Privacy Policy

For end-customers of stores using Ordinary

If you visited a Shopify store that uses Ordinary, this policy describes Ordinary's overall practices. The merchant whose store you visited is the data Controller for your data; their privacy policy is the primary reference for how your data is used. To delete your data, see our Data Deletion page or contact the merchant directly through their store.

1. Introduction

Ordinary is operated by LoudNoises, LLC ("we," "our," or "us"), the data controller for the purposes of this Privacy Policy. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services.

We are compliant with GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) standards.

2. Information We Collect

2.1 Information from Third-Party Services

When you connect your accounts, we collect:

• Shopify: Order data, customer information, product data, store settings, and order shipping address — used to show you revenue and customer cohorts by location
• Meta (Facebook/Instagram): Ad campaign data, ad account information, performance metrics, ad creative content (ad copy text, images, videos), audience configurations, and performance broken down by ad placement and demographic. See Section 2.7 for how this data is used.
• Amazon: Your Amazon Seller account business data — sales and traffic metrics (ordered sales, units, sessions, page views, conversion rate, Buy Box share), financial data (settlements, fees, refunds, and adjustments), inventory levels, and order records (product, quantity, and price only — no end-buyer names, email addresses, or shipping addresses are collected from Amazon orders) — together with Amazon advertising metrics for your Sponsored Products, Brands, and Display campaigns. Read-only.
• Google Ads: Campaign performance data at campaign-, ad-group-, ad-, and keyword-level (spend, impressions, clicks, conversions, conversion value), performance broken down by device, network placement (Search, Display, YouTube, Shopping, Discovery, Performance Max), geographic location, and demographic (age range, gender, parental status, household income range), ad asset content (headlines, descriptions, image and video creatives associated with campaigns and ad groups), configuration history (daily snapshots of campaign and ad-group budget, status, bid strategy, and targeting), ad account metadata, and conversion-event configuration. Orders that arrive at your storefront with a Google click identifier (`gclid`) in the URL are joined to your ad data so you can compare Google-reported conversions against orders your store actually recorded. Read access via the Google Ads API powers this reporting. Beyond that, at your request Ordinary creates ad creative assets and drafts in your connected account from creatives you generate in Ordinary, in a non-serving draft state you review and publish yourself within Google Ads. Ordinary does not edit campaigns, budgets, bids, or targeting, does not serve ads or spend your budget, and does not upload conversions or audiences.
• Klaviyo: Campaign and flow performance data (recipients, opens, clicks, unsubscribes, bounces, spam complaints, attributed revenue), campaign and flow metadata (name, send time, trigger type, status). Orders that arrive at your storefront with a Klaviyo click identifier (`_kx`) on the link are joined to your campaign data so you can compare Klaviyo-reported revenue against orders your store actually recorded. Read-only ingest via the Klaviyo API; Ordinary does not send campaigns, edit flows, modify lists, or upload subscribers to Klaviyo.
• Analytics Providers: Session data, page views, user behavior (Google Analytics 4, PostHog)
• ShipBob: Inventory levels, fulfillment data

2.2 Information You Provide

• Account registration information (name, email, organization)
• API credentials and access tokens
• Configuration preferences
• Custom notes and tags

2.3 Automatically Collected Information

Applies only to merchant users who log into the Ordinary dashboard. End-customer visitors of merchant storefronts have their data captured via the pixel as described in Section 2.4 — IP addresses are not stored against individual storefront events.

• Log data (IP address, browser type, timestamps) for dashboard sessions
• Usage analytics (features used, session duration)
• Device information

2.4 Storefront Pixel Data

Ordinary's Shopify Web Pixel runs on participating merchants' storefronts (only stores that have installed the Ordinary app). The pixel does NOT run on the Ordinary dashboard or anywhere outside a participating merchant's storefront. It captures the following on each merchant's behalf, as that merchant's data Processor:

Pseudonymous browsing data (every event):

• A pseudonymous client_id (set by Shopify, not a name or email)
• A pseudonymous browser UUID (random v4 identifier, written to your device's localStorage by Ordinary's storefront extension; lasts up to 90 days)
• Page URL, document referrer, device type, user agent
• Operating system family (iOS, Android, macOS, Windows, Linux, ChromeOS, or other), classified from the user agent string. No separate geolocation lookup runs to derive this.
• Visitor classification — whether you are new to the storefront or returning — derived from a small cookieless marker the pixel writes in its own isolated storage on your first visit. The marker is scoped to the pixel itself and is not shared with the rest of the storefront or with any other Ordinary surface; clearing browser data resets it.
• UTM parameters and Facebook click identifiers (fbclid + campaign/adset/ad ids)
• Approximate location at city level (country, region, city, latitude, longitude) derived from the IP address of the visit. The raw IP address is read at the network edge and used only to derive the city-level location; the raw IP is not stored against the event record
• Event timestamp

Event types captured: page view, product view, collection view, search, cart view, add-to-cart, remove-from-cart, checkout started, checkout contact info, checkout address info, checkout shipping info, payment info submitted, checkout completed, plus storefront alert and UI extension error events.

Identifiers captured at checkout (associated with the client_id only after the buyer types them into the checkout form, including checkouts the buyer abandons before completing):

• Email address, phone number (raw, as supplied by the buyer)
• Billing and shipping address country, province, postal code, city
• Marketing consent flags (email and SMS) and SMS marketing phone
• Cart and checkout line items: product/variant IDs, SKUs, quantities, prices, line totals, currency
• Discount codes applied and their values
• Cart attributes (custom key/value pairs the merchant has configured)
• Order ID and Shopify customer ID (only on checkout completion)

Diagnostic data (used to surface storefront issues to the merchant):

• Storefront alert messages and values (e.g. "item out of stock", "payment declined")
• UI extension error messages and stack traces
• Search queries entered into the storefront search box

Local persistence on the buyer's device:

• A 90-day localStorage record of first-touch and last-touch UTM parameters, used to associate later purchases with their original marketing source.
• A session-storage referrer record (lasts only for the current browsing session).

Local persistence is gated by the buyer's consent state as exposed by Shopify's analytics-consent API. When analytics consent is declined, the pixel falls back to a session-only attribution record that is lost when the tab closes.

Pixel data is associated with a pseudonymous client_id and joined to identifying data (email, phone) only at the checkout step. Browsing activity that never reaches checkout remains pseudonymous.

2.5 Region-aware identity stitching

When a buyer reaches checkout on more than one device — for example, browsing on mobile and completing the purchase on desktop — Ordinary can link those two devices together using a one-way SHA-256 hash of the buyer's checkout email. This linkage lets the merchant's attribution reports treat the buyer's journey as a single customer journey rather than two unrelated visitor sessions. It is this linkage — and only this linkage — that turns Ordinary's otherwise pseudonymous browser identifiers into associated personal data within the merchant's analytics.

To respect the consent-based privacy regimes of certain jurisdictions, Ordinary applies a region-aware default to this linkage. When the IP-derived approximate location of a visit is in the European Economic Area, the United Kingdom, Switzerland, or Brazil, Ordinary does NOT write the email-hash linkage row. Visitors from these regions still have visit-to-order attribution within the same browser via the pseudonymous Bridge UUID — but the cross-device email-hash bridge is not written, so a buyer who switches between mobile and desktop appears to the merchant as two distinct visitor sessions.

For visitors in the United States (including California), Canada, Australia, New Zealand, and the rest of the world, the cross-device email-hash linkage is written by default, on the merchant's instruction and in reliance on the merchant's privacy-policy disclosure. CCPA and CPRA (California's privacy regime) regulate the sale and sharing of personal information with third parties, not first-party linkage of pseudonymous identifiers to a merchant's own customer record.

The pseudonymous Bridge UUID is a random identifier written to the visitor's storefront localStorage. It is not derived from any personal data and is treated as pseudonymous under GDPR Article 4(1) until and unless it is linked to identifying data — which, in strict regions, Ordinary does not do.

Optional first-party network route. Merchants may optionally configure first-party CNAME forwarding from a subdomain of their own domain (e.g. i.<merchant-domain>) to Ordinary's tracking infrastructure. When configured, storefront pixel events flow through the merchant's own subdomain before reaching Ordinary; without it, events are sent directly to Ordinary's domain. The data we receive, process, and store is identical in either case — only the network route differs. Ordinary's role as the merchant's data processor, the categories of data collected, our retention windows, and the sub-processors who handle the data (Section 7.3) are all unchanged whether or not this routing is configured.

2.6 Marketing website (tryordinary.com) analytics

When you visit tryordinary.com — our public marketing site — Ordinary captures basic web analytics to understand which pages get traffic, where visitors come from, and what content is engaging. This analytics surface is separate from anything that runs on a merchant's Shopify storefront and is not connected to the merchant or end-customer data described in 2.4 and 2.5 above.

What we collect on tryordinary.com:

• Pageview events (URL, page title, document referrer)
• Click events on buttons, calls-to-action, and navigation links (the visible link text and the destination URL)
• Form submission events (form name and submit action only; not field contents)
• Approximate location at city level (country, region, city), derived from the IP address of your visit at our network edge. The raw IP address is not stored against the event record.
• UTM parameters and ad-platform click identifiers (gclid, fbclid, msclkid, and similar) when present in the URL you arrived on
• Browser type and device class (derived from the User-Agent header)
• Session boundaries (a session is closed after 30 minutes of inactivity)

We forward these events to Google Analytics 4 for reporting. Google receives only the data described above; no merchant data, no end-customer storefront data, no payment information.

We also use Google Ads on tryordinary.com to measure how well our own advertising performs and to show ads to people who have previously visited our marketing site (remarketing). This relates only to how Ordinary markets its own app — it does not involve any merchant or end-customer storefront data. It runs through the same Google tag as our analytics and is governed by the same region-aware consent posture described below: in strict-region jurisdictions no advertising cookies are set and you are not added to any remarketing audience unless you accept.

If you submit a form on tryordinary.com after accepting cookies, Google's “enhanced conversions” feature may receive a hashed, irreversible version of your email address to help us measure how well our advertising performs. This applies only to data you enter on our own marketing site, is never shared in a form that can be reversed back to your email, and — like all our advertising tags — is withheld entirely until you accept advertising cookies.

Region-aware consent posture for tryordinary.com:

For visitors whose IP-derived location is in the European Economic Area, the United Kingdom, Switzerland, or Brazil, we apply a cookie-less anonymous mode:

• We do not set a persistent visitor cookie
• The visitor's identifier is derived from a daily-rotating SHA-256 hash of IP and User-Agent. The same visitor receives a stable identifier within a single day; the hash rotates at UTC midnight, making cross-day correlation impossible
• We set non_personalized_ads: true on every event from these regions, disabling Google's ad personalization

For visitors in other regions (United States including California, Canada, Australia, New Zealand, and the rest of the world), a first-party analytics cookie is set on tryordinary.com with a randomly generated visitor identifier, persisting up to 2 years, alongside a short-lived session cookie that tracks the current session window. CCPA and CPRA regulate the sale and sharing of personal information with third parties, not first-party analytics cookies on a domain you are visiting directly.

Consent banner for strict-region visitors. When tryordinary.com detects a visitor from a strict-region jurisdiction (the EU/EEA, UK, Switzerland, or Brazil) without a stored consent choice, we display a small consent banner asking the visitor to accept or decline our use of analytics and advertising cookies. Until the visitor accepts, our analytics and advertising tags run in Google Consent Mode v2 with all signals denied — events may still fire as cookieless aggregate pings (which Google can use for modeling) but no tracking cookies are written. Declining keeps the tag in this denied state for the full session. Accepting stores a single record of that choice in the visitor's browser local storage so the banner does not reappear on subsequent visits.

You can clear or block these cookies through your browser settings at any time. Doing so does not affect functionality on the site.

2.7 Meta ad campaign data and creative content

When you connect your Meta (Facebook/Instagram) ad account to Ordinary, we store additional details about your ad campaigns and creatives so the dashboard can provide deeper analytics across time. This includes:

• Ad creative content: ad copy text (primary text, headlines, descriptions, calls-to-action), the images and videos used in your ads, and the destination URLs they link to
• Campaign and ad set configuration: objective, bid strategy, budget, attribution settings, audience targeting configuration (lookalike percentage, interest categories, custom-audience identifiers, age range, geographic targeting summary)
• Performance metrics broken down by placement (Feed, Stories, Reels, Audience Network, etc.) and by demographic (age range, gender, country at the level Meta exposes — Meta redacts demographic data at small sample sizes for privacy)
• Pixel configuration diagnostics: the priority order of conversion events configured on your Meta pixel, used to surface an in-product diagnostic when the priority looks misconfigured for your funnel

What this data is: all of the above is your business's own marketing operations data — campaigns you configured in Meta Ads Manager, creatives you uploaded, performance metrics from your own ad accounts. It does NOT include personal information about end-customers, shoppers, or users of your storefront. Audience targeting summaries describe configuration only (e.g. “a lookalike of your existing customer list”); they do not contain the lists of individual users themselves — those audiences live entirely on Meta's side and are never transferred to Ordinary.

Where this data lives: ad creative media (images and videos) are mirrored to Ordinary's storage (DigitalOcean Spaces) so the dashboard can serve them quickly and so historical creatives stay accessible even after Meta rotates the original CDN URLs. The creative metadata (copy, targeting summary, configuration history) is stored in Ordinary's primary database alongside the rest of your dashboard data.

How this data is used: to power deeper analytics in your dashboard (placement-level performance, demographic performance, configuration history, an ad-creative library, conversion-gap analysis between Meta-reported and store-attributed orders) and to enable AI-driven analysis of your winning creative angles, copy suggestions, and assistance with generating new ad concepts. AI-generated drafts are presented as suggestions for you to review before they are published; Ordinary does not publish ads to Meta on your behalf without your explicit action.

You retain ownership of all your ad creative content. You can disconnect your Meta integration at any time from the dashboard; on disconnection we stop ingesting new data, and we offer a deletion request flow (see Section 6) for removing the historical data we've stored.

2.8 Google Analytics 4 data (merchant-connected)

When you connect your Google Analytics 4 property to Ordinary using your Google account, Ordinary reads your GA4 data on your behalf and displays it within your Ordinary dashboard alongside the data we receive from Shopify, Meta, and other channels you have connected. Connection is initiated by you from the Ordinary settings page; you select which GA4 property to connect, and we never read GA4 properties you have not explicitly chosen.

What we read: session counts, user counts, page views, traffic sources and channel groupings, conversion and event counts, engagement metrics, and the dimensions you have configured on your GA4 property. We read this data only for the property you have selected; we do not enumerate other properties on your Google account, and we do not access any other Google services through this connection.

How we use it: GA4 metrics are displayed in your Ordinary dashboards as one of several traffic and attribution sources. The data drives cross-channel comparisons between GA4's view of channel performance and what each ad platform reports, contributes to Ordinary's attribution calculations that credit orders to the marketing touchpoints that led to them, and surfaces discrepancy diagnostics where GA4-reported conversion counts differ from your Shopify-confirmed orders. We do not write back to Google Analytics, do not modify your GA4 property in any way, and do not use GA4 data for advertising or retargeting.

Where this data lives: GA4 OAuth refresh tokens are stored encrypted in Ordinary's primary database. Aggregated GA4 metrics retrieved by our scheduled syncs are stored alongside the rest of your dashboard data and retained per Section 4.

Compliance with Google API Services User Data Policy: Ordinary's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: Google user data is used only to provide and improve user-facing features that are visible within Ordinary's dashboard; we do not transfer Google user data to third parties except as needed to provide those features (and only to the sub-processors listed in Section 7.3, each bound by a written data protection contract), for security and fraud-prevention purposes, to comply with applicable law, or as part of a merger or acquisition with prior user notice; we do not allow humans to read Google user data except with your affirmative consent for a specific support request, for security and abuse investigation, to comply with applicable law, or in aggregated and anonymised form for internal operations; we do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising; we do not use Google user data to train, develop, fine-tune, or otherwise improve generalised or personalised AI/ML models, including the AI features inside Ordinary; we do not sell or transfer Google user data to data brokers, information resellers, credit bureaus, lending decision systems, or any party that would use it for credit-worthiness determination or lending purposes; and we do not use Google user data to build, populate, or augment databases for resale.

OAuth scopes requested: read-only access via https://www.googleapis.com/auth/analytics.readonly — the only Google scope this integration requests. Limited to the GA4 property you select during connection.

Deletion of GA4-derived data: to delete Google-account-derived data already stored in Ordinary, contact privacy@tryordinary.com or use the disconnect flow above (which deletes the OAuth refresh token immediately; historical aggregated metrics follow the deletion-request flow in Section 6).

Revocation: you can disconnect Google Analytics from Ordinary at any time from the settings page in your dashboard, which deletes the OAuth refresh token we hold. You can also revoke Ordinary's access to your Google account directly at myaccount.google.com/permissions — this is Google's central revocation page that works for any application you have authorised. Either path stops further reads; deletion of the historical aggregated metrics already stored in Ordinary follows the deletion request flow described in Section 6.

2.9 Google Ads campaign data (merchant-connected)

When you connect your Google Ads account to Ordinary using your Google account, Ordinary reads your Google Ads data on your behalf and displays it within your Ordinary dashboard alongside the data we receive from Shopify, Meta, GA4, and other channels you have connected. Connection is initiated by you from the Ordinary settings page; you select which Google Ads accounts to connect (a Manager Account or an individual account), and we never read Google Ads accounts you have not explicitly chosen.

What we read: campaign, ad-group, ad, and keyword performance (spend, impressions, clicks, conversions, conversion value); performance broken down by device, network placement (Search, Display, YouTube, Shopping, Discovery, Performance Max), geographic location, and demographic (age range, gender, parental status, household income range); ad asset content (headlines, descriptions, image and video creatives associated with campaigns and ad groups); configuration history (daily snapshots of campaign and ad-group budget, status, bid strategy, and targeting); ad account metadata; and conversion-event configuration. We do not read end-customer-identifying information through this integration — Google Ads' API does not expose individual users to advertisers.

How we use it: Google Ads metrics are displayed in your Ordinary dashboards as one of several traffic and attribution sources. The data drives cross-channel comparisons between Google Ads' view of conversion performance and what your store actually recorded, contributes to Ordinary's attribution calculations that credit orders to the marketing touchpoints that led to them, and surfaces discrepancy diagnostics where Google-reported conversion counts differ from your Shopify-confirmed orders. Beyond this reporting, at your request Ordinary creates ad creative assets and drafts in your connected Google Ads account, using creatives you generate inside Ordinary. These are created in a non-serving draft state — Ordinary does not publish them, start or stop ad serving, or spend your budget; you review and publish them yourself in Google Ads. Ordinary does not create or edit campaigns, budgets, bids, or targeting, and does not upload conversions or audiences.

Where this data lives: Google Ads OAuth refresh tokens are stored encrypted in Ordinary's primary database. Aggregated Google Ads metrics retrieved by our scheduled syncs are stored alongside the rest of your dashboard data and retained per Section 4.

OAuth scopes requested: access via https://www.googleapis.com/auth/adwords — the only Google scope this integration requests, and the only Ads API scope Google offers (there is no read-only variant). Ordinary uses it to read your reporting data and, at your request, to create draft ad creatives. Limited to the Google Ads accounts you select during connection.

Compliance with Google API Services User Data Policy: Ordinary's use of information received from the Google Ads API adheres to the Google API Services User Data Policy, including the Limited Use requirements. The same Limited-Use rules as Section 2.8 apply: Google user data is used only to provide and improve user-facing features that are visible within Ordinary's dashboard; transferred to third parties only as needed to deliver those features (and only to the sub-processors listed in Section 7.3), for security and fraud prevention, to comply with law, or as part of a merger or acquisition with prior user notice; not read by humans except with your affirmative consent for a specific support request, for security and abuse investigation, to comply with law, or in aggregated and anonymised form for internal operations; not used to serve advertisements (including retargeting, personalised, or interest-based advertising); not used to train, develop, fine-tune, or otherwise improve generalised or personalised AI/ML models, including the AI features inside Ordinary; not sold or transferred to data brokers, information resellers, credit bureaus, lending decision systems, or any party that would use it for credit-worthiness determination or lending purposes; and not used to build, populate, or augment databases for resale.

Revocation: you can disconnect Google Ads from Ordinary at any time from the settings page in your dashboard, which deletes the OAuth refresh token we hold. You can also revoke Ordinary's access to your Google account directly at myaccount.google.com/permissions — this is Google's central revocation page that works for any application you have authorised. Either path stops further reads; deletion of the historical aggregated metrics already stored in Ordinary follows the deletion request flow described in Section 6.

Deletion of Google-Ads-derived data: to delete Google-account-derived data already stored in Ordinary, contact privacy@tryordinary.com or use the disconnect flow above.

2.10 Google Search Console data (merchant-connected)

When you connect your Google Search Console account to Ordinary using your Google account, Ordinary reads your Search Console data on your behalf and displays it within your Ordinary dashboard alongside the data we receive from Shopify, Meta, Google Ads, GA4, and other channels you have connected. Connection is initiated by you from the Ordinary settings page; you select which verified sites Ordinary may read (and we never read Search Console properties you have not explicitly chosen).

What we read: organic search performance for the verified sites you select — queries (search terms shown to users on Google Search), impression counts, click counts, click-through rates, and average ranking position, per query and per landing page, by day. We do not read end-customer-identifying information through this integration — Search Console's API does not expose individual searchers to site owners.

How we use it: Search Console metrics are displayed in your Ordinary dashboards as the organic-search source alongside paid channels. The data drives cross-channel comparisons between organic and paid search performance, supports a planned unified paid-and-organic keyword report so you can see which terms you pay for that you also rank organically for, and contributes to Ordinary's attribution view of where store traffic originates. Read-only ingest only — Ordinary does not create properties, verify sites, modify configuration, submit sitemaps, request indexing, or write any other data back to Search Console.

Where this data lives: Search Console OAuth refresh tokens are stored encrypted in Ordinary's primary database. Aggregated Search Console metrics retrieved by our scheduled syncs are stored alongside the rest of your dashboard data and retained per Section 4.

OAuth scopes requested: read-only access via https://www.googleapis.com/auth/webmasters.readonly — the only Search Console scope this integration requests. Limited to the verified sites you select during connection.

Compliance with Google API Services User Data Policy: Ordinary's use of information received from the Search Console API adheres to the Google API Services User Data Policy, including the Limited Use requirements. The same Limited-Use rules as Sections 2.8 and 2.9 apply: Google user data is used only to provide and improve user-facing features that are visible within Ordinary's dashboard; transferred to third parties only as needed to deliver those features (and only to the sub-processors listed in Section 7.3), for security and fraud prevention, to comply with law, or as part of a merger or acquisition with prior user notice; not read by humans except with your affirmative consent for a specific support request, for security and abuse investigation, to comply with law, or in aggregated and anonymised form for internal operations; not used to serve advertisements (including retargeting, personalised, or interest-based advertising); not used to train, develop, fine-tune, or otherwise improve generalised or personalised AI/ML models, including the AI features inside Ordinary; not sold or transferred to data brokers, information resellers, credit bureaus, lending decision systems, or any party that would use it for credit-worthiness determination or lending purposes; and not used to build, populate, or augment databases for resale.

Revocation: you can disconnect Search Console from Ordinary at any time from the settings page in your dashboard, which deletes the OAuth refresh token we hold. You can also revoke Ordinary's access to your Google account directly at myaccount.google.com/permissions — this is Google's central revocation page that works for any application you have authorised. Either path stops further reads; deletion of the historical aggregated metrics already stored in Ordinary follows the deletion request flow described in Section 6.

Deletion of Search-Console-derived data: to delete Google-account-derived data already stored in Ordinary, contact privacy@tryordinary.com or use the disconnect flow above.

2.11 Account creation when installing from the Shopify App Store

When you install Ordinary directly from the Shopify App Store, we create your Ordinary user account using the shop owner's name and email that Shopify shares with us during the install handshake. We pass that information to Clerk (our identity-management sub-processor — see Section 7.3) to mint your account. No password is collected from you at install: you can set one later from your account settings or sign in via SSO.

If a Clerk account already exists for that email address, we attach your Ordinary access to that existing account rather than creating a duplicate. The data flow is one-time at install: subsequent dashboard activity, sync jobs, and webhook deliveries do not re-fetch your shop-owner identity from Shopify.

If you would prefer to create your account with a different email address than the one Shopify holds for your shop owner, you can complete a manual sign-up at tryordinary.com instead and then connect Shopify from inside the dashboard.

2.12 Acceptance records for these terms

When you accept this Privacy Policy or our Terms of Service — at sign-up, when the documents change, or via in-app prompts — we log a record of that acceptance so we can demonstrate consent if asked. Each acceptance record includes which document (Terms or Privacy Policy), the version of the document you accepted, the date the document was last revised, the calendar timestamp of your acceptance, the browser User-Agent string of the device you accepted from, and a label describing where the acceptance happened (sign-up, in-app interstitial when documents changed, settings page re-acceptance, invite acceptance, or Shopify install consent).

Region-aware IP capture. We record your IP address with the acceptance record only when you accept from a region we treat as permissive (the United States including California, Canada, Australia, New Zealand, and the rest of the world outside the strict-region list). Visitors who accept from the European Economic Area, the United Kingdom, Switzerland, or Brazil have no IP address stored against their acceptance record. The acceptance record itself notes which region category applied at the time, so we can distinguish “IP intentionally omitted” from “region unknown” for audit purposes.

Acceptance records are retained for the lifetime of your account plus a defensible audit window after deletion. We do not use them for any purpose beyond proving consent in response to a question from you, a sub-processor, or a regulator.

2.13 Historical session aggregates from Shopify

When a merchant installs Ordinary, we ask Shopify for historical session aggregates from before Ordinary was installed so the merchant's analytics dashboards have a baseline to compare against. This data comes from Shopify directly — not from any pixel or browser tag we control — and contains only aggregate session counts grouped by day and by traffic-source dimensions (landing page, referring channel, referring platform, referring medium, referrer source, and UTM source/medium/campaign), along with bounce rate and average session duration per (day, landing page).

The historical backfill contains no IP addresses and no individual shopper identifiers — only the aggregate dimensional counts above. These rows power the merchant's historical traffic and source attribution views; they cannot be used to identify or contact a specific shopper.

The backfill runs once per merchant at install time and covers the analytics window Shopify makes available to us. Ongoing storefront analytics — everything that happens after install — flows through the pixel described in Section 2.4, not through this Shopify backfill path.

3. How We Use Your Information

We use the collected information to:

• Provide and maintain our services
• Generate reports and analytics
• Improve and optimize our platform
• Communicate with you about updates and support
• Ensure security and prevent fraud
• Comply with legal obligations

4. Data Retention

We retain your data for the following periods:

• Active Account Data: As long as your account is active
• API Request Logs: 30 days
• Storefront Browsing Data: At least 90 days. We retain visit-level browsing data for a minimum of 90 days to support cross-session attribution — the merchant's ability to credit a purchase to the marketing source that originally drove the visit, even when the buyer comes back days later.
• Aggregate Analytics Data: Up to 2 years for trend analysis. Aggregates are derived from browsing data but do not themselves identify individual visitors.
• Deleted/Anonymized Data: Removed from our production systems on receipt of a verified deletion request. Backups roll off on the standard backup retention schedule.

After account deletion or anonymization, we retain only aggregated, non-identifiable data for analytical purposes.

Server-derived conversion data. For some shoppers — typically those using strict-privacy browsers (Brave, Safari with aggressive tracking protection, iOS content blockers) — the analytics that normally runs in their browser doesn't reach us. For these shoppers' completed orders, we reconstruct a server-side conversion record from the order data Shopify sends us via their standard server-to-server webhook (which is unaffected by browser-side blocking). This reconstructed record is clearly labeled as server-derived in our internal systems and contains no information beyond what the order itself carries. Pre-purchase browse activity (page views, product views) for blocked-browser shoppers is NOT recovered — only the conversion event and its channel attribution. Merchants gain accurate revenue + channel attribution; shoppers gain no additional tracking exposure.

5. Data Security

We implement industry-standard security measures including:

• AES-256-GCM encryption for sensitive data at rest
• TLS/SSL encryption for data in transit
• Secure API authentication (OAuth 2.0)
• Regular security audits and monitoring
• Access controls and role-based permissions

6. Your Rights (GDPR & CCPA)

You have the right to:

• Access: Request a copy of all data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion or anonymization of your data
• Portability: Export your data in a machine-readable format
• Restriction: Limit how we process your data
• Objection: Opt out of certain data processing activities
• Withdrawal: Revoke consent at any time

To exercise these rights, contact us at privacy@tryordinary.com or use the Data Privacy tools in your Settings page.

7. Third-Party Integrations

We integrate with third-party services (Shopify, Meta, Amazon, etc.) that have their own privacy policies. We are not responsible for their privacy practices.

We do not sell your personal information to third parties. The subsections below cover the data we forward to specific ad and analytics platforms on a merchant's behalf.

7.1 Meta Conversions API (CAPI)

When a merchant connects a Meta ad account, Ordinary forwards purchase events from their Shopify store server-to-server to Meta using the Meta Conversions API. This helps restore the ad-platform conversion reporting that iOS privacy changes and ad blockers have eroded for the merchant's own ad accounts.

What we send per purchase event:

• Hashed email address (SHA-256)
• Hashed phone number (SHA-256), when present
• Hashed first name and last name (SHA-256), when present
• Purchase amount and currency
• Event timestamp
• A unique event ID (used by Meta to deduplicate against the browser pixel)

What we do not send:

• Raw (unhashed) personally identifiable information
• Payment card, bank, or any other financial account data
• IP addresses beyond those Meta already observes from its own pixel

Purpose: Improving ad-platform conversion reporting for the merchant's own ad accounts. Forwarded events are written only to the merchant's Meta ad account — not pooled, not shared with other merchants, not used to train models on our side.

Retention: Events are forwarded in real time. We do not keep a long-term store of the hashed identifiers beyond our standard operational audit logs (which themselves roll off on the schedule in Section 4).

Merchant opt-out: Merchants can disable the integration at any time in Settings → Integrations → Meta. Disabling immediately halts event forwarding.

End-customer opt-out: Individual customers of our merchants can request deletion via the process described on our Data Deletion page . When Shopify fires a customers/redact webhook for a given customer, we stop forwarding that customer's events to Meta and remove their identifiers from our pipeline.

7.2 Google Ads

When a merchant connects a Google Ads account, Ordinary reads campaign performance data (spend, impressions, clicks, conversions) for reporting. This is read-only — Ordinary does not currently forward any purchase events, customer data, or conversions to Google. Server-side conversion forwarding (Google Enhanced Conversions) is planned but not yet active; this page and our Sub-Processors list will be updated before any such forwarding begins. The integration can be disabled at any time in Settings → Integrations → Google.

7.3 Sub-processors

Ordinary uses the following sub-processors to provide our services. Each is bound by a written contract that requires GDPR-equivalent data protection. All process data in the United States or Canada and rely on either the EU−US Data Privacy Framework or Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland.

We do not currently offer EU data residency. Customer data from European visitors is processed in the United States under the adequacy mechanisms above. We will notify merchants of any changes to this list at least 30 days before they take effect. For questions about a specific sub-processor, contact privacy@tryordinary.com.

8. Cookies, localStorage, and Similar Tracking Technologies

We use cookies, localStorage, and similar storage technologies for:

• Authentication and session management (dashboard cookies)
• User preferences (dashboard cookies)
• Analytics and performance monitoring
• Marketing-site analytics cookies (tryordinary.com only):
  • A first-party visitor-identifier cookie with ~2-year retention. Not set for visitors in the EU/EEA, UK, Switzerland, or Brazil (see Section 2.6).
  • A short-lived session cookie with a 30-minute sliding window, used to group page views into analytics sessions. Not set for strict-region visitors.
• Storefront attribution persistence — the Shopify storefront pixel writes a 90-day localStorage record on the visitor's device containing first-touch and last-touch UTM parameters. This is what lets us attribute a purchase to the marketing source that originally drove the visit, even when the buyer comes back later. This persistence is gated by the visitor's analytics-consent state as exposed by Shopify's consent API; when analytics consent is declined, no long-lived record is written.

You can control cookies and clear localStorage through your browser settings. Note that disabling these may reduce attribution accuracy in the merchant's analytics but does not affect the storefront's shopping or checkout functionality — or your ability to read tryordinary.com.

9. International Data Transfers

Ordinary's primary infrastructure is located in the United States, with Shopify integration data flowing through Shopify's Canadian platform. We do not currently offer EU data residency.

For data originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU−US Data Privacy Framework (where the receiving sub-processor is certified) and on Standard Contractual Clauses (where it is not). Both mechanisms provide GDPR-equivalent safeguards as recognized by the European Commission.

Section 7.3 lists each sub-processor and the country in which it processes data. We do not transfer data to jurisdictions for which neither an adequacy decision nor an alternative transfer mechanism applies.

10. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the application. Continued use of our services after changes constitutes acceptance.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: