other than providing attribution analytics to you

Data Storage and Security

Encryption

Data at Rest:

  • All data stored in Supabase (PostgreSQL) with AES-256 encryption
  • Database backups are also encrypted

Data in Transit:

  • All API communications use HTTPS/TLS 1.3
  • OAuth tokens encrypted before storage
  • Webhook payloads transmitted over secure connections only

Access Controls

  • Database access restricted to authorized personnel only
  • Row-level security (RLS) ensures merchants only see their own data
  • Multi-factor authentication required for all admin access
  • Access logs maintained for audit purposes

Infrastructure

  • Hosted on Vercel (frontend) and Supabase (database)
  • Both platforms are SOC 2 Type II certified
  • Regular security audits and vulnerability scanning
  • Automatic security patches applied

Data Retention

Active Subscription

  • Free Tier: 90 days of historical data
  • Pro Tier: Unlimited historical data
  • Custom: Upon request, we can extend or reduce retention periods

After Cancellation

  • Grace Period: 30 days after cancellation (allows you to reactivate)
  • Permanent Deletion: All data permanently deleted after 30-day grace period

Data Deletion Process

When you uninstall the app or after the grace period:

  1. We receive Shopify's shop/redact webhook
  2. All orders, tracking events, and store data are permanently deleted
  3. Database records are overwritten and cannot be recovered
  4. Deletion is logged for compliance purposes

To request immediate deletion before the grace period ends, contact us at support@getblackbox.io

Data Sharing

We Do Not Sell Your Data

We will never sell, rent, or trade your data or your customers' data to third parties.

Limited Sharing

We only share data with:

Service Providers:

  • Supabase (database hosting) - stores encrypted data
  • Vercel (app hosting) - transmits encrypted data
  • Shopify (via API) - receives attribution data via webhooks

Legal Requirements:

We may disclose data if required by law, such as:

  • Valid subpoenas or court orders
  • Government investigations
  • Protection of our legal rights

Business Transfers:

If BlackBox Attribution is acquired or merged, your data may be transferred to the new entity. You will be notified and given the option to delete your data before any transfer.

Your Rights

You have the following rights regarding your data:

Right to Access

Request a copy of all data we have about your store and customers.

Right to Deletion

Request immediate deletion of your data (we'll process within 30 days).

Right to Correction

Request correction of inaccurate data.

Right to Portability

Export your attribution data in CSV format from the app's Export Center.

Right to Object

Object to specific data processing activities (we'll stop within 30 days).

To exercise these rights, email us at support@getblackbox.io

GDPR Compliance

BlackBox Attribution complies with the General Data Protection Regulation (GDPR) and other privacy laws.

Legal Basis for Processing

  • Legitimate Interest: Attribution analytics help merchants improve marketing ROI
  • Consent: By installing the app, you consent to data collection as described
  • Contract: Processing necessary to provide the app service you requested

Data Controller vs. Processor

  • You (Merchant): Data Controller - you own and control customer data
  • BlackBox Attribution: Data Processor - we process data on your behalf
  • Shopify: Data Processor - provides platform infrastructure

Mandatory Webhooks

We implement Shopify's required GDPR webhooks:

  • customers/data_request - Respond to data access requests
  • customers/redact - Delete customer data on request
  • shop/redact - Delete all store data after uninstall

International Data Transfers

  • Data stored in US data centers (Supabase US-West region)
  • We comply with EU-US Data Privacy Framework
  • Standard Contractual Clauses (SCCs) available upon request

CCPA Compliance (California Privacy Rights Act)

California Residents' Rights

If you are a California resident, you have additional rights:

Right to Know:

  • What categories of personal information we collect
  • Sources from which we collect personal information
  • Purpose for collecting personal information
  • Categories of third parties with whom we share personal information

Right to Delete:

Request deletion of your personal information (subject to certain exceptions)

Right to Opt-Out:

  • We do NOT sell personal information
  • We do NOT share personal information for cross-context behavioral advertising

Right to Non-Discrimination:

We will not discriminate against you for exercising your CCPA rights

To Exercise Your Rights:
Email support@getblackbox.io with:

  • Your Shopify store domain
  • Specific right you want to exercise
  • Proof of store ownership (we'll verify via Shopify)

We'll respond within 45 days as required by CCPA.

Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If you believe we have collected information from a child under 18, please contact us immediately at support@getblackbox.io and we will delete the information.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  1. We'll update the "Last Updated" date at the top
  2. Material changes will be announced via email
  3. Continued use of the app after changes means you accept the updated policy

We recommend reviewing this page periodically for changes.

Third-Party Services

Shopify

Our app integrates with the Shopify platform. Shopify's handling of your data is governed by their privacy policy:

https://www.shopify.com/legal/privacy

Vercel (Hosting)

We use Vercel for app hosting. Vercel's privacy policy:

https://vercel.com/legal/privacy-policy

Supabase (Database)

We use Supabase for data storage. Supabase's privacy policy:

https://supabase.com/privacy

Contact Us

If you have questions about this Privacy Policy or how we handle data:

Email: support@getblackbox.io

Company: BlackBox Software LLC

State: Nevada, United States

Response Time: We aim to respond within 48-72 hours

For data access or deletion requests, please email support@getblackbox.io with:

  • Your Shopify store domain
  • Description of your request
  • Proof of store ownership (we'll verify via Shopify)

We'll respond within 30 days.

This Privacy Policy applies to BlackBox Attribution Shopify app only.
For Shopify's privacy practices, see Shopify Privacy Policy.

Last updated: December 1, 2025

Effective date: December 1, 2025