Privacy policy for the Pixel for OpenAI Ads Shopify app

1. Operator and contact

The "Pixel for OpenAI Ads" app is operated by Reach, a service of Inmediato LLC. For any privacy-related inquiries, contact us at alejandro@joinreach.ai.

2. Scope

This policy covers data processed by the Shopify app named "Pixel for OpenAI Ads" (the "App") when installed on a Shopify merchant's store. It does not cover the joinreach.ai marketing website or any other Reach service.

3. What the App accesses from your Shopify store

When you install the App, it accesses the following from your Shopify store via the standard Shopify App APIs:

• Your shop domain (for example, merchantshop.myshopify.com)
• An OAuth session token issued by Shopify, used to authenticate API calls back to your store
• Standard Shopify Customer Events fired on your storefront, namely: page_viewed, product_viewed, product_added_to_cart, checkout_started, and checkout_completed
• For each customer event, the App receives: the product or variant identifiers and titles involved, the cart line items, prices and currency, the timestamp, and the URL of the storefront page where the event occurred

The App does NOT access or collect: customer names, customer email addresses, customer phone numbers, billing or shipping addresses, payment information, or IP addresses. Standard Shopify Customer Events are scoped to behavioral data without personal identifiers.

4. What the App stores

The App stores the following data on its own infrastructure:

• The OpenAI Pixel ID you provide in the App's settings
• The OpenAI Conversions API key you provide in the App's settings
• Shopify session data managed via the standard Shopify app session storage library, used for OAuth and admin API access
• Diagnostic event logs (event type, timestamp, source URL, amount, currency, contents), retained for up to 30 days for debugging and support purposes

5. What the App transmits and to whom

The core purpose of the App is to forward storefront conversion events to OpenAI's Conversions API at https://bzr.openai.com/v1/events.

Each forwarded event includes:

• The event type (one of: page_viewed, contents_viewed, items_added, checkout_started, order_created)
• The event timestamp
• The source URL of the storefront page
• The action source ("web")
• For commerce events: the amount, currency, and contents (product identifiers, names, quantities)

Each request includes your OpenAI Pixel ID in the URL query parameter and your OpenAI Conversions API key as a Bearer authorization header. OpenAI's handling of the data after receipt is governed by OpenAI's own privacy policy at https://openai.com/policies/privacy-policy.

6. Sub-processors

The App relies on the following sub-processors in order to operate:

• Shopify, Inc. — the host commerce platform: https://www.shopify.com/legal/privacy
• OpenAI, L.L.C. — recipient of conversion events: https://openai.com/policies/privacy-policy
• Fly.io — application hosting infrastructure: https://fly.io/legal/privacy-policy
• Cloudflare, Inc. — network edge in front of the App's hosting: https://www.cloudflare.com/privacypolicy/

7. Data retention

• Your Pixel ID and Conversions API key are retained for the lifetime of the App installation on your store. They are deleted within 30 days of you uninstalling the App.
• Diagnostic event logs are retained for up to 30 days, after which they are deleted.
• Shopify session data is managed per Shopify's standard app session lifecycle.

8. Your rights

As a merchant using the App, you have the right to:

• Access: receive a copy of the data we hold about your store. Contact us at alejandro@joinreach.ai.
• Deletion: uninstalling the App from your Shopify admin triggers deletion of your stored credentials within 30 days. For immediate deletion, email us.
• Correction: contact us to correct any data we hold about your store.
• Data portability: contact us to receive a portable copy of your stored configuration.

9. GDPR and other regional regulations

For storefront conversion events that originate from end-customers of your store, you are the data controller and Reach acts as a data processor on your behalf. If you receive a data subject request from an end-customer of your store (for example, a GDPR access or deletion request), you remain responsible for routing and fulfilling that request. We will assist on request.

For your own data as a merchant (your Pixel ID, API key, and configuration), Reach is the data controller.

10. Changes to this policy

Substantive changes to this policy will be communicated to merchants via in-app notification in the Shopify admin and noted on this page. The "Last updated" date at the top of the page reflects the most recent change.

11. Contact

For any privacy-related inquiry, including data access, deletion, correction, or portability requests, contact us at:

alejandro@joinreach.ai

Reach is a service of Inmediato LLC.