Privacy Policy — CRO Audit Pro
Legal notice: This policy is drafted from a template and describes the app's actual data handling. Before publishing, have it reviewed by a lawyer qualified in your jurisdiction. CRO Audit Pro is a small app that processes minimal personal data, so template-based disclosure is sufficient for Shopify App Store review — but jurisdictional variations (GDPR, CCPA, LGPD, PIPEDA) may require additional clauses.
1. Who this policy applies to
CRO Audit Pro is an app installed by Shopify merchants to run conversion-rate-optimization experiments on their storefronts. This policy describes how NeuroConversions LLC (the "app developer", "we", "us") handles personal data belonging to:
- Merchants — Shopify store owners who install and use the app.
- Merchants' customers and storefront visitors — shoppers browsing or purchasing on a merchant's storefront.
We do not have a direct relationship with merchants' customers. We process their data solely on behalf of the merchant under a data-processor role (see §9). Merchants are the data controllers for their customers' data; we are the processor.
2. What data we process
2.1 From merchants directly
When a merchant installs the app, Shopify provides us:
- Shop domain (e.g. example.myshopify.com)
- Shop legal name and address (as stored in Shopify)
- Shop currency and country
- Merchant's email address (only for transactional / support communication)
We store this data in our production database for the lifetime of the installation.
2.2 From merchants' customers — what we DO read
Via the Shopify Admin API and our own storefront web pixel, we read:
- Aggregate order totals and currency (e.g. $150.00 USD) per experiment variant
- Anonymous visitor identifiers (random browser cookie nc_vid, not linked to any Shopify customer ID)
- Experiment exposure events (which experiment and which variant a visitor saw)
- Page-level session counts (via ShopifyQL's sessions table — aggregated visit totals per landing page)
- Device category (mobile / desktop) for statistical segmentation
2.3 From merchants' customers — what we DO NOT read
We explicitly do not read or persist:
- Customer names, email addresses, phone numbers, or billing / shipping addresses
- Payment or credit card data (Shopify handles checkout payment exclusively — we never see card data)
- Individual order contents (line items, SKUs purchased, quantities)
- Shopify customer IDs (except transiently during aggregate ShopifyQL queries that do not return them to us)
- Any identity-linkable data that would enable re-identification of a specific shopper
2.4 Why we ticked PII fields on Shopify's Protected Customer Data form
Shopify's shopifyqlQuery GraphQL field is gated at the field level behind Level 2 Protected Customer Data access. To query the non-PII sessions table (landing page visit counts), we had to tick Level 2 fields (name, email, phone, address) solely to unlock the field. We do not read or persist those fields. Our database schema contains no columns keyed to a customer, order, or visitor identifier — verifiable by auditing our public Prisma schema on request.
3. Why we process this data
- App functionality — running conversion-rate experiments that modify a merchant's storefront and tracking which variant converted.
- Analytics for the merchant — surfacing revenue lift, conversion uplift, and ROI metrics to the merchant in our dashboard.
- Billing the merchant — aggregating per-experiment commission charges via Shopify's App Billing API.
We do not process personal data for:
- Marketing or advertising
- Profiling or personalization of individual shoppers
- Sale to third parties
- Any purpose beyond those listed above
4. Legal bases for processing (GDPR Art. 6)
For data concerning merchants' customers, we act as processor under the merchant's legal basis. Typically this is legitimate interest (Art. 6(1)(f)) for analytics — but merchants are responsible for their own legal basis assessment and for obtaining customer consent where required by jurisdiction.
For data concerning merchants themselves, our legal basis is contract performance (Art. 6(1)(b)) — we process shop-identifying data to provide the service the merchant installed.
5. Customer consent
We honor shopper tracking-consent decisions as follows:
- Web pixel events (conversion tracking at checkout) are gated by Shopify's Customer Privacy API — when a shopper has not granted analytics consent, the event does not fire.
- Storefront experiment-exposure events are gated by the same API — the NC Engine checks Shopify.customerPrivacy.analyticsProcessingAllowed() before dispatching a view event, and fails closed if the API is unavailable.
- Variant rendering (showing a shopper the A or B version of a page) is not consent-gated, because displaying content is not tracking. Only the telemetry events are.
Merchants must independently ensure their storefront exposes a consent mechanism (cookie banner or equivalent) that allows shoppers to revoke analytics consent — we cannot enforce this on behalf of the merchant.
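The gating behaviour described above, as an added illustration rather than the NC Engine's own code: the only Shopify call used is the Customer Privacy API method named in this section; `shopifyGlobal` stands in for window.Shopify so the gate can be exercised offline, and `trackExposure`, `chooseVariant` and `send` are assumed names. It shows the gate passing only when the API is present and reports consent, and failing closed when the API is missing, malformed or throwing, while variant selection stays ungated.

```javascript
// Returns true only when Shopify's Customer Privacy API is present and reports
// that analytics processing is allowed. Any other state (global missing, API
// missing, method missing, method throwing, non-boolean result) is "no consent".
function analyticsAllowed(shopifyGlobal) {
  try {
    const api = shopifyGlobal && shopifyGlobal.customerPrivacy;
    if (!api || typeof api.analyticsProcessingAllowed !== 'function') return false;
    return api.analyticsProcessingAllowed() === true;
  } catch (_err) {
    return false; // fail closed: an erroring API never unlocks tracking
  }
}

// Dispatches an experiment-exposure ("view") event through `send` only if the
// consent gate passes. Returns the event that was sent, or null when suppressed,
// so callers can see exactly what left the browser.
function trackExposure(shopifyGlobal, send, experimentId, variant) {
  if (!analyticsAllowed(shopifyGlobal)) return null;
  const event = { type: 'experiment_view', experimentId, variant, ts: Date.now() };
  send(event);
  return event;
}

// Variant rendering is deliberately NOT gated: choosing which version of the
// page to show is content delivery, not tracking. Assignment is a deterministic
// hash of the anonymous visitor id so the same browser keeps seeing the same
// variant; nothing about the visitor is sent anywhere here.
function chooseVariant(visitorId, variants) {
  let hash = 0;
  for (const ch of String(visitorId)) hash = (hash * 31 + ch.charCodeAt(0)) >>> 0;
  return variants[hash % variants.length];
}

// Constructed stand-ins for window.Shopify in the states the gate must handle.
const consentGranted = { customerPrivacy: { analyticsProcessingAllowed: () => true } };
const consentDenied = { customerPrivacy: { analyticsProcessingAllowed: () => false } };
const apiUnavailable = {}; // e.g. our script ran before Shopify's loaded
const apiBroken = { customerPrivacy: { analyticsProcessingAllowed: () => { throw new Error('boom'); } } };
```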
6. Data retention
| Data category | Retention |
|---|---|
| Shop metadata (shop domain, currency, etc.) | Lifetime of installation |
| Aggregate experiment results (visitor counts, conversion counts, revenue totals, variance totals) | Indefinite — these are fully aggregated and do not identify any individual |
| Raw ExperimentOrder rows (order totals, variant, device, timestamp — no customer link) | 24 months, then purged |
| Shopify session records (OAuth tokens) | Lifetime of installation; deleted immediately on app uninstall via app/uninstalled webhook |
| All shop-scoped data | Deleted within 48 hours of Shopify's shop/redact webhook firing |
When a merchant uninstalls the app:
- Our app/uninstalled webhook fires — we delete the Shopify session token and cancel any in-flight background jobs immediately.
- Shopify's shop/redact webhook fires ~48 hours later — we cascade-delete the Store row and all related data (experiments, hypotheses, subscriptions, aggregate results, audit logs).
Merchants who want their data deleted sooner may email privacy@neuroconversions.com and we will action the deletion within 72 hours.
7. Security of personal data
- Encryption in transit: TLS 1.2+ on every API endpoint, database connection, and third-party integration.
- Encryption at rest: our managed Postgres provider encrypts data at rest by default; backups are also encrypted.
- Environment separation: development, staging, and production each use isolated databases with distinct credentials.
- Least privilege: production credentials are scoped, rotated on suspicion of compromise, and never committed to version control.
- Incident response: we maintain a documented policy describing how we contain, assess, notify, and remediate security events. We notify affected merchants and the relevant supervisory authority within 72 hours of confirmed impact.
We do not claim SOC 2, ISO 27001, or HIPAA compliance. We are a small team; those frameworks are not appropriate at our current scale.
8. Data subject rights (GDPR / CCPA / etc.)
Merchants' customers have the right to:
- Access — receive a copy of the personal data we hold on them.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion.
- Portability — receive data in a machine-readable format.
- Restriction — pause processing pending resolution of a dispute.
- Object — to processing based on legitimate interest.
- Not be subject to automated decision-making with legal or significant effect — we do not use personal data for such decisions.
Shoppers should direct requests to the merchant whose store they interacted with. Merchants can forward customer requests to us by emailing privacy@neuroconversions.com. We act on Shopify's customers/data_request and customers/redact webhooks automatically — though in practice these are no-ops because our schema holds no customer-keyed data.
9. We act as processor, not controller (merchant data)
For merchants' customer data, we process under the merchant's direction and are bound by a Data Processing Addendum (DPA). The merchant is the data controller; we are the processor. This means:
- We only process customer data for the purposes the merchant enabled (running experiments, showing analytics).
- We do not process customer data for our own purposes (no marketing, no profiling, no resale).
- We sub-contract to certain processors (hosting, error monitoring) who are themselves bound by DPAs — see §11.
- We assist the merchant in responding to data subject requests within 30 days.
10. International transfers
Our production infrastructure runs on Google Cloud (Cloud Run + Cloud SQL). The specific region is being finalized for production launch; at time of writing the staging environment runs on Google Cloud and the production region will be documented here once selected. Merchant and customer data may therefore be stored outside the data subject's region. Transfers out of the EEA are protected by Standard Contractual Clauses under the GDPR Article 46(2)(c).
11. Subprocessors
| Processor | Purpose | Data processed |
|---|---|---|
| Google Cloud Run + Cloud SQL | Application hosting and database | All persisted data |
| Sentry | Error and performance monitoring | Stack traces, request metadata (no PII) |
| Resend | Transactional email to merchants | Merchant email address |
| Shopify | Source of merchant and shopper data; payout processor | All data defined in §2 |
Each subprocessor is bound by a DPA or equivalent contract. We update this list when subprocessors change.
12. Changes to this policy
We may update this policy periodically. Material changes will be announced via:
- In-app notification on next merchant login
- Email to the merchant's registered Shopify contact
- An update to the "Last updated" date at the top of this document
Continuing to use the app after a material change constitutes acceptance.
13. How to contact us
- Privacy questions: privacy@neuroconversions.com
- Security reports: security@neuroconversions.com
- Merchant support: support@neuroconversions.com
- Postal address: 1021 East Lincolnway, 9749 Cheyenne, WY 82001, USA
- EU representative (GDPR Art. 27): to be retained before onboarding any EU merchant (NeuroConversions LLC is US-incorporated; an EU-based representative is required to serve EEA data subjects).
- UK representative (UK GDPR): to be retained before onboarding any UK merchant.