← Ad Pilot

Privacy Policy — Ad Pilot

Last updated: 28 June 2026

Ad Pilot ("the App", "we", "us") is a profit-aware Google Ads analytics app for

Shopify. This policy explains exactly what data the App accesses, how it is used,

how long it is kept, and your rights. It is written to be specific to what this App

actually does — not boilerplate.

---

1. Data controller & contact

The merchant who installs Ad Pilot is the data controller for their store's data;

Ad Pilot acts as a data processor on their behalf for the limited data described

below. Questions about data handling:

support@adpilot.syncerp.work

---

2. Protected Customer Data level

Ad Pilot is classified at Protected Customer Data (PCD) Level 0. It requests

no Shopify access scopes that grant customer or order data — in fact it requests

no Shopify data scopes at all. It cannot read your products, orders, or

customers. There is therefore no customer personal data flowing through the App from

Shopify.

Shopify access scopes requested: *(none)* — only the standard app-install / OAuth

session needed to embed the app in your admin.

We explicitly do not request read_orders, read_customers, read_products,

or any other data scope.

---

3. What data we access and store

| Data | Source | Why | Stored? |

|------|--------|-----|---------|

| Shop domain, shop id, app install/uninstall state | Shopify OAuth | Identify your store, manage your session and subscription | Yes |

| Offline access token (Shopify) | Shopify OAuth | Keep your embedded session valid | Yes — AES-256-GCM encrypted at rest |

| Your Google Ads OAuth token | You connect via Google OAuth | Read your own aggregate ad metrics | Yes — encrypted at rest; read-only Google Ads scope |

| Aggregate Google Ads metrics (spend, conversions, conversion value, impressions, clicks, search terms, budget-lost impression share) | Your connected Google Ads account | Compute break-even, profit, anomalies, waste | Yes — aggregate only, no personal data |

| Economics you type in (average order value, gross margin, per-order variable cost) | You enter them in the app | The basis for every profit calculation | Yes |

| Billing / subscription status | Shopify Billing API | Manage your plan | Yes |

| Webhook event ids + operational logs | Shopify webhooks / app runtime | Idempotency, debugging, abuse prevention | Yes (event ids); logs are short-lived and contain no customer PII |

We do not store any customer names, emails, phone numbers, addresses, payment

details, or order contents — we never receive them.

---

4. How we use the data

• To compute your break-even CPA/ROAS, contribution profit, and POAS.
• To run window-vs-baseline anomaly detection on your aggregate ad metrics.
• To mine zero-conversion search terms into suggested negative keywords.
• To simulate budget changes against your account's real headroom.
• To operate your subscription (Shopify-managed billing).

We do not sell your data, use it for advertising, or share it except with the

sub-processors listed below, strictly to provide the service.

---

5. Sub-processors

• Hosting / infrastructure: the App runs on a dedicated VPS at the

syncerp.work domain (operated by us). Data is stored in a PostgreSQL database

and Redis on that host.

• Google (Google Ads API): to read your own aggregate ad metrics via the OAuth

connection you authorize. Read-only.

• Shopify: for authentication, embedding, webhooks, and managed billing.
• Anthropic (only if/when AI features are enabled): Ad Pilot's core analytics

are pure math and use no AI. If a future optional AI feature (e.g. ad-copy

suggestions) is enabled, only the non-personal text you submit for that feature is

sent to Anthropic under a zero-retention posture; no customer PII is involved.

We do not transfer protected customer data to any sub-processor, because we do not

hold any.

---

6. Data retention & deletion

• Your data is retained while the App is installed.
• On uninstall, Shopify sends an app/uninstalled webhook and we mark your shop

inactive. About 48 hours later Shopify sends a shop/redact webhook, on which we

cascade-delete all rows for your shop (shop record, tokens, economics, ad

accounts, metrics, anomalies, search terms, billing).

• The mandatory customers/data_request and customers/redact webhooks are

answered truthfully: Ad Pilot holds no customer data to return or redact.

• You can request deletion at any time by uninstalling, or by emailing us.

---

7. Your GDPR / privacy rights

Because Ad Pilot holds no customer personal data, the rights below apply to the

merchant account data and economics you provide:

• Access — request a copy of the data we hold about your shop.
• Rectification — correct your economics any time inside the app.
• Erasure — uninstall (automatic deletion) or email us to delete sooner.
• Restriction / objection — email us.
• Portability — request your stored economics + aggregate metrics in a portable

format.

You also have the right to lodge a complaint with your local data-protection

authority.

---

8. Security

Access tokens (Shopify offline token and your Google Ads OAuth token) are encrypted

at rest with AES-256-GCM. Transport is over HTTPS/TLS. Webhooks are HMAC-verified.

Access is least-privilege (PCD Level 0, no data scopes).

---

9. Changes to this policy

We will update this page and the "Last updated" date when our data practices change.

Material changes affecting how your data is handled will be surfaced in-app.