Privacy Policy
Last updated:
1. Introduction
U-Scale ("we", "us", "our") provides U-Scale CAPI (the "Service"), an embedded Shopify application that sends server-side conversion events from your Shopify store to advertising platforms, including Meta's Conversions API. This Privacy Policy explains what data we process, how we use it, and the rights of merchants and their customers.
U-Scale CAPI is designed to be privacy-first: customer personally identifiable information ("PII") is hashed using SHA-256 inside your store environment before it ever leaves your store.
2. Data We Collect
To deliver conversion events, the Service processes the following categories of data:
- Shopify store data: store domain, shop ID, app configuration, and the credentials you provide for connected platforms (e.g., Meta pixel ID and Conversions API access token).
- Order & checkout event data: order ID, currency, total value, line items, and event timestamps required to construct a valid conversion event.
- Customer identifiers used for Meta event matching: email, phone number, IP address, user agent, and click identifiers (such as fbp and fbc). These values are SHA-256 hashed before transmission, in line with Meta's CAPI requirements.
- Operational data: logs, delivery status, retry counts, and error metadata used to operate and troubleshoot the Service.
3. How We Use Data
We use the data described above to:
- Send conversion events (e.g., Purchase, Initiate Checkout) to Meta's Conversions API on your behalf;
- Deduplicate server events against your browser pixel events;
- Provide error monitoring, queue/retry behavior, and support;
- Comply with Shopify and Meta platform requirements;
- Detect and prevent abuse and fraud.
4. How We Share Data
We share hashed customer identifiers and order event data with Meta Platforms, Inc. so that Meta can attribute and optimize your advertising. Meta acts as an independent processor/controller with respect to the data it receives, governed by its own terms and policies.
We do not sell personal data. We may share data with infrastructure subprocessors (such as our cloud hosting and logging providers) under contractual data-protection obligations, and with authorities where required by law.
5. Data Security
We implement administrative, technical, and organizational measures designed to protect the data we process, including encryption in transit (TLS), restricted production access, and continuous monitoring. Customer PII is SHA-256 hashed before leaving your Shopify store.
6. Data Retention
We retain operational logs and event delivery metadata for the period necessary to provide and improve the Service, comply with legal obligations, and resolve disputes. Hashed customer identifiers are transmitted to Meta as part of conversion events and are not retained by us beyond what is needed for delivery, retry, and audit purposes.
7. GDPR & CCPA Rights
Depending on your jurisdiction, you and your customers may have rights to access, correct, delete, restrict, or port personal data, and to object to certain processing. Merchants may exercise these rights through the Service or by contacting us. End-customer requests should generally be directed to the Shopify merchant (the controller of customer data); we will assist merchants in responding.
8. Shopify Mandatory Compliance Webhooks
U-Scale CAPI implements Shopify's mandatory privacy webhooks:
- customers/data_request — when a customer requests a copy of their data, we respond to the merchant with any data we hold linked to that customer.
- customers/redact — when a customer is redacted, we delete any identifiable data we hold about that customer.
- shop/redact — 48 hours after a store uninstalls the Service, we delete the store's data from our systems (subject to legal retention requirements).
9. Cookies & Tracking
The Service itself runs server-side and does not place tracking cookies in your storefront. Your Shopify storefront and the Meta browser pixel may use cookies under your own policies; please consult your Shopify and Meta configuration and your storefront's privacy notices.
10. International Transfers
Data may be processed in countries other than the country in which it was collected. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses) to protect your data.
11. Children's Privacy
The Service is intended for use by businesses operating Shopify stores. It is not directed to children, and we do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Shopify admin, by email, or by posting an updated version. Continued use of the Service after an update constitutes acceptance of the updated Policy.
13. Contact
For privacy questions or to exercise your rights, contact U-Scale at support@u-scale.app or .