TrackPanda ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Shopify application.
Information We Collect
1. Store Information
When you install TrackPanda, we collect:
Store domain and contact information
Order data (amounts, products, quantities)
Product and variant information including cost of goods
Store currency and exchange rates
2. Meta (Facebook) Integration
When you connect your Meta account, we collect:
Ad account information and access tokens
Campaign, ad set, and ad performance data
Ad spend and metrics information
2a. Meta Conversions API (CAPI)
When you enable the Conversions API feature, TrackPanda sends purchase event data directly to Meta's servers on your behalf. This is a server-side complement to Meta's browser-side pixel and is designed to improve ad attribution accuracy.
What we send to Meta:
Always sent (pseudonymous identifiers): A hashed version of the Shopify order ID (external_id), the Meta browser ID cookie (_fbp), and the Meta click ID (fbc) derived from the customer's landing URL.
Sent only when the customer accepted marketing at checkout: SHA-256 hashed email address, phone number, first name, last name, postcode, and city. These are one-way hashed before leaving our servers and cannot be reversed.
GDPR and data protection:
For customers in the EEA, UK, and Switzerland, we apply Meta's Limited Data Use (LDU) flag automatically. This restricts Meta's downstream processing of the event to ad attribution only and prevents Meta from using the data to build audiences or improve their own products.
Hashed PII (email, phone, name, address) is only transmitted when buyerAcceptsMarketing = true on the Shopify order, indicating the customer explicitly opted in to marketing communications at checkout.
We never store unhashed PII on our servers. PII is read from the Shopify order at send time, hashed in memory, transmitted to Meta, and not persisted.
Roles under GDPR:
You (the merchant) are the data controller for your customers' personal data. You are responsible for ensuring your store's privacy policy discloses this server-side data sharing with Meta.
TrackPanda acts as your data processor — we transmit data solely on your instruction when you enable this feature.
You can disable CAPI at any time in Settings → Meta → Conversions API. Disabling it stops all future transmissions immediately.
3. Google Ads Integration
When you connect your Google Ads account, we access the following Google user data via the Google Ads API:
Google Ads account identifiers (customer IDs and account names)
Campaign, ad group, and ad performance metrics (impressions, clicks, cost/spend, conversions, and conversion values)
Campaign and ad group names, statuses, and IDs
OAuth access tokens and refresh tokens required to maintain the connection
How we use Google Ads data:
To display advertising performance metrics (spend, clicks, impressions, CPC, CPM, CTR) on your dashboard
To calculate return on ad spend (ROAS) and profitability by combining Google Ads spend data with your Shopify order revenue and cost of goods
To attribute specific orders to Google Ads campaigns, ad groups, and individual ads
How we store Google Ads data:
OAuth tokens (access and refresh tokens) are stored securely in our PostgreSQL database, encrypted at rest, and are used solely to authenticate API requests on your behalf
Campaign performance metrics are fetched in real time from the Google Ads API when you load your dashboard — we do not permanently store campaign performance data
Your selected ad account preference is stored in our database to remember your selection between sessions
How we share Google Ads data:
We do not sell, rent, or share your Google Ads data with any third parties
We do not use your Google Ads data for advertising, marketing, or any purpose other than providing you with the TrackPanda analytics service
Google Ads data is only accessible to you (the authenticated store owner) within your TrackPanda dashboard
TrackPanda's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google Ads data to provide and improve the user-facing features that are visible to you in the TrackPanda application.
4. Attribution Data
Our web pixel collects:
UTM parameters from ad clicks (stored client-side)
Order completion events
Ad attribution data linking orders to specific ads
How We Use Your Information
We use the information we collect to:
Calculate profit metrics and return on ad spend (ROAS)
Track which advertisements drive sales
Provide analytics dashboards and reports
Manage your subscription and billing
Communicate with you about the service
Improve and optimize our application
Data Storage and Security
Your data is stored securely in PostgreSQL databases hosted on secure infrastructure. We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.
All data transmission between your store and our servers uses HTTPS encryption. Access tokens for Meta and Google Ads integrations are stored securely and used only to fetch advertising data on your behalf.
Data Sharing and Disclosure
We do not sell your data to third parties.
We may share your information only in the following circumstances:
Service Providers: We use third-party services including Shopify, Meta Graph API, Google Ads API, and hosting providers to operate our service.
Legal Requirements: We may disclose your information if required by law or in response to valid legal requests.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred.
Your Rights (GDPR Compliance)
If you are in the European Economic Area, you have the following rights:
Right to Access: Request a copy of your personal data we hold.
Right to Rectification: Request correction of inaccurate data.
Right to Erasure: Request deletion of your personal data.
Right to Data Portability: Request transfer of your data to another service.
Right to Object: Object to our processing of your data.
To exercise these rights, please contact us or uninstall the app from your Shopify store. When you uninstall TrackPanda, all your data will be deleted within 48 hours.
Data Retention
We retain your data for as long as you use our service. When you uninstall TrackPanda:
Your session data is deleted immediately
All store data, purchases, and settings are permanently deleted within 48 hours
Meta and Google Ads integration tokens are immediately revoked and deleted
You may also request immediate data deletion by contacting us directly.
Cookies and Tracking
Our web pixel uses browser localStorage to temporarily store ad attribution data (ad IDs from UTM parameters). This data is stored client-side on your customers' browsers and is only sent to our servers when a purchase is completed.
We do not use cookies for tracking user behavior across websites.
Third-Party Services
TrackPanda integrates with the following third-party services:
Hosting Provider: For secure data storage and processing
Each of these services has its own privacy policy governing their use of your information.
Children's Privacy
TrackPanda is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child, please contact us immediately.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.
Continued use of TrackPanda after changes constitutes acceptance of the updated Privacy Policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: