Privacy Policy

Last updated: 26 April 2026

This Privacy Policy describes how Elbert Enterprises Corporation ("Elbert Enterprises", "we", "us", or "our") collects, uses, and shares information when you use the FunnelFusion service at https://funnelfusion.io (the "Service"). By using the Service you agree to the terms of this Privacy Policy.

1. Information We Collect

1.1 Account information

When you register, we collect your email address, display name, and a password hash. If you join an existing team via invitation, we also collect the invitation metadata associated with your account.

1.2 Third-party platform data

FunnelFusion integrates with Shopify, Google Ads, Google Merchant Center, and Microsoft Advertising. When you authorise the Service to access these platforms via OAuth, we receive and store:

• Shopify - catalogue data (read_products, read_product_listings, read_inventory, read_locations scopes): store URL, API access token, your product catalogue (titles, descriptions, prices, SKUs, images, variants, vendors, tags, Shopify standard categories, and collection memberships), and inventory availability per location. This data drives the campaign and ad group structure we build on Google and Microsoft on your behalf.
• Shopify - order data (read_orders scope): paid order line items from the date of app installation onwards. We request only the fields needed to compute advertising attribution: order ID, creation date, line item product ID, quantity, and discounted line item total. We do not read or store any customer personal data - customer names, email addresses, phone numbers, shipping addresses, and billing addresses are not requested and not persisted. Order line items are aggregated in-memory into anonymous per-product daily totals (units sold and revenue) and only those aggregates are stored in our database. No raw order rows are retained.
• Google Ads & Google Merchant Center: OAuth access and refresh tokens, linked customer and account identifiers, campaign and ad group structure, product feed membership, and daily performance metrics (impressions, clicks, cost, conversions, conversion value).
• Microsoft Advertising & Microsoft Merchant Center: OAuth access and refresh tokens, linked account identifiers, campaign and ad group structure, product feed membership, and daily performance metrics.

We request only the OAuth scopes required to perform campaign management, catalogue synchronisation, order attribution, and performance reporting. We do not request write access to any Shopify resource. We do not request or store end-customer personal data from any platform.

1.3 Usage data

We collect standard server logs (IP address, user agent, request path, response code, timestamp) to operate, secure, and improve the Service.

1.4 Billing data

Payments are processed by Stripe. We do not see or store your credit card number. Stripe provides us with a customer identifier, subscription status, and billing email for our records.

2. How We Use Your Information

We use the information we collect to:

• Authenticate you and maintain your session.
• Perform the actions you request on third-party platforms - creating and updating advertising campaigns, mirroring your product catalogue, retrieving performance reports.
• Compute per-product sales attribution (units sold and revenue) by matching Shopify order line items to your product catalogue, and display this alongside your ad spend on the dashboard and product detail pages.
• Display dashboards and reports inside the Service.
• Send you transactional emails (invitations, billing notices, security alerts).
• Provide customer support when you contact us.
• Detect and prevent abuse or unauthorised access.

3. How We Share Your Information

We do not sell or rent your information. We share information only with:

• Third-party platforms when you direct us to (e.g. Google Ads API calls are sent to Google; Microsoft Advertising API calls are sent to Microsoft). These are governed by each platform's own terms and privacy policies.
• Infrastructure providers that host and deliver the Service - Amazon Web Services (hosting), Stripe (payments), and email delivery providers. These providers process data on our behalf under written data-processing agreements.
• Legal authorities when required by a valid legal process, or when necessary to protect our rights, safety, or property.

We do not use your data from one platform to infer or generate insights about a different platform, nor do we aggregate or anonymise your data for sale to third parties.

4. Data Retention

We retain data for the periods described below, or for as long as your account is active, whichever is shorter:

• Account and campaign configuration - retained for the life of your account. Deleted within 30 days of account closure.
• Ad-platform performance metrics (impressions, clicks, cost, conversions) - retained on a rolling 90-day basis. Older daily rows are purged automatically.
• Shopify order aggregates (per-product daily units sold and revenue totals) - retained on a rolling 90-day basis. No raw order data is stored; only the anonymous aggregates described in §1.2.
• Shopify OAuth access tokens - revoked and cleared from our database immediately when the Shopify app is uninstalled (via Shopify's app/uninstalled webhook).
• All workspace data on Shopify uninstall - when a merchant uninstalls FunnelFusion from their Shopify admin, the access token is revoked immediately. Shopify then sends us a mandatory shop/redact webhook 48 hours later; on receipt we permanently delete the merchant's entire workspace including all product catalogue data, campaign configuration, performance metrics, and order aggregates.
• Google and Microsoft OAuth tokens - cleared immediately when you disconnect the integration from the Settings page.
• Billing records - retained for 7 years as required for tax and legal compliance, even after account closure.

5. Shopify App - GDPR Compliance

FunnelFusion is a Shopify app and complies with Shopify's mandatory GDPR webhook requirements. We have implemented all three Shopify GDPR webhooks:

• Customer data request (customers/data_request): If a Shopify merchant requests a copy of the data FunnelFusion holds about one of their end customers, we acknowledge the request and confirm that no customer personal data is stored. We aggregate order line items into anonymous product-level daily totals; no customer identifiers, names, addresses, or contact details are retained.
• Customer data erasure (customers/redact): If a Shopify merchant requests erasure of a specific customer's data from FunnelFusion, we acknowledge the request and confirm there is no customer-linked data to erase.
• Shop data erasure (shop/redact): Shopify sends this webhook 48 hours after a merchant uninstalls the app. On receipt, we permanently delete all data associated with that merchant's workspace: product catalogue, vendor records, campaign and ad group configuration, performance metrics, order aggregates, and the workspace record itself. This deletion is irreversible.

These webhooks are HMAC-verified using our Shopify app secret before any action is taken.

6. Security

We use industry-standard encryption for data in transit (TLS 1.2+) and at rest (AES-256 on AWS-managed storage). OAuth tokens are stored encrypted in AWS Secrets Manager or equivalent. Access to production systems is restricted to employees with a legitimate operational need and protected by multi-factor authentication.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Request a copy of the personal data we hold about you.
• Request correction of inaccurate personal data.
• Request deletion of your personal data (subject to retention exceptions above).
• Withdraw consent for processing (by disconnecting platform integrations or closing your account).
• Lodge a complaint with a data protection authority.

To exercise any of these rights, email us at api@elbert-enterprises.com. We respond to all verified requests within 30 days.

Data Processing Agreement (GDPR). If you are established in the European Economic Area, the United Kingdom, or Switzerland, or if your end customers include data subjects in those jurisdictions, a Data Processing Agreement compliant with Article 28 GDPR is available on request by emailing api@elbert-enterprises.com.

8. Revoking Platform Access

You can revoke FunnelFusion's access to any connected platform at any time by:

• Disconnecting the integration from within FunnelFusion's Settings page, which removes our stored OAuth tokens.
• Uninstalling the FunnelFusion app from your Shopify admin (Apps → FunnelFusion → Delete). This revokes our Shopify access token immediately and triggers the 48-hour data-deletion window described in §4.
• Revoking access directly on the platform (Google, Microsoft).

9. Children's Privacy

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children.

10. International Transfers

We operate on AWS infrastructure in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to you via email or an in-app notification at least 14 days before they take effect. The "Last updated" date above always reflects the current version.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, email us at api@elbert-enterprises.com.

Elbert Enterprises Corporation
(business address available on request)