Privacy Policy

Last updated: March 7, 2026

GDPR & CCPA Compliant

Full compliance with EU, UK, and California data protection laws

EU-Hosted

Primary infrastructure in Germany (Hetzner); data stored and processed in the EU by default

Privacy by Design

IP addresses hashed at ingestion, PII hashed before ad platform transmission

No Data Selling

We never sell personal data. Period.

1. Introduction

North Star Metric ("we", "our", or "us") provides server-side analytics and attribution services for e-commerce merchants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

2. Our Role: Processor vs. Controller

We operate in two distinct roles depending on the context:

Data Controller

We are the data controller for personal data of visitors to our own website (northstarmetric.io), registered merchant account holders, and prospective customers. This Privacy Policy governs that processing.

Data Processor

We act as a data processor for personal data of consumers and shoppers processed on behalf of merchants through our tracking and attribution services. Merchants are the data controllers and are responsible for providing required notices to their shoppers and obtaining any required consents. This processing is governed by our Data Processing Agreement.

This Privacy Policy does not apply to personal data that we process solely on behalf of merchants as a data processor. For information about how a merchant handles your data, please refer to that merchant's own privacy policy.

3. Data We Collect

3.1 Merchant Account Data (Controller)

  • Account information (email address, store name, Shopify store URL)
  • Billing information (processed securely via Stripe and Shopify)
  • Dashboard usage data (pages viewed, features used)
  • Communication preferences

3.2 Store Visitor Data (Processor)

When visitors browse stores using our service, we collect the following on behalf of the merchant:

  • Browser and device attributes — Non-reversible hashes derived from browser characteristics including canvas rendering, WebGL capabilities, audio context, installed fonts, screen resolution, timezone, language, and hardware specifications. These hashes cannot identify a person directly.
  • Session data — Pages viewed, time on site, referrer URL, landing page
  • Marketing attribution data — UTM parameters, click identifiers (gclid, fbclid, ttclid)
  • IP address — Reduced to its CIDR network prefix and hashed at the point of ingestion. We do not store raw IP addresses.
  • Shopify order data — Received via Shopify webhooks when a purchase is made, including order value, line items, and hashed customer identifiers (email, phone)
  • First-party identifiers — Pseudonymous visitor IDs assigned by our platform, stored in the visitor's browser (localStorage) with a 180-day rotation

3.3 How We Identify Browsers and Devices

We use technical signals collected from the browser to associate multiple page views and sessions with a common visitor profile. This association uses pseudonymous identifiers and does not create directly identifiable profiles unless the merchant provides identifying information (such as an order with a customer email). The resulting profiles are accessible only to the relevant merchant and are never shared across merchant accounts.

Events are processed on servers operated by North Star Metric on behalf of the merchant. This server-side processing occurs independently of client-side browser settings or ad-blocking tools.
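Added example, not North Star Metric's code: what "hashed at CIDR-level at ingestion" (sections 3.2 and 10) looks like in practice, and the check a practitioner should run on it. The policy does not state the prefix length or whether the hash is keyed; this example assumes a /24 prefix for IPv4, a /48 for IPv6, and a server-side secret key, all of which are assumptions. The point it demonstrates: an unkeyed SHA-256 of a /24 prefix is not non-reversible, because there are only 2**24 possible inputs and anyone can enumerate them; an HMAC under a secret that never leaves the ingestion server closes that gap, and rotating the key unlinks hashes across rotation periods.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Prefix lengths are assumptions for this example; the policy only says "CIDR-level".
IPV4_PREFIX_BITS = 24
IPV6_PREFIX_BITS = 48


def cidr_prefix(ip: str) -> str:
    """Reduce an address to the network it belongs to, e.g. '203.0.113.0/24'."""
    addr = ipaddress.ip_address(ip)
    bits = IPV4_PREFIX_BITS if addr.version == 4 else IPV6_PREFIX_BITS
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def unkeyed_prefix_hash(ip: str) -> str:
    """Plain SHA-256 of the prefix: deterministic, but the input space is tiny."""
    return hashlib.sha256(cidr_prefix(ip).encode()).hexdigest()


def keyed_prefix_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 of the prefix under a server-side secret (assumed; not stated in the policy).

    Without the key an attacker cannot build the candidate table below, and rotating the
    key means hashes from different periods cannot be joined.
    """
    return hmac.new(key, cidr_prefix(ip).encode(), hashlib.sha256).hexdigest()


def recover_ipv4_prefix(target_hash: str, first_octet: int) -> Optional[str]:
    """Dictionary attack on an unkeyed /24 hash.

    The entire IPv4 /24 space is 2**24 prefixes, which a laptop hashes in well under a
    minute. To keep the demo instant this walks only the 65,536 prefixes under one first
    octet; an attacker would loop over all 256.
    """
    for b in range(256):
        for c in range(256):
            candidate = f"{first_octet}.{b}.{c}.0/{IPV4_PREFIX_BITS}"
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    key = b"rotate-me-monthly"   # constructed demo key; load from a secret store in practice
    visitor = "203.0.113.45"     # constructed test address (TEST-NET-3 documentation range)
    print(cidr_prefix(visitor))
    print(recover_ipv4_prefix(unkeyed_prefix_hash(visitor), 203))   # prefix recovered
    print(recover_ipv4_prefix(keyed_prefix_hash(visitor, key), 203))  # None
```

The recovery function only needs the hash and public knowledge of the scheme; it works against any "hashed IP" column that was produced without a key, which is why a keyed hash is the variant that actually earns the "raw IPs never stored" guarantee.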

What We DON'T Collect

  • Raw IP addresses (hashed at ingestion)
  • Credit card or payment information (handled by Shopify/Stripe)
  • Passwords or login credentials of store visitors
  • Sensitive personal data (health, religion, race, sexual orientation)
  • Data from children under 16

4. Shopify Integration

Our service integrates with Shopify in the following ways:

  • Shopify Web Pixel — Installed automatically when a merchant connects our app. Captures page views, add-to-cart events, and checkout events within Shopify's sandboxed pixel environment.
  • Shopify Webhooks — We receive order creation events containing customer name (hashed), email (hashed), phone (hashed), shipping address (country/region only), order value, and line items. This data is used for attribution matching.
  • Shopify OAuth — Used to authenticate merchants and install the app. We store the access token securely and use it only for the scopes granted by the merchant.

Shopify's own privacy policy and data governance apply to data within the Shopify platform. Our access is limited to what Shopify's API grants based on the merchant's approved scopes.

5. Legal Basis for Processing (GDPR)

Processing Activity                      Legal Basis
Providing the service to merchants       Contract performance (Art. 6(1)(b))
Fraud prevention and bot detection       Legitimate interest (Art. 6(1)(f))
Device fingerprinting for attribution    Consent (via merchant's CMP) or legitimate interest
Processing billing and payments          Contract performance (Art. 6(1)(b))
Responding to legal requests             Legal obligation (Art. 6(1)(c))

Merchants are the data controllers for their store visitor data and are responsible for obtaining appropriate consent from their visitors through their cookie consent management platform (CMP). Our tracking script integrates with common CMPs and respects consent signals.

6. Data Retention

Data Type                        Retention Period
Device fingerprint hashes        30 days
Session events and page views    30 days
Attribution click events         30 days
Identity resolution profiles     Duration of subscription + 60 days
Order and conversion data        Duration of subscription + 60 days
Aggregated analytics             36 months
Merchant account data            Duration of service + 60 days
Billing records                  7 years (legal/financial obligation)

Data is automatically deleted after the retention period expires using database TTL policies. Upon termination of a merchant's subscription, all personal data is deleted within 60 days unless legally required to retain it.

7. Third-Party Data Sharing

We do not sell personal data to any third party. We share data only in the following circumstances:

7.1 Advertising Platforms (Merchant-Initiated)

When a merchant explicitly connects an advertising platform through our Integrations page, we transmit hashed identifiers and conversion events to that platform on the merchant's behalf. This transmission occurs under the merchant's instructions and is governed by the merchant's relationship with those platforms.

  • Meta (Facebook) — via the Conversions API (CAPI). Hashed email, hashed phone, and order value for ad optimization.
  • Google Ads — via Enhanced Conversions. Hashed customer identifiers and conversion value.
  • TikTok — via the TikTok Events API. Hashed identifiers and conversion events.

No data is shared with these platforms unless the merchant activates the integration. All personally identifiable information is hashed (SHA-256) before transmission.
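Added example, not North Star Metric's code: the SHA-256 hashing of email and phone before transmission to ad platforms described here and in section 10. Two things the one-line statement leaves out matter to a practitioner. First, the platform can only match a hash against its own users if both sides normalized the value identically before hashing; the rules below (trim and lowercase the email, digits only with country code and no leading zeros for the phone) are the ones Meta documents for its `em` and `ph` fields, and the other platforms publish equivalents. Second, because the hash must be deterministic and unkeyed for that matching to work, it is pseudonymization rather than anonymization: anyone holding a list of candidate emails can hash the list and match, which `lookup_email` shows. The sample identifiers are constructed.

```python
import hashlib
import re
from typing import Dict, Iterable, Optional


def normalize_email(email: str) -> str:
    """Trim surrounding whitespace and lowercase (Meta's documented `em` normalization)."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Digits only, country code included, no '+', spaces, punctuation or leading zeros
    (Meta's documented `ph` normalization). Input is assumed to carry a country code."""
    digits = re.sub(r"\D", "", phone)
    return digits.lstrip("0")


def hash_identifier(value: str) -> str:
    """Lowercase hex SHA-256 of the UTF-8 bytes, which is what the platforms expect."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hashed_user_data(email: str, phone: str) -> Dict[str, str]:
    """The identifier block attached to a conversion event. Normalize, then hash."""
    return {
        "em": hash_identifier(normalize_email(email)),
        "ph": hash_identifier(normalize_phone(phone)),
    }


def lookup_email(target_hash: str, candidate_emails: Iterable[str]) -> Optional[str]:
    """Reverse a hashed email by dictionary: the same computation the ad platform performs
    to match, available to anyone with a candidate list."""
    for candidate in candidate_emails:
        normalized = normalize_email(candidate)
        if hash_identifier(normalized) == target_hash:
            return normalized
    return None


if __name__ == "__main__":
    # Constructed shopper record as it might arrive from an order webhook.
    raw_email, raw_phone = "  Shopper@Example.COM ", "+1 (415) 555-0101"
    print(hashed_user_data(raw_email, raw_phone))
    # Hashing without normalization yields a value the platform will never match:
    print(hash_identifier(raw_email) == hashed_user_data(raw_email, raw_phone)["em"])  # False
    # Constructed candidate list standing in for a leaked mailing list:
    print(lookup_email(hashed_user_data(raw_email, raw_phone)["em"],
                       ["a@example.com", "Shopper@Example.com"]))
```

The practical consequence of the second point is that a hashed email still falls under the merchant's controller obligations and the processor terms; it is not data that has left the scope of the policy because it was hashed.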

7.2 Service Providers (Sub-Processors)

We use the following service providers to operate our platform. A complete list is maintained in our Data Processing Agreement.

  • Hetzner Online GmbH — Cloud infrastructure (Germany, EU)
  • Supabase Inc. — Authentication and merchant configuration (EU region)
  • Cloudflare, Inc. — CDN and DDoS protection (SCCs in place)
  • Stripe, Inc. — Payment processing (SCCs in place)

7.3 Data Isolation

Attribution data is never shared across merchant accounts. Each merchant can only access data from their own store(s). We do not build cross-merchant profiles.

8. Your Rights

8.1 Under GDPR (EU/UK Residents)

  • Right to Access — Request a copy of your data
  • Right to Erasure — Request deletion of your data
  • Right to Portability — Receive your data in a portable format
  • Right to Restrict — Limit how we process your data

You also have the right to object to processing based on legitimate interest, and the right to lodge a complaint with your local supervisory authority.

8.2 Under CCPA/CPRA (California Residents)

California residents have the right to:

  • Know — What personal information we collect and how it is used
  • Delete — Request deletion of your personal information
  • Correct — Request correction of inaccurate personal information
  • Opt-Out — We do not sell personal information, so no opt-out is necessary. We do not use personal information for cross-context behavioral advertising.
  • Non-Discrimination — We will not discriminate against you for exercising your rights

Categories of personal information collected (per CCPA): identifiers, internet activity, geolocation (country-level), and commercial information (order data on behalf of merchants).

8.3 For Store Visitors

If you are a visitor to a store that uses our service, we process your data on behalf of that merchant (as their processor). To exercise your data rights, please contact the store merchant directly. The merchant will instruct us to fulfill your request.

To exercise any of these rights, contact us at privacy@northstarmetric.io. We respond to all requests within 30 days.

9. Opt-Out for Store Visitors

Store visitors can opt out of tracking in several ways:

  • Cookie Banner — Decline cookies/tracking in the store's consent banner. Our tracking script integrates with common CMPs and respects consent signals.
  • Browser Console — Run NSM_optOut() in the browser console to immediately stop tracking and request server-side data deletion
  • Global Privacy Control — We honor GPC signals as an opt-out mechanism
  • Contact the Store — Ask the store merchant to submit a data deletion request through their dashboard

When you opt out, we immediately stop tracking, clear all stored identifiers from your browser, and send a deletion request to our servers. Your data is removed within 72 hours.

10. Data Security

We implement industry-standard security measures including:

  • TLS 1.3 encryption for all data in transit
  • Encrypted storage for sensitive data at rest
  • IP addresses hashed at CIDR-level at the point of ingestion (raw IPs never stored)
  • PII (email, phone) hashed with SHA-256 before transmission to ad platforms
  • SQL injection protection with parameterized queries
  • HMAC verification on all incoming webhooks
  • Per-store authentication keys for tracking endpoints
  • JWT-based authentication with RS256 signatures
  • Rate limiting on all public endpoints
  • Regular security audits and penetration testing
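Added example, not North Star Metric's code: the "HMAC verification on all incoming webhooks" listed above, applied to the Shopify order webhooks described in section 4. Shopify signs each webhook delivery by placing in the `X-Shopify-Hmac-Sha256` header the base64-encoded HMAC-SHA256 of the raw request body, keyed with the app's API secret. The example verifies that header and shows the two ways such checks usually go wrong: comparing with `==` instead of a constant-time compare, and verifying a re-serialized body instead of the exact bytes received (any framework that parses JSON before the check and hands back `json.dumps(...)` of it will fail on whitespace alone). The secret, the order body and the header value are constructed; the header is computed the way Shopify would compute it so the demo runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Constructed demo values. A real app reads the secret from its configuration store.
APP_SECRET = "shpss_demo_secret_not_real"
RAW_BODY = b'{"id":1001,"total_price":"49.90","email":"shopper@example.com"}'


def shopify_signature(secret: str, raw_body: bytes) -> str:
    """What Shopify puts in X-Shopify-Hmac-Sha256 for this body: base64(HMAC-SHA256)."""
    digest = hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_shopify_webhook(secret: str, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison of the received header against the locally computed MAC.

    The comparison runs over the bytes exactly as they arrived on the wire; parsing and
    re-encoding the JSON first changes the bytes and therefore the MAC.
    """
    if not header_value:
        return False
    expected = shopify_signature(secret, raw_body)
    return hmac.compare_digest(expected, header_value)


def handle_order_webhook(secret: str, raw_body: bytes, headers: Mapping[str, str]) -> bool:
    """Verify before parsing; unverified bodies never reach the JSON parser or the database.
    Returns True when the order was accepted for attribution matching."""
    if not verify_shopify_webhook(secret, raw_body, headers.get("X-Shopify-Hmac-Sha256")):
        return False
    order = json.loads(raw_body)
    return isinstance(order.get("id"), int)


def reserialized(raw_body: bytes) -> bytes:
    """The body as a JSON-first framework would hand it back: same data, different bytes."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


# The header a genuine delivery of RAW_BODY would carry.
GENUINE_HEADER = shopify_signature(APP_SECRET, RAW_BODY)


if __name__ == "__main__":
    print(verify_shopify_webhook(APP_SECRET, RAW_BODY, GENUINE_HEADER))                         # True
    print(verify_shopify_webhook(APP_SECRET, RAW_BODY.replace(b"49.90", b"0.01"), GENUINE_HEADER))  # False
    print(verify_shopify_webhook(APP_SECRET, reserialized(RAW_BODY), GENUINE_HEADER))          # False
    print(handle_order_webhook(APP_SECRET, RAW_BODY, {"X-Shopify-Hmac-Sha256": GENUINE_HEADER}))  # True
```

A forged order, a modified order value and a missing header are all rejected before any line item is read, which is the property that lets the attribution data in section 4 be trusted as having come from Shopify.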

11. International Data Transfers

Our primary infrastructure is located in the European Union (Hetzner, Germany). Data is processed and stored within the EU by default.

For sub-processors located outside the EEA (such as Cloudflare and Stripe), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

When merchants activate advertising platform integrations (Meta, Google, TikTok), hashed conversion data is transmitted to those platforms' servers, which may be located outside the EU. This transfer occurs under the merchant's instructions as data controller.

12. Cookies

Our tracking script does not use third-party cookies. We use browser localStorage to store a pseudonymous visitor identifier with a 180-day rotation cycle. localStorage is scoped by the browser to the store's own origin, so the identifier cannot be read by other websites or used to track visitors across them.

Our marketing website (northstarmetric.io) uses essential cookies for functionality. We do not use third-party advertising or analytics cookies on our own website.

13. Contact Us

For privacy-related inquiries:

Privacy Contact

Email: privacy@northstarmetric.io

We aim to respond to all privacy requests within 30 days.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email and by posting the updated policy on this page with a new "Last updated" date. Continued use of the Service after changes constitutes acceptance.