This Privacy Notice for PixelRelay (“we,” “us,” or “our”) describes how and why we might access, collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”).
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services.
Summary of Key Points
This summary provides key points from our Privacy Notice. You can find more detail on any topic using the table of contents below.
What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.
Do we process any sensitive personal information? Some information may be considered “special” or “sensitive” in certain jurisdictions — for example, racial or ethnic origin, sexual orientation, or religious beliefs. We do not process this category of sensitive personal information.
Do we collect information from third parties? We may collect information from public databases, marketing partners, social media platforms, and other outside sources.
How do we process your information? We process your information to provide, improve, and administer our Services, to communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so.
In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties.
What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information.
How do you exercise your rights? The easiest way is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.
Table of Contents
- What information do we collect?
- How do we process your information?
- When and with whom do we share your personal information?
- Do we use cookies and other tracking technologies?
- How do we handle your social logins?
- Is your information transferred internationally?
- How long do we keep your information?
- Do we collect information from minors?
- What are your privacy rights?
- Controls for Do-Not-Track features
- Do we make updates to this notice?
- How can you contact us about this notice?
- How can you review, update, or delete the data we collect from you?
- How do we keep your information safe?
1. What Information Do We Collect?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, participate in activities on the Services, or otherwise contact us. All personal information you provide must be true, complete, and accurate, and you must notify us of any changes.
Sensitive information. We do not process sensitive (special category) personal information such as racial or ethnic origin, sexual orientation, or religious beliefs.
Information automatically collected
In Short: Some information — such as your IP address and/or browser and device characteristics — is collected automatically when you visit our Services.
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services. This information is primarily needed to maintain the security and operation of our Services and for our internal analytics and reporting purposes. Like many businesses, we also collect information through cookies and similar technologies.
Google Ads integration data. When merchants connect a Google Ads account, we store their Google Ads Customer ID, Conversion Action IDs, and an encrypted OAuth refresh token. We also process end-customer data — specifically SHA-256 hashed email addresses and Google Click IDs (gclid) from Shopify orders — solely to upload conversion events to the merchant’s own Google Ads account. This end-customer data is transmitted directly to Google and is not retained in our systems after the API call completes.
2. How Do We Process Your Information?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including to provide, improve, and administer our Services, to communicate with you, to maintain security and prevent fraud, and to comply with applicable legal obligations.
3. When and With Whom Do We Share Your Personal Information?
In Short: We may share information in specific situations described in this section and/or with the following third parties.
We may share your personal information in the following situations:
Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this Privacy Notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
3A. How Do We Handle Google User Data?
In Short: We access a merchant’s Google Ads account only to upload conversion events on their behalf and to read the account metadata needed to configure those uploads. We never create, edit, or delete campaigns, audiences, or other Google Ads data.
PixelRelay connects to Google Ads accounts via OAuth 2.0 on behalf of merchants who choose to enable Google Ads conversion tracking. When a merchant authorizes PixelRelay, we request the following OAuth scopes:
https://www.googleapis.com/auth/datamanager— used exclusively to upload first-party conversion events (purchases, add-to-cart, checkout started, product viewed) from the merchant’s Shopify store to their own Google Ads account via the Google Data Manager API (POST https://datamanager.googleapis.com/v1/events:ingest).https://www.googleapis.com/auth/adwords— used only to read the merchant’s own Google Ads account metadata (the list of ad accounts they can access and the names of their existing conversion actions) so the merchant can select the correct conversion destination during setup. The Google Ads API does not offer a read-only scope, so this scope is requested solely for the read access described here. It is never used to create, edit, pause, or delete campaigns, ads, keywords, budgets, audiences, or customer match lists.
What we send to Google on each event:
- The merchant’s Google Ads Customer ID and Conversion Action ID
- The buyer’s Google Click ID (gclid), captured as a first-party Shopify cart attribute when the buyer clicked a Google ad
- A SHA-256 hashed customer email address (for enhanced conversion matching)
- Transaction ID, order value, currency, and event timestamp from the Shopify order
- Consent signals (adUserData, adPersonalization) derived from the merchant’s consent management platform
What we do NOT do with these scopes:
- We do not read, access, modify, or delete any Google Ads campaigns, ad groups, keywords, audiences, customer match lists, or analytics data.
- We do not access any Google account data beyond the merchant’s own Google Ads conversion destinations and the account metadata described above.
- We do not share or sell any Google user data to third parties.
How we store Google credentials:
The OAuth refresh token issued during authorization is stored encrypted at rest using strong, industry-standard encryption. The merchant’s Google Ads Customer ID and Conversion Action IDs are stored as plaintext configuration values. No other Google account data is stored. Short-lived access tokens are held in memory only for their validity period (typically one hour) and are never written to disk.
Retention and deletion:
Google credentials are retained only for as long as the merchant maintains an active Google Ads connection in PixelRelay. When a merchant disconnects Google Ads — either from the PixelRelay app dashboard or by revoking access at myaccount.google.com/permissions — all stored credentials (refresh token, Customer ID, and all Conversion Action IDs) are immediately and permanently deleted from our database.
Your controls:
- Disconnect Google Ads at any time from the PixelRelay app dashboard (Settings → Connections → Google Ads → Disconnect).
- Revoke PixelRelay’s access directly at myaccount.google.com/permissions.
- Request deletion of all your data by contacting [email protected].
PixelRelay’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4. Do We Use Cookies and Other Tracking Technologies?
In Short: We may use cookies and other tracking technologies to collect and store your information.
We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services, prevent crashes, fix bugs, save your preferences, and assist with basic site functions. We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences). These third parties and service providers use their technology to provide advertising about products and services tailored to your interests, which may appear either on our Services or on other websites. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.
5. How Do We Handle Your Social Logins?
In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.
Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook or X logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public. We will use the information we receive only for the purposes described in this Privacy Notice or otherwise made clear to you on the relevant Services. We do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information.
6. Is Your Information Transferred Internationally?
In Short: We may transfer, store, and process your information in countries other than your own.
Please be aware that your information may be transferred to, stored by, and processed by us and the third parties with whom we share your personal information (see “When and With Whom Do We Share Your Personal Information?” above) in countries other than your own. If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, these countries may not necessarily have data protection laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.
7. How Long Do We Keep Your Information?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Google Ads credentials (OAuth refresh token, Customer ID, and Conversion Action IDs) are retained only while a merchant maintains an active Google Ads connection. Upon disconnection, all Google credentials are deleted from our active database immediately. End-customer data processed for Google Ads conversion uploads (hashed email, gclid) is not stored in our systems — it is transmitted to Google in real time and then discarded.
8. Do We Collect Information From Minors?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18, or that you are the parent or guardian of such a minor and consent to the minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].
9. What Are Your Privacy Rights?
In Short: You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.
Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us using the contact details provided in Section 12 (“How Can You Contact Us About This Notice?”). However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, where applicable law allows, the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
Account information: If you would at any time like to review or change the information in your account, or terminate your account, you can contact us using the contact information in Section 12. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, enforce our legal terms, and/or comply with applicable legal requirements.
10. Controls for Do-Not-Track Features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.
11. Do We Make Updates to This Notice?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated “Last updated” date at the top of this Privacy Notice. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.
12. How Can You Contact Us About This Notice?
If you have questions or comments about this notice, or to submit a data deletion request, you may contact us at:
For Google-specific data requests (access, correction, or deletion of data processed in connection with Google Ads), please email [email protected] with the subject line “Google Data Request.” We will respond within 30 days.
13. How Can You Review, Update, or Delete the Data We Collect From You?
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please submit a data subject access request or contact us at [email protected].
14. How Do We Keep Your Information Safe?
In Short: We protect your information — including personal and sensitive data — using encryption in transit and at rest, hashing of personal identifiers, access controls, and other technical and organizational safeguards.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process, including data that may be considered sensitive such as email addresses, phone numbers, and OAuth credentials. These measures include:
- Encryption in transit: All data exchanged between merchants, end-customers, PixelRelay, and the ad platforms it connects to (including Google) is transmitted over encrypted connections (HTTPS/TLS).
- Encryption at rest: Sensitive credentials — including OAuth refresh tokens and other ad-platform access tokens — are encrypted using strong, industry-standard encryption before they are stored, with encryption keys managed separately from the encrypted data.
- Hashing of personal identifiers: Customer email addresses and phone numbers are hashed with SHA-256 before being transmitted to ad platforms for conversion matching. We do not transmit raw email addresses or phone numbers.
- Access controls and least privilege: Access to production systems and stored credentials is restricted to authorized personnel on a need-to-know basis and protected by authentication controls.
- Data minimization and retention limits: We collect only the data needed to deliver conversion and measurement features, and event data is retained only for the limited period described in Section 7 before deletion.
- Secure deletion and token revocation: When a merchant disconnects a platform or closes their account, the associated stored credentials are deleted and the related OAuth tokens are revoked.
Although we have taken steps to secure your information, please remember that no electronic transmission or storage can be guaranteed to be 100% secure, and we cannot promise or guarantee that unauthorized third parties will never be able to defeat our security. You should access the Services within a secure environment.