We are committed to protecting your privacy and handling your data in an open and transparent manner. Please read this Privacy Policy carefully. By using OrderSource, you agree to the collection and use of information in accordance with this policy.
If you have questions or concerns about this policy, please contact us at support@ordersource.app.
1. Information We Collect
1.1 Information from Shopify Merchants (Our Customers)
When you install and use OrderSource, we collect:
- Account Information: Your Shopify store domain, store ID, and email address for account communication and daily reports
- Preferences: Timezone settings, email notification preferences, and app configuration
- Shopify Session Data: Authentication tokens required to operate the app within Shopify
1.2 Information from Your Store Visitors (End Users)
Through our server-side tracking script installed on your Shopify store, we collect:
- Visitor Identifiers: A randomly generated visitor ID (UUID) stored in the visitor's browser localStorage
- UTM Parameters: utm_source, utm_medium, utm_campaign, utm_content, and utm_term from URL parameters
- Browsing Data: Landing page URL, referring URL (referrer)
- Technical Data: IP address, browser user agent, and cart token (from Shopify cookies)
- Customer Data: Shopify customer ID when a visitor is logged in
1.3 Order Information
When orders are placed in your store, we receive via Shopify webhooks:
- Order Details: Order ID, order number, total price, currency
- Customer Information: Customer email and customer ID
- Attribution Data: Cart token used to match the order to the original visitor session
2. How We Use Your Information
We use the information we collect to:
- Provide Attribution Services: Match orders to marketing campaigns by linking visitor UTM data to completed purchases
- Tag Orders: Add attribution tags to orders in your Shopify admin for easy identification
- Generate Reports: Compile daily email reports summarizing your attributed orders and revenue (if enabled)
- Aggregate Statistics: Create dashboard analytics showing orders and revenue by marketing source and campaign
- Operate the Service: Authenticate your account, process requests, and maintain our infrastructure
- Improve the Service: Analyze usage patterns to enhance features and fix issues
- Communicate: Send service-related notifications and respond to support inquiries
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract Performance: Processing necessary to provide our Service to you as a merchant
- Legitimate Interests: Processing for our legitimate business interests, including improving our Service and preventing fraud, where those interests are not overridden by your data protection rights
- Consent: Where you have given consent for specific processing activities, such as receiving marketing communications
- Legal Obligations: Processing necessary to comply with applicable laws
For store visitor data, Shopify merchants are the data controllers, and OrderSource acts as a data processor. Merchants are responsible for ensuring appropriate legal bases for tracking their store visitors.
4. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Service Providers
We use third-party services to help operate our business:
- Cloud Hosting: To store and process data securely
- Email Services: To send daily reports and notifications
- Analytics: To understand how our Service is used
These providers are contractually obligated to protect your data and use it only for the services they provide to us.
4.2 Shopify
We integrate with Shopify's platform to:
- Authenticate your store and access order data
- Add attribution tags to orders
- Receive order webhook notifications
Data shared with Shopify is governed by Shopify's privacy policy.
4.3 Legal Requirements
We may disclose your information if required by law or if we believe in good faith that such action is necessary to:
- Comply with legal obligations or respond to lawful requests
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
4.4 Business Transfers
If OrderSource is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Retention
We retain your information as follows:
- Visitor Data (Unconverted): Automatically deleted after 90 days if no purchase is made
- Order Data: Retained for the lifetime of your account to provide attribution history and analytics
- Account Data: Retained while your account is active and for a reasonable period thereafter for legal and business purposes
- Aggregated Statistics: Retained indefinitely in anonymized form
When you uninstall OrderSource, we will delete your data within 30 days, except where retention is required by law or for legitimate business purposes.
6. Data Security
We implement appropriate technical and organizational measures to protect your information, including:
- Encrypted data transmission using HTTPS/TLS
- Secure cloud infrastructure with access controls
- Regular security assessments and updates
- Limited employee access to personal data
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
7. Your Rights
7.1 For All Users
You have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your data in a portable format
7.2 For EEA Residents (GDPR Rights)
If you are in the European Economic Area, you also have the right to:
- Restrict Processing: Request restriction of processing in certain circumstances
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent where processing is based on consent
- Lodge a Complaint: File a complaint with your local data protection authority
7.3 For California Residents (CCPA Rights)
If you are a California resident, you have the right to:
- Know: Know what personal information we collect and how it is used
- Delete: Request deletion of your personal information
- Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
- Non-Discrimination: Not be discriminated against for exercising your privacy rights
To exercise any of these rights, please contact us at support@ordersource.app. We will respond to your request within the timeframe required by applicable law.
8. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have data protection laws different from your country.
When we transfer data internationally, we use appropriate safeguards such as:
- Standard contractual clauses approved by relevant authorities
- Data processing agreements with our service providers
- Compliance with applicable data transfer frameworks
9. Cookies and Tracking Technologies
9.1 Our Website
Our marketing website (ordersource.app) may use cookies for:
- Essential functionality
- Analytics to understand visitor behavior
- Remembering your preferences
9.2 Our Tracking Script
The OrderSource tracking script installed on your Shopify store:
- Uses localStorage to store a visitor ID (not a cookie)
- Reads Shopify's cart cookie to enable order matching
- Does not set any additional cookies
We use server-side tracking rather than third-party cookies, which means our attribution works even when browsers block third-party cookies.
10. Children's Privacy
OrderSource is a business-to-business service for Shopify merchants. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child, please contact us immediately at support@ordersource.app.
11. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification for significant changes
Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
13. Data Processing Agreement
For Shopify merchants who require a Data Processing Agreement (DPA) for GDPR compliance, please contact us at support@ordersource.app.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
BondTech
Email: support@ordersource.app
For GDPR-related inquiries, you may also contact our data protection point of contact at the same email address.
15. Summary of Key Points
| What We Collect | How We Use It | How Long We Keep It |
|---|---|---|
| Visitor UTM data | Attribution matching | 90 days (if no purchase) |
| Order information | Attribution and reporting | Account lifetime |
| Merchant email | Daily reports and notifications | Account lifetime |
| Technical data (IP, user agent) | Attribution and security | 90 days (if no purchase) |
Your Data Rights: Access, correct, delete, or export your data by contacting support@ordersource.app.
Security: We use encryption and secure infrastructure to protect your data.
No Data Sales: We never sell your personal information to third parties.