Privacy Policy

Last updated: May 2, 2026

For end-customers of stores using Ordinary

If you visited a Shopify store that uses Ordinary, this policy describes Ordinary's overall practices. The merchant whose store you visited is the data Controller for your data; their privacy policy is the primary reference for how your data is used. To delete your data, see our Data Deletion page or contact the merchant directly through their store.

1. Introduction

Ordinary ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application and services.

We are compliant with GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) standards.

2. Information We Collect

2.1 Information from Third-Party Services

When you connect your accounts, we collect:

  • Shopify: Order data, customer information, product data, store settings
  • Meta (Facebook/Instagram): Ad campaign data, ad account information, performance metrics
  • Amazon: Sales data, advertising metrics, product information
  • Analytics Providers: Session data, page views, user behavior (Google Analytics 4, PostHog)
  • ShipBob: Inventory levels, fulfillment data

2.2 Information You Provide

  • Account registration information (name, email, organization)
  • API credentials and access tokens
  • Configuration preferences
  • Custom notes and tags

2.3 Automatically Collected Information

Applies only to merchant users who log into the Ordinary dashboard. End-customer visitors of merchant storefronts have their data captured via the pixel as described in Section 2.4 — IP addresses are not stored against individual storefront events.

  • Log data (IP address, browser type, timestamps) for dashboard sessions
  • Usage analytics (features used, session duration)
  • Device information

2.4 Storefront Pixel Data

Ordinary's Shopify Web Pixel runs on participating merchants' storefronts (only stores that have installed the Ordinary app). The pixel does NOT run on the Ordinary dashboard or anywhere outside a participating merchant's storefront. It captures the following on each merchant's behalf, as that merchant's data Processor:

Pseudonymous browsing data (every event):

  • A pseudonymous client_id (set by Shopify, not a name or email)
  • A pseudonymous browser UUID (random v4 identifier, written to your device's localStorage by Ordinary's storefront extension; lasts up to 90 days)
  • Page URL, document referrer, device type, user agent
  • UTM parameters and Facebook click identifiers (fbclid + campaign/adset/ad ids)
  • Approximate location at city level (country, region, city, latitude, longitude) derived from the IP address of the visit. The raw IP address is read at the network edge and used only to derive the city-level location; the raw IP is not stored against the event record
  • Event timestamp

Event types captured: page view, product view, collection view, search, cart view, add-to-cart, remove-from-cart, checkout started, checkout contact info, checkout address info, checkout shipping info, payment info submitted, checkout completed, plus storefront alert and UI extension error events.

Identifiers captured at checkout (associated with the client_id only after the buyer types them into the checkout form, including checkouts the buyer abandons before completing):

  • Email address, phone number (raw, as supplied by the buyer)
  • Billing and shipping address country, province, postal code, city
  • Marketing consent flags (email and SMS) and SMS marketing phone
  • Cart and checkout line items: product/variant IDs, SKUs, quantities, prices, line totals, currency
  • Discount codes applied and their values
  • Cart attributes (custom key/value pairs the merchant has configured)
  • Order ID and Shopify customer ID (only on checkout completion)

Diagnostic data (used to surface storefront issues to the merchant):

  • Storefront alert messages and values (e.g. "item out of stock", "payment declined")
  • UI extension error messages and stack traces
  • Search queries entered into the storefront search box

Local persistence on the buyer's device:

  • A 90-day localStorage record of first-touch and last-touch UTM parameters, used to associate later purchases with their original marketing source.
  • A session-storage referrer record (lasts only for the current browsing session).

Local persistence is gated by the buyer's consent state as exposed by Shopify's analytics-consent API. When analytics consent is declined, the pixel falls back to a session-only attribution record that is lost when the tab closes.

Pixel data is associated with a pseudonymous client_id and joined to identifying data (email, phone) only at the checkout step. Browsing activity that never reaches checkout remains pseudonymous.

2.5 Region-aware identity stitching

When a buyer reaches checkout on more than one device — for example, browsing on mobile and completing the purchase on desktop — Ordinary can link those two devices together using a one-way SHA-256 hash of the buyer's checkout email. This linkage lets the merchant's attribution reports treat the buyer's journey as a single customer journey rather than two unrelated visitor sessions. It is this linkage — and only this linkage — that turns Ordinary's otherwise pseudonymous browser identifiers into associated personal data within the merchant's analytics.

To respect the consent-based privacy regimes of certain jurisdictions, Ordinary applies a region-aware default to this linkage. When the IP-derived approximate location of a visit is in the European Economic Area, the United Kingdom, Switzerland, or Brazil, Ordinary does NOT write the email-hash linkage row. Visitors from these regions still have visit-to-order attribution within the same browser via the pseudonymous Bridge UUID — but the cross-device email-hash bridge is not written, so a buyer who switches between mobile and desktop appears to the merchant as two distinct visitor sessions.

For visitors in the United States (including California), Canada, Australia, New Zealand, and the rest of the world, the cross-device email-hash linkage is written by default, on the merchant's instruction and in reliance on the merchant's privacy-policy disclosure. CCPA and CPRA (California's privacy regime) regulate the sale and sharing of personal information with third parties, not first-party linkage of pseudonymous identifiers to a merchant's own customer record.

The pseudonymous Bridge UUID is a random identifier written to the visitor's storefront localStorage. It is not derived from any personal data and is treated as pseudonymous under GDPR Article 4(1) until and unless it is linked to identifying data — which, in strict regions, Ordinary does not do.

2.6 Marketing website (tryordinary.com) analytics

When you visit tryordinary.com — our public marketing site — Ordinary captures basic web analytics to understand which pages get traffic, where visitors come from, and what content is engaging. This analytics surface is separate from anything that runs on a merchant's Shopify storefront and is not connected to the merchant or end-customer data described in 2.4 and 2.5 above.

What we collect on tryordinary.com:

  • Pageview events (URL, page title, document referrer)
  • Click events on buttons, calls-to-action, and navigation links (the visible link text and the destination URL)
  • Form submission events (form name and submit action only; not field contents)
  • Approximate location at city level (country, region, city), derived from the IP address of your visit at our network edge. The raw IP address is not stored against the event record.
  • UTM parameters and ad-platform click identifiers (gclid, fbclid, msclkid, and similar) when present in the URL you arrived on
  • Browser type and device class (derived from the User-Agent header)
  • Session boundaries (a session is closed after 30 minutes of inactivity)

We forward these events to Google Analytics 4 for reporting. Google receives only the data described above; no merchant data, no end-customer storefront data, no payment information.

Region-aware consent posture for tryordinary.com:

For visitors whose IP-derived location is in the European Economic Area, the United Kingdom, Switzerland, or Brazil, we apply a cookie-less anonymous mode:

  • We do not set a persistent visitor cookie
  • The visitor's identifier is derived from a daily-rotating SHA-256 hash of IP and User-Agent. The same visitor receives a stable identifier within a single day; the hash rotates at UTC midnight, making cross-day correlation impossible
  • We set non_personalized_ads: true on every event from these regions, disabling Google's ad personalization

For visitors in other regions (United States including California, Canada, Australia, New Zealand, and the rest of the world), a first-party cookie (_oct) is set on tryordinary.com with a randomly generated visitor identifier, persisting up to 2 years, and a short-lived session cookie (_oct_s) tracks the current session window. CCPA and CPRA regulate the sale and sharing of personal information with third parties, not first-party analytics cookies on a domain you are visiting directly.

You can clear or block these cookies through your browser settings at any time. Doing so does not affect functionality on the site.

3. How We Use Your Information

We use the collected information to:

  • Provide and maintain our services
  • Generate reports and analytics
  • Improve and optimize our platform
  • Communicate with you about updates and support
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Data Retention

We retain your data for the following periods:

  • Active Account Data: As long as your account is active
  • API Request Logs: 30 days
  • Analytics Data: Up to 2 years for trend analysis
  • Deleted/Anonymized Data: Immediately upon deletion/anonymization request

After account deletion or anonymization, we retain only aggregated, non-identifiable data for analytical purposes.

5. Data Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for sensitive data at rest
  • TLS/SSL encryption for data in transit
  • Secure API authentication (OAuth 2.0)
  • Regular security audits and monitoring
  • Access controls and role-based permissions

6. Your Rights (GDPR & CCPA)

You have the right to:

  • Access: Request a copy of all data we hold about you
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion or anonymization of your data
  • Portability: Export your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Opt out of certain data processing activities
  • Withdrawal: Revoke consent at any time

To exercise these rights, contact us at privacy@tryordinary.com or use the Data Privacy tools in your Settings page.

7. Third-Party Integrations

We integrate with third-party services (Shopify, Meta, Amazon, etc.) that have their own privacy policies. We are not responsible for their privacy practices.

We do not sell your personal information to third parties. The subsections below cover the data we forward to specific ad and analytics platforms on a merchant's behalf.

7.1 Meta Conversions API (CAPI)

When a merchant connects a Meta ad account, Ordinary forwards purchase events from their Shopify store server-to-server to Meta using the Meta Conversions API. This helps restore the ad-platform conversion reporting that iOS privacy changes and ad blockers have eroded for the merchant's own ad accounts.

What we send per purchase event:

  • Hashed email address (SHA-256)
  • Hashed phone number (SHA-256), when present
  • Hashed first name and last name (SHA-256), when present
  • Purchase amount and currency
  • Event timestamp
  • A unique event ID (used by Meta to deduplicate against the browser pixel)

What we do not send:

  • Raw (unhashed) personally identifiable information
  • Payment card, bank, or any other financial account data
  • IP addresses beyond those Meta already observes from its own pixel

Purpose: Improving ad-platform conversion reporting for the merchant's own ad accounts. Forwarded events are written only to the merchant's Meta ad account — not pooled, not shared with other merchants, not used to train models on our side.

Retention: Events are forwarded in real time. We do not keep a long-term store of the hashed identifiers beyond our standard operational audit logs (which themselves roll off on the schedule in Section 4).

Merchant opt-out: Merchants can disable the integration at any time in Settings → Integrations → Meta. Disabling immediately halts event forwarding.

End-customer opt-out: Individual customers of our merchants can request deletion via the process described on our Data Deletion page . When Shopify fires a customers/redact webhook for a given customer, we stop forwarding that customer's events to Meta and remove their identifiers from our pipeline.

7.2 Google Enhanced Conversions

When a merchant connects a Google Ads account, Ordinary forwards purchase events to Google using Enhanced Conversions. As with Meta, we send hashed email and phone (SHA-256), purchase amount, currency, and timestamp. No raw PII and no payment data are transmitted. The integration can be disabled at any time in Settings → Integrations → Google.

8. Cookies, localStorage, and Similar Tracking Technologies

We use cookies, localStorage, and similar storage technologies for:

  • Authentication and session management (dashboard cookies)
  • User preferences (dashboard cookies)
  • Analytics and performance monitoring
  • Marketing-site analytics cookies (tryordinary.com only):
    • _oct — first-party visitor identifier on tryordinary.com, ~2-year retention. Not set for visitors in the EU/EEA, UK, Switzerland, or Brazil (see Section 2.6).
    • _oct_s — short-lived session cookie, 30-minute sliding window. Used to group page views into analytics sessions. Not set for strict-region visitors.
  • Storefront attribution persistence — the Shopify storefront pixel writes a 90-day localStorage record on the visitor's device containing first-touch and last-touch UTM parameters. This is what lets us attribute a purchase to the marketing source that originally drove the visit, even when the buyer comes back later. This persistence is gated by the visitor's analytics-consent state as exposed by Shopify's consent API; when analytics consent is declined, no long-lived record is written.

You can control cookies and clear localStorage through your browser settings. Note that disabling these may reduce attribution accuracy in the merchant's analytics but does not affect the storefront's shopping or checkout functionality — or your ability to read tryordinary.com.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with GDPR standards.

10. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the application. Continued use of our services after changes constitutes acceptance.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Ordinary

Email: privacy@tryordinary.com

Support: support@tryordinary.com