Privacy Policy
Last updated: March 23, 2026
1. Introduction
Prism ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our marketing analytics platform ("Service").
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name
- Company/store name
- Password (stored in encrypted form)
- Billing information (processed by our payment provider)
2.2 Tracking Pixel Data
Our tracking pixel, installed on your e-commerce store, collects data about your website visitors, including:
- Anonymous visitor identifiers (not personally identifiable)
- Page views and navigation paths
- Referral sources and UTM parameters
- Device type and browser information
- Purchase and conversion events
- Timestamps of activities
Note: We do not collect names, email addresses, or other personal information of your website visitors through our pixel. The data collected is used solely for attribution and analytics purposes.
2.3 Integration Data
When you connect third-party services, we may receive:
- Advertising campaign data from Google Ads, Meta Ads, etc.
- Ad spend and performance metrics
- OAuth tokens for authorized access (stored encrypted)
2.4 Usage Data
We automatically collect information about how you use our Service, including pages visited, features used, and actions taken within our dashboard.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain our Service
- Calculate attribution and generate analytics reports
- Process transactions and send related information
- Send you technical notices and support messages
- Respond to your comments, questions, and requests
- Improve and personalize the Service
- Monitor and analyze trends, usage, and activities
- Detect, prevent, and address technical issues and fraud
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following situations:
4.1 Service Providers
We may share information with third-party vendors who perform services on our behalf, such as cloud hosting, payment processing, and analytics.
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities.
4.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
5. Data Retention
We retain your information for as long as your account is active or as needed to provide you with our Service. Specifically:
- Account information: Retained until account deletion
- Tracking pixel data: Retained according to your plan's data retention period
- Analytics and reports: Retained according to your plan's data retention period
You may request deletion of your data by contacting us. Some information may be retained for legal or legitimate business purposes.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Regular security assessments and updates
- Access controls and authentication measures
- Secure cloud infrastructure
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request a copy of the information we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your information
- Export: Request a portable copy of your data
- Objection: Object to certain processing of your information
To exercise these rights, please contact us at the email address below.
8. Cookies and Tracking Technologies
Our Service uses cookies and similar tracking technologies to:
- Maintain your session and preferences
- Analyze usage patterns and improve the Service
- Remember your login status
You can control cookies through your browser settings, but disabling cookies may affect the functionality of our Service.
9. Third-Party Services
Our Service may contain links to or integrations with third-party services (such as Google Ads and Meta). These services have their own privacy policies, and we encourage you to review them. We are not responsible for the privacy practices of third-party services.
10. Children's Privacy
Our Service is not directed to children under 16 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. By using our Service, you consent to such transfers.
12. GDPR Compliance (For Shopify Merchants)
If you are a Shopify merchant using our app, we comply with the General Data Protection Regulation (GDPR) and Shopify's mandatory data protection requirements.
12.1 Data Subject Rights for Your Customers
Your customers (end-users who visit your Shopify store) have the following rights under GDPR:
- Right to Access: Request a copy of their data
- Right to Erasure: Request deletion of their personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Data Portability: Receive their data in a portable format
12.2 GDPR Webhooks
When Shopify receives a GDPR request from one of your customers, we automatically process the following webhooks:
customers/data_request
Triggered when a customer requests access to their data.
- We automatically export all data associated with the customer's orders
- Exported data includes: order details, session data, and survey responses
- Data is provided in CSV format
- Response time: We respond within 30 days as required by GDPR
customers/redact
Triggered 30 days after a customer requests data deletion or when a merchant requests deletion on behalf of a customer.
- We automatically redact personally identifiable information (PII) from URLs in session data
- Customer email, name, and phone numbers are removed from order records
- Survey responses containing customer data are deleted
- Anonymous analytics data (visitor ID, channel attribution) is retained for reporting purposes
shop/redact
Triggered 48 hours after you uninstall the Prism Analytics app from your Shopify store.
- We permanently delete all data associated with your store
- This includes: all orders, sessions, events, ad campaign data, and configuration
- Deletion is permanent and cannot be undone
- You will receive a confirmation once deletion is complete
12.3 Data We Collect from Your Shopify Store
When you install our Shopify app, we collect the following data via webhooks:
- Order information (order ID, value, timestamp, line items)
- Customer information (email, name, phone - only stored temporarily for attribution)
- Discount codes applied to orders
- Store configuration (domain, currency, timezone)
12.4 How to Handle GDPR Requests
As a Shopify merchant, you don't need to take any action. When your customers submit GDPR requests through Shopify, we automatically:
- Receive the webhook notification from Shopify
- Process the request according to GDPR requirements
- Export or redact data as requested
- Log all actions for compliance auditing
If you have questions about a GDPR request, contact us at hello@theprismapp.com.
13. Meta (Facebook) Data Handling
Prism Analytics integrates with Meta Ads to provide advertising attribution and return on ad spend (ROAS) analytics. This section describes how we handle data related to your Meta (Facebook) account.
13.1 Data We Access
When you connect your Meta Ads account, we request the ads_read permission to access campaign, ad set, and ad-level data:
- Campaign, ad set, and ad names and IDs
- Ad spend, impressions, clicks, reach, and outbound clicks
- Platform-reported conversion counts and values
- Video view metrics (3-second views)
- Ad creative content (images, copy text, video thumbnails, landing page URLs)
- Ad account currency and timezone
We do not access, store, or process any personal information about your customers or your Facebook profile. We do not modify any campaigns or ad account settings.
13.2 How OAuth Tokens Are Stored
When you authorize Prism to access your Meta Ads data, we receive an OAuth access token from Meta. This token is encrypted using Google Cloud KMS (Key Management Service) before being stored in our database. The plaintext token is never written to disk or logs.
13.3 Data Deletion
You can request deletion of your Meta-related data in two ways:
- Via our dashboard: Navigate to Settings → Integrations and click "Disconnect" on the Meta Ads card. This immediately deletes your OAuth token and user identity link from our systems.
- Via Facebook: Go to Facebook Settings → Security and Login → Business Integrations and remove Prism Analytics. This triggers an automatic callback that deletes your OAuth token and user identity link.
When data deletion is processed, we remove your OAuth access token and the link between your Facebook account and our system. Campaign and ad analytics data (spend, impressions, clicks, creative content) is retained as it belongs to the business ad account and does not constitute personal user data.
You can check the status of a data deletion request on our Data Deletion Status page.
13.4 Data Retention
OAuth tokens are retained only while your Meta Ads account is connected. Upon disconnection (whether initiated by you or by Meta), tokens are immediately and permanently deleted. Campaign metrics data is retained according to your plan's data retention period.
13.5 Meta's Privacy Policy
For information about how Meta handles your data, please refer to Meta's Privacy Policy.
14. Google Ads Data Handling
Prism Analytics integrates with Google Ads to provide advertising attribution and return on ad spend (ROAS) analytics. This section describes how we handle data related to your Google Ads account.
14.1 Data We Access
When you connect your Google Ads account, we access campaign, ad group, and ad-level data:
- Campaign, ad group, and ad names and IDs
- Ad spend, impressions, and clicks
- Platform-reported conversion counts and values
- Search impression share (for Search campaigns)
- Performance Max asset group metrics
- Ad creative content (responsive search ad descriptions, image URLs, landing page URLs)
- Ad account currency and timezone
We do not access, store, or process any personal information about your customers. We do not modify any campaigns or ad account settings.
14.2 How OAuth Tokens Are Stored
When you authorize Prism to access your Google Ads data, we receive OAuth access and refresh tokens. Both tokens are encrypted using Google Cloud KMS (Key Management Service) before being stored in our database. The plaintext tokens are never written to disk or logs. Access tokens are refreshed automatically as needed.
14.3 Disconnection
You can disconnect your Google Ads account at any time via Settings → Integrations in our dashboard. Disconnection immediately deletes your OAuth tokens (both access and refresh tokens) from our systems. Campaign and ad analytics data is retained as it belongs to the business ad account and does not constitute personal user data.
14.4 Data Retention
OAuth tokens are retained only while your Google Ads account is connected. Upon disconnection, tokens are immediately and permanently deleted. Campaign and ad metrics data is retained according to your plan's data retention period.
14.5 Google's Privacy Policy
For information about how Google handles your data, please refer to Google's Privacy Policy.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have any questions about this Privacy Policy, our data practices, or GDPR requests, please contact us at:
Email: hello@theprismapp.com