Privacy Policy

Last updated: 28.12.2025

1. Introduction

Headless Analytics ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our analytics service for Shopify stores.

2. Information We Collect

2.1 Anonymous Behavioral Data

We collect anonymous behavioral data from store visitors. This data CANNOT be used to identify individual persons and includes:

• Anonymous page view events

• Anonymous conversion events

• Technical metadata (browser type, device type, screen resolution)

• Geographic location (country/region level only)

• Referrer sources and UTM parameters

• Product interaction events (which products were viewed/added to cart)

Data Anonymization:

• Email addresses and IP addresses are cryptographically hashed using SHA-256 (one-way hashing that cannot be reversed)

• We do NOT store email addresses or IP addresses in readable form

• Hashed values are used solely for server-side conversion tracking (Meta CAPI) and cannot be used by us to identify individuals

• We do NOT create user profiles or track individuals across sessions

• All data is aggregated and cannot be linked to specific persons

What This Means:

Because we cannot identify individuals from our data, we cannot fulfill individual data access or deletion requests for store visitors. The data is anonymous by design.

2.2 Store Information

We collect your Shopify store domain, billing information, and subscription details to provide our service.

2.3 Meta CAPI Data Processing (Pro Plan Only)

When you enable Meta Conversions API integration, we process conversion events to send to Meta's servers on your behalf.

Technical Implementation:

• Email addresses are hashed using SHA-256 before transmission

• IP addresses are hashed using SHA-256 before transmission

• We do NOT store unhashed email addresses or IP addresses

• Hashed values cannot be reversed by us to identify individuals

• Meta may be able to match hashed values to their user database, but we cannot

Your Responsibilities:

• You must obtain explicit consent from users before enabling Meta CAPI

• You represent that you have proper legal basis for this data transmission

• You are responsible for compliance with GDPR, CCPA, and Meta's Terms

• We act solely as a technical processor and are not responsible for your consent practices or Meta's data handling

GDPR Note: Transmission to Meta constitutes an international data transfer and third-party data sharing requiring explicit consent (GDPR Article 49).

3. How We Use Your Information

We use the collected information to:

• Provide analytics and insights about your store's performance

• Process billing and manage subscriptions

• Send server-side conversion events to Meta (if enabled)

• Improve our service and develop new features

• Provide customer support

• Comply with legal obligations

4. Data Retention

• Free Plan: Analytics data is retained for up to 180 days

• Pro Plan: Analytics data is retained for up to 720 days

After the retention period, data is automatically and permanently deleted from our systems. We cannot recover deleted data. You can request immediate deletion at any time by contacting support@headless.life.

5. Data Sharing and Disclosure

We do not sell your data. We may share your information with:

• Meta Platforms: Only if you enable Meta CAPI integration (Pro plan)

• Legal Requirements: When required by law or to protect our rights

6. Data Subject Rights

6.1 Rights for Merchants (Our Customers)

If you are a Shopify store owner using our service, you have the following rights under GDPR:

• Access: Request a copy of your account data and analytics

• Rectification: Correct inaccurate account information

• Erasure: Request deletion of your account and all associated data

• Portability: Export your analytics data in a portable format

• Restriction: Limit how we process your account data

• Objection: Object to certain types of processing

To exercise these rights, contact support@headless.life.

6.2 Rights for Store Visitors (End Users)

If you are a visitor to a store using our analytics:

IMPORTANT: We do not collect personally identifiable information about store visitors.

All behavioral data is anonymized and cannot be linked to specific individuals.

Because we cannot identify you from our data, we cannot:

• Provide access to "your" data (it doesn't exist in an identifiable form)

• Delete "your" data (it's already anonymous and aggregated)

• Confirm whether we process data about you specifically (we cannot identify individuals)

For questions about data collection on a specific store, contact the store owner directly. They are the Data Controller.

To prevent tracking: Use browser privacy features, ad blockers, or contact the store owner to request they disable analytics.

7. Legal Basis for Processing and Consent

7.1 Anonymous Analytics (Base Service)

Our base analytics operates on anonymous, aggregated data that cannot identify individuals. Legal basis under GDPR:

• Article 6(1)(f) - Legitimate Interest: Processing anonymous statistical data for the merchant's business purposes

• No consent required because data is truly anonymous (GDPR Recital 26)

• We do not use cookies or create user profiles

Merchant Responsibility:

While consent may not be legally required for anonymous analytics, we recommend transparency. Include a notice in your privacy policy: "This site uses privacy-friendly analytics that do not track individual users."

7.2 Meta CAPI (Optional Feature)

Enabling Meta Conversions API requires explicit consent because:

• It constitutes third-party data sharing (with Meta)

• It's used for advertising purposes, not just statistics

• It involves international data transfer (to Meta's US servers)

Required Legal Basis: Consent (GDPR Article 6(1)(a) and 9(2)(a) if special categories apply)

We strongly recommend implementing a consent management platform (CMP) that:

• Obtains explicit opt-in consent before enabling Meta CAPI

• Allows users to withdraw consent

• Documents consent for compliance purposes

8. Privacy-Focused Architecture

Technical Guarantees:

✓ No cookies stored on visitor devices

✓ No localStorage or sessionStorage usage

✓ No device fingerprinting techniques

✓ No cross-site tracking

✓ No user profiles or identity graphs

✓ Email/IP hashing is one-way (SHA-256, irreversible by us)

✓ Events cannot be linked to specific individuals

✓ All data is aggregated before merchant access

What We DON'T Do:

✗ We don't know who your customers are

✗ We can't see email addresses in readable form

✗ We can't track individuals across sessions

✗ We can't build behavior profiles

✗ We can't identify users from our database

Comparison to Traditional Analytics:

Unlike Google Analytics, Mixpanel, or similar tools, we cannot:

• Show you "User X visited 3 times and bought Product Y"

• Create audience segments based on individual behavior

• Track user journeys across multiple sessions

• Link purchases to specific email addresses

We only show aggregated metrics: "100 conversions from Meta ads this week"

9. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (HTTPS/TLS), encrypted storage, access controls, and regular security audits.

In the event of a data breach affecting personal data, we will:

• Notify relevant supervisory authorities within 72 hours (GDPR Article 33)

• Notify affected merchants promptly so you can fulfill your obligations to notify your customers

• Provide details necessary for you to assess the risk to your customers

10. International Data Transfers

We ensure appropriate safeguards are in place for international data transfers in compliance with GDPR, including:

• Standard Contractual Clauses (SCCs) with third-party processors

• Data Processing Agreements with all service providers

Your data is primarily stored in secure data centers in the EU. Transfers to non-EU regions only occur when necessary for service provision (e.g., Meta CAPI).

10.5 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect and how it's used

• Request deletion of your personal information

• Opt out of the "sale" or "sharing" of personal information (we do not sell data)

• Not be discriminated against for exercising your rights

To exercise these rights, contact support@headless.life. We will respond within 45 days.

Note for Merchants: If you are subject to CCPA, you must provide appropriate privacy notices to your California customers about our analytics tracking.

11. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:

Headless Analytics

Email: support@headless.life

14. Data Controller and Processor Roles

For Merchant Account Data:

• Data Controller: We (Headless Analytics) control merchant account information

• This includes: email, store URL, billing info, subscription status

For Anonymous Behavioral Data:

• Data Controller: You (the Shopify merchant)

• Data Processor: We (Headless Analytics) process on your behalf

• We follow your instructions and provide infrastructure only

Important Distinction:

Because the behavioral data is anonymous, typical GDPR data subject rights (access, deletion, portability) cannot be fulfilled for individual visitors. The data exists only in aggregate form.

Your Obligations as Merchant:

• Provide privacy notice to visitors about anonymous analytics

• Obtain explicit consent if enabling Meta CAPI

• Respond to visitor questions about tracking (explain it's anonymous)

• Implement consent management if required by law

• Include our tracking in your privacy policy

Data Processing Agreement (DPA):

A standard DPA is available upon request for merchants who require it for compliance purposes. Email support@headless.life.

15. Information for Store Visitors

If you visited a Shopify store using Headless Analytics:

What Data We Have:

We have anonymous event data (e.g., "Someone from France viewed Product X").

We CANNOT identify you personally because:

• Your email (if provided to the store) was hashed before we received it

• Your IP address was hashed before we received it

• We have no name, account ID, or other identifying information

• Events are not linked to you as an individual

Can You Request Your Data?

No, because we cannot identify which events are "yours." The data is truly anonymous.

Can You Request Deletion?

There is nothing to delete that is specific to you. All data is already anonymized and aggregated.

How to Prevent Tracking:

• Contact the store owner and ask them to disable analytics

• Use browser privacy features (JavaScript blocking, Privacy Badger, uBlock Origin)

• Use private/incognito browsing mode

• The store owner is responsible for honoring your requests

Questions About a Specific Store's Data Collection:

Contact the store owner directly. They are the Data Controller and responsible for their tracking practices. We only provide technical infrastructure.

16. Technical Data Flow and Anonymization

How Data Moves Through Our System:

Step 1: Event Collection

• Store visitor triggers event (page view, purchase, etc.)

• Our tracking script sends event to our servers

• Email/IP (if present) are immediately hashed via SHA-256

• No readable PII ever touches our servers

Step 2: Storage

• Anonymous events stored with metadata:

- Store ID (which store sent this)

- Event type (page view, conversion, etc.)

- Hashed identifiers (irreversible by us)

- Technical data (browser, device type)

- Timestamp and location (country-level)

• We CANNOT reverse the hash to find the original email/IP

• We CANNOT link events to specific individuals

Step 3: Aggregation

• Data is aggregated for merchant dashboards

• Merchants see: "50 conversions from Meta ads"

• Merchants do NOT see: "john@example.com bought Product X"

• All analytics are aggregate-level only

Step 4: Meta CAPI (if enabled)

• Hashed conversion events sent to Meta

• Meta may match hashes to their user database (we cannot)

• Used for ad optimization on Meta's side

• Merchant must obtain consent for this before enabling

Step 5: Retention and Deletion

• After retention period (180 or 720 days), data is automatically deleted

• Deletion is permanent and cannot be recovered

• No backups retained beyond retention period