Privacy Policy

Last updated: April 16, 2026

This Privacy Policy describes how Detectly, a product operated by EcomTuc (“we”, “us”, or “our”), collects, uses, and discloses information when merchants install the Detectly app on their Shopify store and when end customers interact with stores that have Detectly installed.

This is a starter template prepared for the app's Shopify App Store submission and Protected Customer Data (PCD) review. It should be reviewed by qualified legal counsel and customized to your actual data practices before publishing.

1. Who we are

Detectly is a Shopify embedded application providing UTM attribution and marketing ROI analytics to Shopify merchants, developed and operated by EcomTuc. Contact: hello@getdetectly.com.

2. Information we collect

2.1 From merchants (Shopify stores)

  • Shop domain, shop name, contact email, timezone, currency.
  • OAuth access token to call Shopify Admin APIs on the merchant's behalf.
  • App configuration and settings chosen by the merchant.

2.2 From the Shopify Admin API

  • Orders, line items, and order-level metadata (amounts, currency, financial status, created/updated timestamps).
  • Customer identifiers and contact details associated with an order, solely where required to attribute that order to a marketing touch (“Protected Customer Data”).
  • Products and collections, for display in the merchant's dashboard.

2.3 From end-customer sessions (via the theme app extension)

  • UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term), referrer, landing page, and platform click IDs (e.g. fbclid, gclid).
  • A first-party visitor identifier stored in the browser to stitch multiple sessions by the same visitor.
  • IP address and user agent at the time of page load or event.

3. How we use information

  • Provide and operate the Detectly service to the merchant.
  • Attribute orders to marketing campaigns, sources, and channels.
  • Compute aggregate analytics: revenue, ROAS, journey statistics, customer segments.
  • (With merchant configuration) tag customers in Shopify or write attribution data back to order metafields.
  • Diagnose issues, secure the service, and prevent abuse.

4. Legal basis for processing (EEA/UK)

  • Contract: processing necessary to deliver the app to the merchant under our Terms of Service.
  • Legitimate interest: securing the service, preventing fraud, aggregate product analytics.
  • Consent: where required and signaled by Shopify's Customer Privacy API or the merchant's cookie banner.

5. Data sharing

We do not sell personal information. We share data only with sub-processors necessary to deliver the service:

  • Cloud hosting & database: our infrastructure provider.
  • Error monitoring & logging.
  • Transactional email provider (support replies).
  • Meta Platforms, Inc. — only when the merchant explicitly connects Meta Ads for spend import and/or Conversions API.

A current list of sub-processors is available on request at hello@getdetectly.com.

6. International transfers

Data may be processed in the United States or the European Union. Where personal data is transferred out of the EEA/UK, we rely on the European Commission's Standard Contractual Clauses.

7. Retention

  • Order & attribution data: retained for as long as the merchant has the app installed, plus up to 30 days after uninstall to allow re-installation, after which it is deleted.
  • Customer data is deleted within 30 days of a verified customers/redact webhook or shop uninstall.
  • Visitor-level UTM events are retained for up to 365 days (or the merchant's configured attribution window, whichever is shorter).
  • Operational logs: up to 90 days.

8. Security

  • All data is encrypted in transit (TLS) and at rest.
  • Access tokens and credentials are encrypted using industry-standard symmetric encryption.
  • Access to production systems is restricted, logged, and protected by strong authentication.
  • Production and staging environments are separated; backups are encrypted.
  • We maintain an incident response plan and review it regularly.

9. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to its processing. Customers of merchants using Detectly should first contact the merchant; you may also reach us directly at hello@getdetectly.com.

Detectly honors Shopify's customers/data_request, customers/redact, and shop/redact compliance webhooks.

10. Automated decision-making

Detectly does not perform automated decision-making that produces legal or similarly significant effects on individuals.

11. Children

Detectly is a B2B tool for merchants and is not directed at children under 13.

12. Changes to this policy

We may update this policy from time to time. We will update the “Last updated” date above and, for material changes, notify merchants via email or in-app notice.

13. Contact

Questions? Email hello@getdetectly.com.