Privacy Policy

Last updated: April 17, 2026

1. What Data We Collect

Cazy AB collects the minimum data required to operate A/B experiments on your Shopify store:

  • Shop data: your store's myshopify.com domain, billing plan, and installed theme ID.
  • Experiment data: the experiments, variants, and goals you configure inside the App.
  • Anonymous visitor events: page views, product views, add-to-carts, and checkout completions. Each event is associated with an anonymous visitor ID (a UUID), not a name, email, or any personally identifiable information.
  • Order revenue data: order totals and product IDs from Shopify order webhooks, used only for revenue attribution within experiments.

2. How We Use Your Data

All data collected is used solely to operate the App — to assign visitors to experiment variants, calculate experiment results, and display analytics to you in the dashboard. We do not sell, share, or use your data for advertising purposes.

3. Shopify Data Access

Cazy AB requests the following Shopify API scopes: read_products, write_products, read_orders, read_customers, write_cart_transforms, write_discounts, write_delivery_customizations, read_themes, write_shipping. These scopes are used to read product and order data for experiment targeting and revenue attribution, and to apply price/shipping modifications for applicable experiment types.

4. Anonymous Visitor Data (ClickHouse)

Visitor events are stored in a ClickHouse database hosted on a private server. Events are keyed by an anonymous visitor ID — a UUID generated client-side and stored in a first-party cookie named _cazy_vid on the merchant's domain. This cookie does not contain any personally identifiable information. Event data is automatically deleted after 13 months.

5. Data Retention

Visitor event data is retained for 13 months and then automatically purged. Experiment configuration data (variants, goals, results) is retained for as long as your store has the App installed. When you uninstall the App, all store data is deleted within 48 hours in response to the shop/redact Shopify GDPR webhook.

6. Third-Party Services

Cazy AB uses the following third-party services to operate:

  • Supabase — hosted PostgreSQL database for app state (experiments, billing, sessions). Supabase is GDPR-compliant and hosted in the EU by default.
  • Google Gemini — AI model used for hypothesis generation, results analysis, and experiment simulation. Only experiment configuration data (type, variants, goals) is sent to Gemini. No visitor data or PII is transmitted.

7. Your Rights

If you are a Shopify merchant, you may request deletion of all data associated with your store by uninstalling the App. Shopify will automatically trigger the shop/redact webhook and all your data will be deleted within 48 hours.

With respect to customer data (your store's shoppers), Cazy AB processes only anonymous visitor IDs and does not store customer names, emails, or payment information. There is no customer PII to export or delete.

8. Contact

For privacy questions or data requests, contact us at hello@cazyweb.com.