Privacy policy
This Privacy Policy explains how Push Capital Ventures Ltd. ("Push Capital Ventures," "we," "us," or "our") collects, uses, shares, and protects personal data processed through our Shopify app Origin UTM Tracking (the "App"). It also describes the rights and choices available to individuals whose data we process and the responsibilities of merchants who install and use the App on their Shopify storefronts.
Privacy and data protection
Origin UTM Tracking is a privacy-first analytics company. We process as little personal data as possible. We never sell or give away private user data.
Your rights
- You may object to the processing of your personal information.
- You may request a copy of the information we hold about you.
- You may request correction of your personal data if it is incorrect or no longer relevant, or ask to restrict the processing of the information.
- You may request the deletion of any information we hold about you. We cannot delete any information that we are required to process by law.
- You may request a transfer of your data to another platform.
To exercise these rights, you can contact us by email at contact@pushcapital.io. If you have a complaint about how we handle your data, we would like to hear from you.
How we get your personal data
We process your personal data when you:
- Communicate with us online
- Use our products/services
- Enter into a collaboration with us
We do not rent, buy, or sell personal information to or from third parties.
Scope of This Policy
This Policy applies to:
- Personal data processed by the App when installed on a merchant’s Shopify store.
- Data we collect from merchants (store owners, staff accounts) who sign up for and configure the App.
- Support, billing, and account communications between merchants and Push Capital Ventures.
This Policy does not cover data collected independently by Shopify or by third-party advertising platforms used by the merchant (e.g., Meta Ads, Google Ads). Those parties have their own privacy notices. Where a merchant connects a third-party advertising account to the App (e.g., Google Ads), this Policy does cover the data we retrieve from that platform on the merchant's behalf; see "Connected advertising accounts (Google Ads)" below.
Details on processing of personal data
When you communicate with us
Whether you're a customer, vendor, or anyone else, we process the personal data you share when you reach out by email, phone, text, or social media. This typically includes your name, contact details, IP address, and any information you provide. All interactions are logged in our customer-support system.
Why we process it
Our legitimate interest (GDPR Art. 6 (1)(f)) is to answer your inquiries and—when needed—retain a record for complaints or legal claims.
How long we keep it
We review these records during our regular GDPR audits and delete them once they're no longer needed—usually within two years, or up to six years where accounting or other legal obligations apply.
You install the Origin UTM Tracking app onto your store
When you install our app, Shopify shares with us the store details needed to create your account (e-mail, store name/URL, contact email, etc.) and information about the orders on your store. We use this information to provide the service
Why we process it
Our legitimate interest (GDPR Art. 6 (1)(b)) is to deliver the features you requested
How long we keep it
We keep order and attribution information while Origin is installed on your store. After you uninstall the app all information is deleted.
You receive marketing content
We may (rarely) send existing customers emails containing a promotional element. The personal data we process is your name and email address. You can opt-out of marketing emails at any time by clicking the unsubscribe link in any such email.
Why we process it
Our legitimate interest (GDPR Art. 6 (1)(b)) is to offer our relevant products and services
How long we keep it
We process the data for as long as we have a customer relationship with you or if the processing is based on your consent until you withdraw it.
Connected advertising accounts (Google Ads)
The App allows merchants to connect their Google Ads account via Google's OAuth authorization flow. Connecting an account is optional and is initiated by the merchant. If a merchant connects their Google Ads account, we access performance data for that merchant's ad campaigns — specifically campaign, ad group, and ad-level metrics such as clicks, impressions, spend, and conversions — through the Google Ads API.
What Google user data we access
The only Google user data we access is Google Ads campaign performance data for the Google Ads account(s) the merchant explicitly authorizes.
How we use it
We use Google Ads data solely to combine it with the first-party order and attribution data collected by the App in order to calculate and display performance analytics to the merchant.
How we store and share it
Google Ads data is stored on our infrastructure and is used only to provide the analytics features described above. We do not sell Google user data, we do not use Google user data for advertising, we do not transfer Google user data to third parties except as necessary to provide features of the App (e.g., our database providers acting as sub-processors), to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.
Limited Use compliance
Origin Attribution's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Merchant controls
Merchants can disconnect their Google Ads account from within the App at any time. Merchants may also revoke the App's access directly from their Google Account security settings. Upon disconnection or uninstall, we stop retrieving new Google Ads data and delete stored Google Ads data in accordance with the retention practices described elsewhere in this Policy.
How long we keep it
We retain Google Ads data while the merchant's subscription is active and their Google Ads account remains connected. When the merchant disconnects the account or uninstalls the App, the associated Google Ads data is deleted.
How we protect Google user data
We protect Google user data using the same security controls described in the "How we protect your data" section below. In summary, Google Ads data retrieved through the Google Ads API is encrypted in transit (TLS) and at rest (AES-256), stored on infrastructure operated by our database sub-processor Supabase, and accessible only to a limited number of authorized personnel whose role requires it. OAuth refresh tokens used to access the Google Ads API on the merchant's behalf are treated as sensitive credentials and are stored in encrypted form. Access to production systems holding Google user data requires multi-factor authentication.
How we protect your data
We take the security of the data we process seriously and have security procedures in place to protect the confidentiality, integrity, and availability of your data, including any Google user data we access on a merchant's behalf.
Encryption
We use encryption to protect your information. All data transmitted between your browser, the App, and our services is encrypted in transit using TLS. Data stored on our infrastructure is encrypted at rest using AES-256.
Infrastructure and sub-processors
Our application data, including any Google user data we access on a merchant's behalf, is stored with Supabase, our primary database sub-processor. Supabase hosts data on Amazon Web Services (AWS) and is SOC 2 Type 2 and HIPAA compliant. Further information about Supabase's security program is available at supabase.com/security.
Access controls
Access to production systems and to stored personal data is restricted to a limited number of authorized personnel whose role requires it. Administrative access requires multi-factor authentication, and access rights are reviewed on a regular basis and revoked promptly when no longer needed. Employees are required to treat customer and user data as confidential.
Operational security
We apply security patches and updates to our systems on an ongoing basis, log access to production environments, and monitor for unauthorized or unusual activity. Backups are encrypted and retained for disaster recovery purposes.
Our role as a data processor
When you use our app on your storefront, we process data from your website visitors on your behalf. Here, you are the controller of such data, and we are a data processor of yours. We comply with the requirements of GDPR Article 28, such as:
- Only carry out processing on your behalf and as per your instructions
- Use sufficient technical and organizational security measures to protect the data we process on your behalf
- Require our employees to treat your data as confidential
- Govern this processing by a Data Processing Addendum (DPA)
- We also engage other (sub)processors as per your general written authorization and will inform you of any intended changes regarding such (sub)processors to object to such changes, should you not agree to them.
Minimal data processing
We process the minimal amount of personal data possible for our app to function. This is (only) the IP address and User-Agent of visitors. This is in line with GDPR; Article 5(1)(c).
IP address and User-Agent are considered personal data under GDPR. The lawful basis for processing is usually consent or legitimate interest. Since the IP address is provided by the internet service provider and not by the user's terminal equipment, we do not consider such information to constitute "information stored in the terminal equipment". IP addresses provided in that manner are therefore outside the scope of Article 5 (3), and the consent requirement will not apply under the ePrivacy Directive (Directive 2009/136/EC). In addition, User-Agent is not accessed from terminal equipment, it is sent to us by your browser, and it's impossible for us not to receive it.
How to contact us
If you have any questions regarding this Privacy Policy please get in touch: