← Pixel Proof

Pixel Proof — Privacy Policy

Last updated: 2026-06-28

Pixel Proof ("Pixel Proof", "we", "us") is a Shopify app that audits the server-side conversion tracking a merchant already runs. It does not install tracking on your storefront and is designed to be structurally unable to read raw customer data. This policy explains exactly what we access, why, how long we keep it, and your rights.

1. Who we are

Pixel Proof is operated as an independent Shopify application. For privacy questions or data-subject requests, contact: privacy@pixelproof.syncerp.work.

2. What Pixel Proof accesses

Shopify Admin API scope

• read_products — catalog metadata only, used to anchor an audit to your store. We do not request read_orders or read_customers, and we never read orders, customers, or checkouts.

Your conversion-event sample

When you connect a tracking source (Meta Conversions API / GA4 Measurement Protocol mirror / server-side GTM, as those integrations become available), Pixel Proof ingests a sample of the conversion events you already send. At the source-adapter boundary, every event is immediately reduced to:

• the event_id (used only to match a client event to its server copy),
• the source (client vs server),
• the event name,
• and a boolean ("present" / "not present") for each already-hashed match key (email, phone, fbp, fbc, IP, user-agent, external ID).

Raw email addresses, phone numbers, and IP addresses never enter the application. The audit engine only ever sees booleans and counts. This is the design that keeps Pixel Proof at Protected Customer Data (PCD) Level 2 — we handle the boolean presence of hashed customer identifiers, never raw PII.

Operational data

• Your Shopify offline access token, stored encrypted at rest with AES-256-GCM.
• Your shop domain, billing/subscription status, and plan.
• Aggregate audit results per run: dedup %, server-side hit ratio, per-key coverage %, health score, and the generated findings. Never a per-customer row.

3. What Pixel Proof never accesses or stores

• Raw customer emails, phone numbers, or IP addresses.
• Orders, customers, carts, or checkout data.
• Any payment information.
• Nothing is injected into or read from your storefront theme.

4. How we use data

• To compute your tracking-health score and findings, and to chart your history over time.
• To run scheduled re-audits and regression alerts (Pro + Monitoring).
• To operate billing through Shopify's managed billing.
• We do not sell data, share it for advertising, or use it to train models.

5. Sub-processors

• Hosting / database / cache — our application server (syncerp.work infrastructure), PostgreSQL, and Redis, used to run the app and store the aggregate data above.
• Anthropic — Pixel Proof's audit engine is deterministic and does not call any LLM in its current scoring. (The chassis includes an Anthropic SDK dependency, but the tracking audit does not send your data to it. If a future feature uses an LLM, this policy will be updated and the data sent will be disclosed before launch.)
• Meta / Google — only when *you* connect those as event sources, and only to read the metrics needed to grade your setup; that access is governed by their own review (Meta App Review) and your authorization.

We do not transfer data to any other third party.

6. Data retention

• Aggregate audit data and operational records are retained while the app is installed.
• On app uninstall we mark your shop inactive and stop processing.
• On a Shopify shop/redact request (≈48 hours after uninstall) we cascade-delete all of your data — shop record, audit runs, findings, billing, tokens, and job logs.
• Because we hold no raw customer PII, a customers/redact or customers/data_request is answered truthfully: there is no raw customer data to return or delete.

7. Your rights (GDPR / CCPA and similar)

You may request access to, correction of, or deletion of the data we hold about your shop, and you may object to or restrict processing. Because we store only shop-level aggregates and no raw customer identifiers, most requests are satisfied by uninstalling (which triggers deletion) or by emailing us. EU/UK merchants may also lodge a complaint with their supervisory authority.

To exercise any right, email privacy@pixelproof.syncerp.work.

8. Security

• Access tokens encrypted at rest (AES-256-GCM).
• TLS in transit.
• Least-privilege scope (read_products only) and a hashed-presence boundary that keeps raw PII out of the app by construction.

9. Honesty about what the score is

Pixel Proof's health score is a diagnostic of your existing tracking. It is not a guarantee of recovered conversions, a specific Event Match Quality number from Meta, or a specific ROAS outcome. The Event Match Quality figure we show is a proxy estimated from hashed-key presence.

10. Changes

We will update this policy as the app evolves (e.g., when live event-source integrations or any new processing launch) and revise the "Last updated" date above.

11. Contact

privacy@pixelproof.syncerp.work