> Source: https://tryordinary.com/privacy/

# Privacy Policy

Last updated: June 9, 2026

## For end-customers of stores using Ordinary

If you visited a Shopify store that uses Ordinary, this policy
describes Ordinary's overall practices. The merchant whose store
you visited is the data Controller for your data; their privacy
policy is the primary reference for how your data is used. To delete
your data, see our [Data Deletion page](/data-deletion)
or contact the merchant directly through their store.

## 1. Introduction

Ordinary is operated by LoudNoises, LLC ("we,"
"our," or "us"), the data controller for the
purposes of this Privacy Policy. We are committed to protecting your
privacy. This Privacy Policy explains how we collect, use, disclose,
and safeguard your information when you use our application and
services.

We are compliant with GDPR (General Data Protection Regulation) and
CCPA (California Consumer Privacy Act) standards.

## 2. Information We Collect

### 2.1 Information from Third-Party Services

When you connect your accounts, we collect:

- **Shopify:** Order data, customer information, product data, store settings, and order shipping address — used to show you revenue and customer cohorts by location
- **Meta (Facebook/Instagram):** Ad campaign data, ad account information, performance metrics, ad creative content (ad copy text, images, videos), audience configurations, and performance broken down by ad placement and demographic. See Section 2.7 for how this data is used.
- **Amazon:** Your Amazon Seller account business data — sales and traffic metrics (ordered sales, units, sessions, page views, conversion rate, Buy Box share), financial data (settlements, fees, refunds, and adjustments), inventory levels, and order records (product, quantity, and price only — no end-buyer names, email addresses, or shipping addresses are collected from Amazon orders) — together with Amazon advertising metrics for your Sponsored Products, Brands, and Display campaigns. Read-only.
- **Google Ads:** Campaign performance data at campaign-, ad-group-, ad-, and keyword-level (spend, impressions, clicks, conversions, conversion value), performance broken down by device, network placement (Search, Display, YouTube, Shopping, Discovery, Performance Max), geographic location, and demographic (age range, gender, parental status, household income range), ad asset content (headlines, descriptions, image and video creatives associated with campaigns and ad groups), configuration history (daily snapshots of campaign and ad-group budget, status, bid strategy, and targeting), ad account metadata, and conversion-event configuration. Orders that arrive at your storefront with a Google click identifier (`gclid`) in the URL are joined to your ad data so you can compare Google-reported conversions against orders your store actually recorded. Read access via the Google Ads API powers this reporting. Beyond that, at your request Ordinary creates ad creative assets and drafts in your connected account from creatives you generate in Ordinary, in a non-serving draft state you review and publish yourself within Google Ads. Ordinary does not edit campaigns, budgets, bids, or targeting, does not serve ads or spend your budget, and does not upload conversions or audiences.
- **Klaviyo:** Campaign and flow performance data (recipients, opens, clicks, unsubscribes, bounces, spam complaints, attributed revenue), campaign and flow metadata (name, send time, trigger type, status). Orders that arrive at your storefront with a Klaviyo click identifier (`_kx`) on the link are joined to your campaign data so you can compare Klaviyo-reported revenue against orders your store actually recorded. Read-only ingest via the Klaviyo API; Ordinary does not send campaigns, edit flows, modify lists, or upload subscribers to Klaviyo.
- **Analytics Providers:** Session data, page views, user behavior (Google Analytics 4, PostHog)
- **ShipBob:** Inventory levels, fulfillment data

### 2.2 Information You Provide

- Account registration information (name, email, organization)
- API credentials and access tokens
- Configuration preferences
- Custom notes and tags

### 2.3 Automatically Collected Information

Applies only to merchant users who log into the Ordinary dashboard.
End-customer visitors of merchant storefronts have their data
captured via the pixel as described in Section 2.4 — IP addresses are
not stored against individual storefront events.

- Log data (IP address, browser type, timestamps) for dashboard sessions
- Usage analytics (features used, session duration)
- Device information

### 2.4 Storefront Pixel Data

Ordinary's Shopify Web Pixel runs on participating merchants'
storefronts (only stores that have installed the Ordinary app). The
pixel does NOT run on the Ordinary dashboard or anywhere outside a
participating merchant's storefront. It captures the following
on each merchant's behalf, as that merchant's data
Processor:

**Pseudonymous browsing data (every event):**

- A pseudonymous client_id (set by Shopify, not a name or email)
- A pseudonymous browser UUID (random v4 identifier, written to your device's localStorage by Ordinary's storefront extension; lasts up to 90 days)
- Page URL, document referrer, device type, user agent
- Operating system family (iOS, Android, macOS, Windows, Linux, ChromeOS, or other), classified from the user agent string. No separate geolocation lookup runs to derive this.
- Visitor classification — whether you are new to the storefront or returning — derived from a small cookieless marker the pixel writes in its own isolated storage on your first visit. The marker is scoped to the pixel itself and is not shared with the rest of the storefront or with any other Ordinary surface; clearing browser data resets it.
- UTM parameters and Facebook click identifiers (fbclid + campaign/adset/ad ids)
- Approximate location at city level (country, region, city, latitude, longitude) derived from the IP address of the visit. The raw IP address is read at the network edge and used only to derive the city-level location; the raw IP is **not** stored against the event record
- Event timestamp

**Event types captured:** page view, product view,
collection view, search, cart view, add-to-cart, remove-from-cart,
checkout started, checkout contact info, checkout address info,
checkout shipping info, payment info submitted, checkout completed,
plus storefront alert and UI extension error events.

**Identifiers captured at checkout** (associated with
the client_id only after the buyer types them into the checkout form,
including checkouts the buyer abandons before completing):

- Email address, phone number (raw, as supplied by the buyer)
- Billing and shipping address country, province, postal code, city
- Marketing consent flags (email and SMS) and SMS marketing phone
- Cart and checkout line items: product/variant IDs, SKUs, quantities, prices, line totals, currency
- Discount codes applied and their values
- Cart attributes (custom key/value pairs the merchant has configured)
- Order ID and Shopify customer ID (only on checkout completion)

**Diagnostic data** (used to surface storefront issues to
the merchant):

- Storefront alert messages and values (e.g. "item out of stock", "payment declined")
- UI extension error messages and stack traces
- Search queries entered into the storefront search box

**Local persistence on the buyer's device:**

- A 90-day localStorage record of first-touch and last-touch UTM parameters, used to associate later purchases with their original marketing source.
- A session-storage referrer record (lasts only for the current browsing session).

Local persistence is gated by the buyer's consent state as
exposed by Shopify's analytics-consent API. When analytics
consent is declined, the pixel falls back to a session-only
attribution record that is lost when the tab closes.

Pixel data is associated with a pseudonymous client_id and joined to
identifying data (email, phone) only at the checkout step. Browsing
activity that never reaches checkout remains pseudonymous.

### 2.5 Region-aware identity stitching

When a buyer reaches checkout on more than one device — for example,
browsing on mobile and completing the purchase on desktop — Ordinary
can link those two devices together using a one-way SHA-256 hash of
the buyer's checkout email. This linkage lets the merchant's
attribution reports treat the buyer's journey as a single
customer journey rather than two unrelated visitor sessions. It is
this linkage — and only this linkage — that turns Ordinary's
otherwise pseudonymous browser identifiers into associated personal
data within the merchant's analytics.

To respect the consent-based privacy regimes of certain jurisdictions,
Ordinary applies a region-aware default to this linkage. When the
IP-derived approximate location of a visit is in the European Economic
Area, the United Kingdom, Switzerland, or Brazil, Ordinary does NOT
write the email-hash linkage row. Visitors from these regions still
have visit-to-order attribution within the same browser via the
pseudonymous Bridge UUID — but the cross-device email-hash bridge is
not written, so a buyer who switches between mobile and desktop
appears to the merchant as two distinct visitor sessions.

For visitors in the United States (including California), Canada,
Australia, New Zealand, and the rest of the world, the cross-device
email-hash linkage is written by default, on the merchant's
instruction and in reliance on the merchant's privacy-policy
disclosure. CCPA and CPRA (California's privacy regime) regulate
the sale and sharing of personal information with third parties, not
first-party linkage of pseudonymous identifiers to a merchant's
own customer record.

The pseudonymous Bridge UUID is a random identifier written to the
visitor's storefront localStorage. It is not derived from any
personal data and is treated as pseudonymous under GDPR Article 4(1)
until and unless it is linked to identifying data — which, in strict
regions, Ordinary does not do.

**Optional first-party network route.** Merchants
may optionally configure first-party CNAME forwarding from a
subdomain of their own domain (e.g. `i.<merchant-domain>`)
to Ordinary's tracking infrastructure. When configured,
storefront pixel events flow through the merchant's own
subdomain before reaching Ordinary; without it, events are sent
directly to Ordinary's domain. The data we receive,
process, and store is identical in either case — only the
network route differs. Ordinary's role as the
merchant's data processor, the categories of data
collected, our retention windows, and the sub-processors who
handle the data (Section 7.3) are all unchanged whether or
not this routing is configured.

### 2.6 Marketing website (tryordinary.com) analytics

When you visit tryordinary.com — our public marketing site
— Ordinary captures basic web analytics to understand which
pages get traffic, where visitors come from, and what content is
engaging. This analytics surface is separate from anything that
runs on a merchant's Shopify storefront and is not connected
to the merchant or end-customer data described in 2.4 and 2.5
above.

**What we collect on tryordinary.com:**

- Pageview events (URL, page title, document referrer)
- Click events on buttons, calls-to-action, and navigation links (the visible link text and the destination URL)
- Form submission events (form name and submit action only; not field contents)
- Approximate location at city level (country, region, city), derived from the IP address of your visit at our network edge. The raw IP address is **not** stored against the event record.
- UTM parameters and ad-platform click identifiers (`gclid`, `fbclid`, `msclkid`, and similar) when present in the URL you arrived on
- Browser type and device class (derived from the User-Agent header)
- Session boundaries (a session is closed after 30 minutes of inactivity)

We forward these events to **Google Analytics 4** for
reporting. Google receives only the data described above; no
merchant data, no end-customer storefront data, no payment
information.

We also use **Google Ads** on tryordinary.com to
measure how well our own advertising performs and to show ads to
people who have previously visited our marketing site
(remarketing). This relates only to how Ordinary markets its own
app — it does not involve any merchant or end-customer
storefront data. It runs through the same Google tag as our
analytics and is governed by the same region-aware consent posture
described below: in strict-region jurisdictions no advertising
cookies are set and you are not added to any remarketing audience
unless you accept.

If you submit a form on tryordinary.com after accepting cookies,
Google's "enhanced conversions" feature may receive
a **hashed, irreversible** version of your email address
to help us measure how well our advertising performs. This applies
only to data you enter on our own marketing site, is never shared in
a form that can be reversed back to your email, and — like all
our advertising tags — is withheld entirely until you accept
advertising cookies.

**Region-aware consent posture for tryordinary.com:**

For visitors whose IP-derived location is in the European Economic
Area, the United Kingdom, Switzerland, or Brazil, we apply a
cookie-less anonymous mode:

- We do **not** set a persistent visitor cookie
- The visitor's identifier is derived from a daily-rotating SHA-256 hash of IP and User-Agent. The same visitor receives a stable identifier within a single day; the hash rotates at UTC midnight, making cross-day correlation impossible
- We set `non_personalized_ads: true` on every event from these regions, disabling Google's ad personalization

For visitors in other regions (United States including California,
Canada, Australia, New Zealand, and the rest of the world), a
first-party analytics cookie is set on tryordinary.com with a
randomly generated visitor identifier, persisting up to 2 years,
alongside a short-lived session cookie that tracks the current
session window. CCPA and CPRA regulate the sale and sharing of
personal information with third parties, not first-party
analytics cookies on a domain you are visiting directly.

**Consent banner for strict-region visitors.**
When tryordinary.com detects a visitor from a strict-region
jurisdiction (the EU/EEA, UK, Switzerland, or Brazil) without
a stored consent choice, we display a small consent banner
asking the visitor to accept or decline our use of analytics
and advertising cookies. Until the visitor accepts, our analytics
and advertising tags run in
Google Consent Mode v2 with all signals denied — events
may still fire as cookieless aggregate pings (which Google can
use for modeling) but no tracking cookies are written.
Declining keeps the tag in this denied state for the full
session. Accepting stores a single record of that choice in
the visitor's browser local storage so the banner does
not reappear on subsequent visits.

You can clear or block these cookies through your browser settings
at any time. Doing so does not affect functionality on the site.

### 2.7 Meta ad campaign data and creative content

When you connect your Meta (Facebook/Instagram) ad account to
Ordinary, we store additional details about your ad campaigns and
creatives so the dashboard can provide deeper analytics across
time. This includes:

- **Ad creative content:** ad copy text (primary text, headlines, descriptions, calls-to-action), the images and videos used in your ads, and the destination URLs they link to
- **Campaign and ad set configuration:** objective, bid strategy, budget, attribution settings, audience targeting configuration (lookalike percentage, interest categories, custom-audience identifiers, age range, geographic targeting summary)
- **Performance metrics broken down by placement** (Feed, Stories, Reels, Audience Network, etc.) and by **demographic** (age range, gender, country at the level Meta exposes — Meta redacts demographic data at small sample sizes for privacy)
- **Pixel configuration diagnostics:** the priority order of conversion events configured on your Meta pixel, used to surface an in-product diagnostic when the priority looks misconfigured for your funnel

**What this data is:** all of the above is your
business's own marketing operations data — campaigns
you configured in Meta Ads Manager, creatives you uploaded,
performance metrics from your own ad accounts. It does NOT
include personal information about end-customers, shoppers, or
users of your storefront. Audience targeting summaries describe
configuration only (e.g. "a lookalike of your existing
customer list"); they do not contain the lists of
individual users themselves — those audiences live
entirely on Meta's side and are never transferred to
Ordinary.

**Where this data lives:** ad creative media
(images and videos) are mirrored to Ordinary's storage
(DigitalOcean Spaces) so the dashboard can serve them quickly
and so historical creatives stay accessible even after Meta
rotates the original CDN URLs. The creative metadata (copy,
targeting summary, configuration history) is stored in
Ordinary's primary database alongside the rest of your
dashboard data.

**How this data is used:** to power deeper
analytics in your dashboard (placement-level performance,
demographic performance, configuration history, an ad-creative
library, conversion-gap analysis between Meta-reported and
store-attributed orders) and to enable AI-driven analysis of
your winning creative angles, copy suggestions, and assistance
with generating new ad concepts. AI-generated drafts are
presented as suggestions for you to review before they are
published; Ordinary does not publish ads to Meta on your behalf
without your explicit action.

You retain ownership of all your ad creative content. You can
disconnect your Meta integration at any time from the dashboard;
on disconnection we stop ingesting new data, and we offer a
deletion request flow (see Section 6) for removing the
historical data we've stored.

### 2.8 Google Analytics 4 data (merchant-connected)

When you connect your Google Analytics 4 property to Ordinary
using your Google account, Ordinary reads your GA4 data on
your behalf and displays it within your Ordinary dashboard
alongside the data we receive from Shopify, Meta, and other
channels you have connected. Connection is initiated by you
from the Ordinary settings page; you select which GA4 property
to connect, and we never read GA4 properties you have not
explicitly chosen.

**What we read:** session counts, user counts,
page views, traffic sources and channel groupings, conversion
and event counts, engagement metrics, and the dimensions you
have configured on your GA4 property. We read this data only
for the property you have selected; we do not enumerate other
properties on your Google account, and we do not access any
other Google services through this connection.

**How we use it:** GA4 metrics are displayed in
your Ordinary dashboards as one of several traffic and
attribution sources. The data drives cross-channel comparisons
between GA4's view of channel performance and what each
ad platform reports, contributes to Ordinary's attribution
calculations that credit orders to the marketing touchpoints
that led to them, and surfaces discrepancy diagnostics where
GA4-reported conversion counts differ from your
Shopify-confirmed orders. We do not write back to Google
Analytics, do not modify your GA4 property in any way, and do
not use GA4 data for advertising or retargeting.

**Where this data lives:** GA4 OAuth refresh
tokens are stored encrypted in Ordinary's primary
database. Aggregated GA4 metrics retrieved by our scheduled
syncs are stored alongside the rest of your dashboard data
and retained per Section 4.

**Compliance with Google API Services User Data Policy:**
Ordinary's use of information received from Google APIs
adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the
Limited Use requirements. Specifically: Google user data is
used only to provide and improve user-facing features that
are visible within Ordinary's dashboard; we do not
transfer Google user data to third parties except as needed
to provide those features (and only to the sub-processors
listed in Section 7.3, each bound by a written data
protection contract), for security and fraud-prevention
purposes, to comply with applicable law, or as part of a
merger or acquisition with prior user notice; we do not allow
humans to read Google user data except with your affirmative
consent for a specific support request, for security and
abuse investigation, to comply with applicable law, or in
aggregated and anonymised form for internal operations; we
do not use Google user data to serve advertisements,
including retargeting, personalised, or interest-based
advertising; we do not use Google user data to train,
develop, fine-tune, or otherwise improve generalised or
personalised AI/ML models, including the AI features inside
Ordinary; we do not sell or transfer Google user data to
data brokers, information resellers, credit bureaus,
lending decision systems, or any party that would use it
for credit-worthiness determination or lending purposes;
and we do not use Google user data to build, populate, or
augment databases for resale.

**OAuth scopes requested:** read-only access
via `https://www.googleapis.com/auth/analytics.readonly` — the only Google scope this integration requests.
Limited to the GA4 property you select during connection.

**Deletion of GA4-derived data:** to delete
Google-account-derived data already stored in Ordinary,
contact **privacy@tryordinary.com** or use the
disconnect flow above (which deletes the OAuth refresh
token immediately; historical aggregated metrics follow
the deletion-request flow in Section 6).

**Revocation:** you can disconnect Google
Analytics from Ordinary at any time from the settings page
in your dashboard, which deletes the OAuth refresh token we
hold. You can also revoke Ordinary's access to your
Google account directly at [myaccount.google.com/permissions](https://myaccount.google.com/permissions)
— this is Google's central revocation page that
works for any application you have authorised. Either path
stops further reads; deletion of the historical aggregated
metrics already stored in Ordinary follows the deletion
request flow described in Section 6.

### 2.9 Google Ads campaign data (merchant-connected)

When you connect your Google Ads account to Ordinary using
your Google account, Ordinary reads your Google Ads data
on your behalf and displays it within your Ordinary
dashboard alongside the data we receive from Shopify, Meta,
GA4, and other channels you have connected. Connection is
initiated by you from the Ordinary settings page; you
select which Google Ads accounts to connect (a Manager
Account or an individual account), and we never read
Google Ads accounts you have not explicitly chosen.

**What we read:** campaign, ad-group, ad, and
keyword performance (spend, impressions, clicks,
conversions, conversion value); performance broken down by
device, network placement (Search, Display, YouTube,
Shopping, Discovery, Performance Max), geographic
location, and demographic (age range, gender, parental
status, household income range); ad asset content
(headlines, descriptions, image and video creatives
associated with campaigns and ad groups); configuration
history (daily snapshots of campaign and ad-group budget,
status, bid strategy, and targeting); ad account
metadata; and conversion-event configuration. We do not
read end-customer-identifying information through this
integration — Google Ads' API does not expose
individual users to advertisers.

**How we use it:** Google Ads metrics are
displayed in your Ordinary dashboards as one of several
traffic and attribution sources. The data drives
cross-channel comparisons between Google Ads' view of
conversion performance and what your store actually
recorded, contributes to Ordinary's attribution
calculations that credit orders to the marketing
touchpoints that led to them, and surfaces discrepancy
diagnostics where Google-reported conversion counts
differ from your Shopify-confirmed orders.
Beyond this reporting, **at your request**
Ordinary creates ad creative assets and drafts in your
connected Google Ads account, using creatives you generate
inside Ordinary. These are created in a non-serving draft
state — Ordinary does not publish them, start or stop
ad serving, or spend your budget; you review and publish
them yourself in Google Ads. Ordinary does not create or
edit campaigns, budgets, bids, or targeting, and does not
upload conversions or audiences.

**Where this data lives:** Google Ads OAuth
refresh tokens are stored encrypted in Ordinary's
primary database. Aggregated Google Ads metrics retrieved
by our scheduled syncs are stored alongside the rest of
your dashboard data and retained per Section 4.

**OAuth scopes requested:** access via `https://www.googleapis.com/auth/adwords`
— the only Google scope this integration requests, and
the only Ads API scope Google offers (there is no read-only
variant). Ordinary uses it to read your reporting data and,
at your request, to create draft ad creatives. Limited to
the Google Ads accounts you select during connection.

**Compliance with Google API Services User Data Policy:**
Ordinary's use of information received from the
Google Ads API adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the
Limited Use requirements. The same Limited-Use rules as
Section 2.8 apply: Google user data is used only to
provide and improve user-facing features that are visible
within Ordinary's dashboard; transferred to third
parties only as needed to deliver those features (and
only to the sub-processors listed in Section 7.3), for
security and fraud prevention, to comply with law, or as
part of a merger or acquisition with prior user notice;
not read by humans except with your affirmative consent
for a specific support request, for security and abuse
investigation, to comply with law, or in aggregated and
anonymised form for internal operations; not used to
serve advertisements (including retargeting, personalised,
or interest-based advertising); not used to train, develop,
fine-tune, or otherwise improve generalised or personalised
AI/ML models, including the AI features inside Ordinary;
not sold or transferred to data brokers, information
resellers, credit bureaus, lending decision systems, or
any party that would use it for credit-worthiness
determination or lending purposes; and not used to build,
populate, or augment databases for resale.

**Revocation:** you can disconnect Google Ads
from Ordinary at any time from the settings page in your
dashboard, which deletes the OAuth refresh token we hold.
You can also revoke Ordinary's access to your Google
account directly at [myaccount.google.com/permissions](https://myaccount.google.com/permissions)
— this is Google's central revocation page that
works for any application you have authorised. Either
path stops further reads; deletion of the historical
aggregated metrics already stored in Ordinary follows the
deletion request flow described in Section 6.

**Deletion of Google-Ads-derived data:** to
delete Google-account-derived data already stored in
Ordinary, contact **privacy@tryordinary.com** or use the disconnect flow above.

### 2.10 Google Search Console data (merchant-connected)

When you connect your Google Search Console account to
Ordinary using your Google account, Ordinary reads your
Search Console data on your behalf and displays it within
your Ordinary dashboard alongside the data we receive from
Shopify, Meta, Google Ads, GA4, and other channels you have
connected. Connection is initiated by you from the Ordinary
settings page; you select which verified sites Ordinary may
read (and we never read Search Console properties you have
not explicitly chosen).

**What we read:** organic search performance for
the verified sites you select — queries (search terms
shown to users on Google Search), impression counts, click
counts, click-through rates, and average ranking position,
per query and per landing page, by day. We do not read
end-customer-identifying information through this
integration — Search Console's API does not
expose individual searchers to site owners.

**How we use it:** Search Console metrics are
displayed in your Ordinary dashboards as the organic-search
source alongside paid channels. The data drives
cross-channel comparisons between organic and paid search
performance, supports a planned unified paid-and-organic
keyword report so you can see which terms you pay for that
you also rank organically for, and contributes to
Ordinary's attribution view of where store traffic
originates. **Read-only ingest only** — Ordinary
does not create properties, verify sites, modify
configuration, submit sitemaps, request indexing, or write
any other data back to Search Console.

**Where this data lives:** Search Console
OAuth refresh tokens are stored encrypted in
Ordinary's primary database. Aggregated Search Console
metrics retrieved by our scheduled syncs are stored
alongside the rest of your dashboard data and retained per
Section 4.

**OAuth scopes requested:** read-only access
via `https://www.googleapis.com/auth/webmasters.readonly` — the only Search Console scope this integration
requests. Limited to the verified sites you select during
connection.

**Compliance with Google API Services User Data Policy:**
Ordinary's use of information received from the Search
Console API adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the
Limited Use requirements. The same Limited-Use rules as
Sections 2.8 and 2.9 apply: Google user data is used only
to provide and improve user-facing features that are
visible within Ordinary's dashboard; transferred to
third parties only as needed to deliver those features
(and only to the sub-processors listed in Section 7.3),
for security and fraud prevention, to comply with law, or
as part of a merger or acquisition with prior user notice;
not read by humans except with your affirmative consent
for a specific support request, for security and abuse
investigation, to comply with law, or in aggregated and
anonymised form for internal operations; not used to
serve advertisements (including retargeting, personalised,
or interest-based advertising); not used to train, develop,
fine-tune, or otherwise improve generalised or personalised
AI/ML models, including the AI features inside Ordinary;
not sold or transferred to data brokers, information
resellers, credit bureaus, lending decision systems, or
any party that would use it for credit-worthiness
determination or lending purposes; and not used to build,
populate, or augment databases for resale.

**Revocation:** you can disconnect Search
Console from Ordinary at any time from the settings page
in your dashboard, which deletes the OAuth refresh token
we hold. You can also revoke Ordinary's access to
your Google account directly at [myaccount.google.com/permissions](https://myaccount.google.com/permissions)
— this is Google's central revocation page that
works for any application you have authorised. Either path
stops further reads; deletion of the historical aggregated
metrics already stored in Ordinary follows the deletion
request flow described in Section 6.

**Deletion of Search-Console-derived data:** to
delete Google-account-derived data already stored in
Ordinary, contact **privacy@tryordinary.com** or use the disconnect flow above.

### 2.11 Account creation when installing from the Shopify App Store

When you install Ordinary directly from the Shopify App
Store, we create your Ordinary user account using the shop
owner's name and email that Shopify shares with us
during the install handshake. We pass that information to
Clerk (our identity-management sub-processor — see
Section 7.3) to mint your account. No password is collected
from you at install: you can set one later from your
account settings or sign in via SSO.

If a Clerk account already exists for that email address,
we attach your Ordinary access to that existing account
rather than creating a duplicate. The data flow is
one-time at install: subsequent dashboard activity, sync
jobs, and webhook deliveries do not re-fetch your
shop-owner identity from Shopify.

If you would prefer to create your account with a
different email address than the one Shopify holds for
your shop owner, you can complete a manual sign-up at **tryordinary.com** instead and then connect
Shopify from inside the dashboard.

### 2.12 Acceptance records for these terms

When you accept this Privacy Policy or our Terms of
Service — at sign-up, when the documents change, or
via in-app prompts — we log a record of that
acceptance so we can demonstrate consent if asked. Each
acceptance record includes which document (Terms or
Privacy Policy), the version of the document you accepted,
the date the document was last revised, the calendar
timestamp of your acceptance, the browser User-Agent
string of the device you accepted from, and a label
describing where the acceptance happened (sign-up,
in-app interstitial when documents changed, settings
page re-acceptance, invite acceptance, or Shopify install
consent).

**Region-aware IP capture.** We record your
IP address with the acceptance record only when you accept
from a region we treat as permissive (the United States
including California, Canada, Australia, New Zealand, and
the rest of the world outside the strict-region list).
Visitors who accept from the European Economic Area, the
United Kingdom, Switzerland, or Brazil have no IP address
stored against their acceptance record. The acceptance
record itself notes which region category applied at the
time, so we can distinguish "IP intentionally
omitted" from "region unknown" for audit
purposes.

Acceptance records are retained for the lifetime of your
account plus a defensible audit window after deletion. We
do not use them for any purpose beyond proving consent in
response to a question from you, a sub-processor, or a
regulator.

### 2.13 Historical session aggregates from Shopify

When a merchant installs Ordinary, we ask Shopify for
historical session aggregates from before Ordinary was
installed so the merchant's analytics dashboards have
a baseline to compare against. This data comes from
Shopify directly — not from any pixel or browser
tag we control — and contains only aggregate
session counts grouped by day and by traffic-source
dimensions (landing page, referring channel, referring
platform, referring medium, referrer source, and UTM
source/medium/campaign), along with bounce rate and
average session duration per (day, landing page).

The historical backfill contains **no IP
addresses** and **no individual shopper
identifiers** — only the aggregate
dimensional counts above. These rows power the
merchant's historical traffic and source attribution
views; they cannot be used to identify or contact a
specific shopper.

The backfill runs once per merchant at install time and
covers the analytics window Shopify makes available to
us. Ongoing storefront analytics — everything that
happens after install — flows through the pixel
described in Section 2.4, not through this Shopify
backfill path.

## 3. How We Use Your Information

We use the collected information to:

- Provide and maintain our services
- Generate reports and analytics
- Improve and optimize our platform
- Communicate with you about updates and support
- Ensure security and prevent fraud
- Comply with legal obligations

## 4. Data Retention

We retain your data for the following periods:

- **Active Account Data:** As long as your account is active
- **API Request Logs:** 30 days
- **Storefront Browsing Data:** At least 90 days. We retain visit-level browsing data for a minimum of 90 days to support cross-session attribution — the merchant's ability to credit a purchase to the marketing source that originally drove the visit, even when the buyer comes back days later.
- **Aggregate Analytics Data:** Up to 2 years for trend analysis. Aggregates are derived from browsing data but do not themselves identify individual visitors.
- **Deleted/Anonymized Data:** Removed from our production systems on receipt of a verified deletion request. Backups roll off on the standard backup retention schedule.

After account deletion or anonymization, we retain only aggregated,
non-identifiable data for analytical purposes.

**Server-derived conversion data.** For some shoppers
— typically those using strict-privacy browsers (Brave, Safari
with aggressive tracking protection, iOS content blockers) — the
analytics that normally runs in their browser doesn't
reach us. For these shoppers' *completed orders*,
we reconstruct a server-side conversion record from the order
data Shopify sends us via their standard server-to-server
webhook (which is unaffected by browser-side blocking). This
reconstructed record is clearly labeled as server-derived in
our internal systems and contains no information beyond what
the order itself carries. Pre-purchase browse activity
(page views, product views) for blocked-browser shoppers is
NOT recovered — only the conversion event and its channel
attribution. Merchants gain accurate revenue + channel
attribution; shoppers gain no additional tracking exposure.

## 5. Data Security

We implement industry-standard security measures including:

- AES-256-GCM encryption for sensitive data at rest
- TLS/SSL encryption for data in transit
- Secure API authentication (OAuth 2.0)
- Regular security audits and monitoring
- Access controls and role-based permissions

## 6. Your Rights (GDPR & CCPA)

You have the right to:

- **Access:** Request a copy of all data we hold about you
- **Rectification:** Correct inaccurate or incomplete data
- **Erasure:** Request deletion or anonymization of your data
- **Portability:** Export your data in a machine-readable format
- **Restriction:** Limit how we process your data
- **Objection:** Opt out of certain data processing activities
- **Withdrawal:** Revoke consent at any time

To exercise these rights, contact us at **privacy@tryordinary.com** or use the Data Privacy tools in your Settings page.

## 7. Third-Party Integrations

We integrate with third-party services (Shopify, Meta, Amazon, etc.)
that have their own privacy policies. We are not responsible for
their privacy practices.

We do not sell your personal information to third parties. The
subsections below cover the data we forward to specific ad and
analytics platforms on a merchant's behalf.

### 7.1 Meta Conversions API (CAPI)

When a merchant connects a Meta ad account, Ordinary forwards
purchase events from their Shopify store server-to-server to Meta
using the Meta Conversions API. This helps restore the ad-platform
conversion reporting that iOS privacy changes and ad blockers have
eroded for the merchant's *own* ad accounts.

**What we send per purchase event:**

- Hashed email address (SHA-256)
- Hashed phone number (SHA-256), when present
- Hashed first name and last name (SHA-256), when present
- Purchase amount and currency
- Event timestamp
- A unique event ID (used by Meta to deduplicate against the browser pixel)

**What we do not send:**

- Raw (unhashed) personally identifiable information
- Payment card, bank, or any other financial account data
- IP addresses beyond those Meta already observes from its own pixel

**Purpose:** Improving ad-platform conversion reporting
for the merchant's own ad accounts. Forwarded events are written
only to the merchant's Meta ad account — not pooled, not shared
with other merchants, not used to train models on our side.

**Retention:** Events are forwarded in real time. We do
not keep a long-term store of the hashed identifiers beyond our
standard operational audit logs (which themselves roll off on the
schedule in Section 4).

**Merchant opt-out:** Merchants can disable the
integration at any time in *Settings → Integrations → Meta*. Disabling immediately halts event forwarding.

**End-customer opt-out:** Individual customers of our
merchants can request deletion via the process described on our [Data Deletion page](/data-deletion). When Shopify fires a `customers/redact` webhook for
a given customer, we stop forwarding that customer's events to
Meta and remove their identifiers from our pipeline.

### 7.2 Google Ads

When a merchant connects a Google Ads account, Ordinary reads
campaign performance data (spend, impressions, clicks, conversions)
for reporting. This is read-only — Ordinary does not currently
forward any purchase events, customer data, or conversions to
Google. Server-side conversion forwarding (Google Enhanced
Conversions) is planned but not yet active; this page and our [Sub-Processors list](/sub-processors)
will be updated before any such forwarding begins. The integration
can be disabled at any time in *Settings → Integrations → Google*.

### 7.3 Sub-processors

Ordinary uses the following sub-processors to provide our services.
Each is bound by a written contract that requires GDPR-equivalent
data protection. All process data in the United States or Canada
and rely on either the EU-US Data Privacy Framework or
Standard Contractual Clauses for transfers from the EEA, UK, and
Switzerland.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Vercel, Inc. | Web application hosting + edge delivery | United States |
| Neon, Inc. | Primary database | United States |
| DigitalOcean, LLC | Background job worker + archival storage + ad creative media storage | United States |
| Clerk, Inc. | Account authentication for merchant operators | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. | Payment processing (Enterprise tier billing) | United States |
| Anthropic PBC | AI services (in-app chat assistant, content tooling) | United States |
| OpenAI, OpCo, LLC | AI services (image generation tooling) | United States |
| Google LLC | AI services (image generation tooling) | United States |
| Google LLC | Google Ads campaign reporting + cross-channel attribution (read-only) | United States |
| Shopify, Inc. | E-commerce platform integration + Shopify Billing | Canada |
| Klaviyo, Inc. | Email + SMS campaign performance reporting (read-only, optional per merchant) | United States |

We do not currently offer EU data residency. Customer data from
European visitors is processed in the United States under the
adequacy mechanisms above. We will notify merchants of any
changes to this list at least 30 days before they take effect.
For questions about a specific sub-processor, contact **privacy@tryordinary.com**.

## 8. Cookies, localStorage, and Similar Tracking Technologies

We use cookies, localStorage, and similar storage technologies for:

- Authentication and session management (dashboard cookies)
- User preferences (dashboard cookies)
- Analytics and performance monitoring
- **Marketing-site analytics cookies (tryordinary.com only):**
  - A first-party visitor-identifier cookie with ~2-year retention. Not set for visitors in the EU/EEA, UK, Switzerland, or Brazil (see Section 2.6).
  - A short-lived session cookie with a 30-minute sliding window, used to group page views into analytics sessions. Not set for strict-region visitors.

- **Storefront attribution persistence** — the Shopify storefront pixel writes a 90-day localStorage record on the visitor's device containing first-touch and last-touch UTM parameters. This is what lets us attribute a purchase to the marketing source that originally drove the visit, even when the buyer comes back later. This persistence is gated by the visitor's analytics-consent state as exposed by Shopify's consent API; when analytics consent is declined, no long-lived record is written.

You can control cookies and clear localStorage through your browser
settings. Note that disabling these may reduce attribution accuracy
in the merchant's analytics but does not affect the
storefront's shopping or checkout functionality — or
your ability to read tryordinary.com.

## 9. International Data Transfers

Ordinary's primary infrastructure is located in the United
States, with Shopify integration data flowing through Shopify's
Canadian platform. We do not currently offer EU data residency.

For data originating in the European Economic Area, the United
Kingdom, or Switzerland, we rely on the EU-US Data Privacy
Framework (where the receiving sub-processor is certified) and on
Standard Contractual Clauses (where it is not). Both mechanisms
provide GDPR-equivalent safeguards as recognized by the European
Commission.

Section 7.3 lists each sub-processor and the country in which it
processes data. We do not transfer data to jurisdictions for which
neither an adequacy decision nor an alternative transfer mechanism
applies.

## 10. Children's Privacy

Our services are not intended for children under 16. We do not
knowingly collect data from children.

## 11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify
you of significant changes via email or through the application.
Continued use of our services after changes constitutes acceptance.

## 12. Contact Us

If you have questions or concerns about this Privacy Policy or our
data practices, please contact us at:

Ordinary

Email: privacy@tryordinary.com

Support: support@tryordinary.com
