Privacy Policy

How we collect, use, and protect your data.

Effective date: January 1, 2025  ·  Last updated: April 13, 2026

1. Introduction and Controller Identity

Calatrix ("we", "our", "us") is a profit-first advertising automation platform for Shopify merchants, accessible at calatrix.com. Calatrix is the data controller for personal data you provide directly to us (such as your account information). For all privacy-related questions, requests, or to exercise your data rights, contact us at privacy@calatrix.com. We are committed to transparency and will respond to privacy inquiries within 5 business days.

2. Definitions

As used in this policy:

  • Personal Data means any information relating to an identified or identifiable natural person. This includes account information and Shopify/Meta identifiers, but excludes aggregated, anonymized data that cannot be linked back to you.
  • Processing means any operation performed on personal data, including collection, storage, use, sharing, deletion, or any other form of handling.
  • Data Controller means the person or entity that determines the purposes and means of processing personal data.
  • Data Processor means an entity that processes personal data on behalf of a controller.
  • Data Subject means you, the individual whose personal data is being processed.

3. Data We Collect

Calatrix is designed to operate on the minimum data required to calculate advertising profitability. We collect only the following categories of personal data:

  • Account Information — your email address and subscription status. These are required to create and operate your Calatrix account, manage billing, and send transactional communications.
  • Meta Ads Performance Data — campaign spend, impressions, clicks, ROAS, and other performance metrics from Meta ad accounts you explicitly authorize. We access only accounts you grant permission for through OAuth.
  • Shopify Order Data — numeric order IDs, order subtotals, currency codes, product variant identifiers, and UTM attribution parameters. We do not collect customer names, email addresses, payment information, or any Shopify customer profile fields.
  • Cost of Goods Sold (COGS) — values you enter manually for profit margin calculation. This is your own business data, not customer data.
  • Usage and Analytics Data — feature usage patterns, button clicks, page interactions, and session duration. This helps us improve the product and understand which features provide the most value.

4. Legal Basis for Processing (GDPR Article 6)

Under GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance (Article 6(1)(b)) — processing your account information and Shopify/Meta data is necessary to provide you with the Calatrix service you have contracted for.
  • Legitimate Interests (Article 6(1)(f)) — we process usage analytics and feature-usage data to improve our product, understand user behavior, and protect against fraud.
  • Legal Obligation (Article 6(1)(c)) — we process and retain data as required by applicable tax, financial reporting, and data protection laws.
  • Consent (Article 6(1)(a)) — where required by law, we collect and use certain data only with your explicit consent, which you can withdraw at any time.

5. How We Use Your Data

We use the data we collect exclusively for the following purposes:

  • Attributing Shopify revenue to specific Meta advertising campaigns using UTM parameters
  • Calculating profit per campaign after deducting COGS and Meta ad spend
  • Powering kill rules that automatically pause or disable unprofitable campaigns
  • Scaling budgets on campaigns that exceed your configured profit targets
  • Generating profit reports, ROI analysis, and performance insights in your dashboard
  • Processing subscription payments via Stripe and managing billing cycles
  • Sending transactional emails (billing receipts, system alerts, password resets)
  • Improving our product through usage analytics and feature telemetry
  • Detecting, preventing, and investigating fraud or unauthorized account access

We never sell your data to third parties. We do not use your data for advertising, marketing profiling, or any purpose outside of operating the Calatrix service.

6. What We Do Not Collect

To protect customer privacy, Calatrix deliberately does not collect:

  • Customer names, email addresses, phone numbers, or physical addresses
  • Customer payment information or credit card details
  • Customer browsing history or session data
  • Any Shopify customer profile fields or personal information
  • Personally identifiable information from Meta (except your Meta user ID for account linking)

7. Data Sharing and Third Parties

Calatrix integrates with carefully selected third-party services on your behalf. We only share the minimum data necessary for these services to function:

  • Meta Ads API — we act as a processor on your behalf. We send campaign IDs and budget data to Meta to manage campaigns; we receive campaign performance metrics from Meta. Meta's privacy policy governs how they store and use data on their platform. Data is transmitted over HTTPS, and OAuth tokens are stored encrypted.
  • Shopify Admin API — we access order data from Shopify on your behalf. We retrieve order IDs, subtotals, and UTM parameters. Shopify's privacy policy applies to data held on their platform. We never store Shopify customer profile information.
  • Stripe — payment processing is handled by Stripe under PCI DSS Level 1 compliance. We transmit only your email and subscription plan ID to Stripe; we never handle or store your payment card details. Stripe's privacy policy applies.
  • Email Delivery Provider — transactional emails (receipts, alerts, password resets) are sent via a third-party email service. Only your email address is shared with this provider for delivery purposes.
  • Analytics — we may use non-identifying usage metrics to understand product performance and improve features. We never share personal data with analytics providers.

We do not share your data with any other third parties without your explicit consent, except where required by law or in response to a valid legal request.

8. International Data Transfers

Your data may be stored and processed in countries other than your country of residence. If data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — where transfers occur to countries without an adequacy decision, we rely on SCCs to provide contractual safeguards equivalent to GDPR protection.
  • Adequacy Decisions — for some jurisdictions, the European Commission has determined that data protection standards are adequate, allowing transfers without additional safeguards.
  • Your Consent — for transfers based on your explicit consent, you may withdraw consent at any time.

By using Calatrix, you consent to the international transfer of your data as described above.

9. Shopify Merchant Data and GDPR Compliance

Calatrix is a Shopify app. When you install and authorize Calatrix, you grant us access to specific data from your store. In this relationship:

  • You (the merchant) are the data controller of Shopify data.
  • Calatrix is a data processor acting on your behalf.
  • We process Shopify data only to provide the Calatrix service to you.
  • We comply with Shopify's Data Processing Addendum (DPA) and GDPR Article 28 processor requirements.
  • We do not store individual end-customer personal information beyond numeric order identifiers required for revenue attribution.

GDPR Webhook Handling: If your end-customers submit data deletion or access requests through Shopify (or other GDPR-related webhooks), Calatrix handles these automatically:

  • customers/data_request: Upon receiving this webhook, Calatrix exports all stored data related to that customer within 30 days and provides it to Shopify for forwarding to the customer.
  • customers/redact: Upon receiving this webhook, Calatrix immediately deletes all personal data (including order references) associated with that customer.
  • shop/redact: Upon store uninstall, Calatrix deletes all order attribution data within 48 hours of receiving the shop/redact webhook.

You may also contact us at privacy@calatrix.com to request deletion or export of specific Shopify data.

10. Meta (Facebook) Data Storage and Deletion

When you connect your Meta account to Calatrix, we store and process the following data:

What we store: an encrypted access token, your Meta user ID, ad account IDs you selected during authorization, and campaign performance metrics (spend, impressions, clicks, ROAS). We use this data exclusively to read campaign performance and to manage campaigns according to your configured rules (kill rules, budget scaling). We do not store personal information about your customers via Meta.

Data deletion: If you request deletion of your Facebook data through Meta's Privacy Centre, Meta notifies Calatrix automatically. Upon receiving Meta's notification, we immediately delete your encrypted access token, Meta user ID, ad account connections, and all related campaign data. This typically completes within seconds of the request.

You can also trigger deletion yourself by disconnecting Meta in Calatrix Settings, or by contacting us at privacy@calatrix.com. We will respond and process your deletion request within 5 business days.

11. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption at Rest: All Shopify and Meta access tokens are encrypted using AES-256-GCM before being written to our database. This ensures that even if our database is compromised, tokens cannot be read without the encryption key.
  • Encryption in Transit: All data transmitted between your browser, Calatrix, Shopify, and Meta is encrypted using HTTPS with TLS 1.2 or higher.
  • Webhook Verification: All inbound webhooks from Shopify and Meta are verified using timing-safe HMAC comparisons (HMAC-SHA256) to prevent forgery and man-in-the-middle attacks.
  • OAuth Security: OAuth tokens are validated with timing-safe comparison to prevent token tampering.
  • Access Controls: Access to personal data is restricted to authorized personnel only, with role-based access controls (RBAC) in place.
  • Audit Logging: All data access and modifications are logged for audit and compliance purposes.
  • Breach Notification: In the event of a data breach, we will notify affected data subjects and relevant regulators without undue delay and no later than 72 hours after discovery, as required by GDPR.

12. Data Retention

We retain your data only as long as necessary to provide the service and comply with legal obligations:

  • Account Data: Retained while your Calatrix account is active. After cancellation, retained for 30 days then permanently deleted (except where retention is required by law).
  • Order Attribution Data: Deleted within 48 hours of Shopify store uninstall, triggered automatically by Shopify's shop/redact webhook.
  • Event Logs: Retained for 90 days, then automatically deleted.
  • Encrypted Backups: For disaster recovery, encrypted backups of all data are retained for up to 6 months. After 6 months, backups are deleted.
  • Tax and Financial Records: Retained as required by applicable tax and financial reporting laws (typically 7 years).

13. Your Rights (GDPR)

If you are in the European Union or EEA, you have the following rights under GDPR:

  • Right of Access (Article 15): You have the right to request and obtain a copy of all personal data we hold about you in a portable, machine-readable format.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data ("right to be forgotten"), subject to exceptions for legal obligations and legitimate interests.
  • Right to Restrict Processing (Article 18): You have the right to request that we limit how we process your data in specific circumstances.
  • Right to Data Portability (Article 20): You have the right to request your personal data in a structured, machine-readable format and to transmit it to another controller.
  • Right to Object (Article 21): You have the right to object to processing based on legitimate interests or to automated decision-making and profiling.
  • Right to Lodge a Complaint (Article 77): If you believe we have violated your data protection rights, you have the right to lodge a complaint with your local data protection authority without penalty.

To exercise any of these rights, contact us at privacy@calatrix.com. We will respond to your request within 30 days (extendable by 60 days for complex requests). Please include sufficient information for us to identify you and verify your identity.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request what personal information we collect, use, and share about you.
  • Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to exceptions for legal obligations and service operations.
  • Right to Opt-Out of Sale: Calatrix does not sell your personal information. We do not share your data for monetary or other valuable consideration.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. You will not be denied service, charged different prices, or offered degraded quality service for exercising these rights.

To submit a request, email privacy@calatrix.com with "CCPA Request" in the subject line. Include your full name and email address. We will verify your identity and respond within 45 days.

15. Children's Privacy

Calatrix is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child under 16, we will delete such data immediately and terminate the child's account. If you believe we have collected data from a child, contact us at privacy@calatrix.com.

16. Cookies and Tracking Technologies

Calatrix uses minimal tracking technologies:

  • Session Cookies: We use a single session cookie to maintain your authenticated login state. This cookie is essential for the service to function and expires when you close your browser or log out.
  • No Advertising Cookies: We do not use cookies for advertising, retargeting, or behavioral profiling.
  • No Tracking Pixels: We do not use web beacons or tracking pixels.

Disabling cookies in your browser will prevent you from logging in to Calatrix. You can control cookies through your browser settings.

17. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes to this policy, we will:

  • Provide at least 30 days' advance notice via email to your registered email address, or
  • Display a prominent notice in your Calatrix dashboard, or
  • Require your explicit consent to the new policy terms before you continue using the service.

Your continued use of Calatrix after the effective date of any changes constitutes your acceptance of the revised policy.

18. Contact and Data Protection Officer

For any privacy-related questions, to exercise your data rights, or to report a data breach, contact us:

Email: privacy@calatrix.com
Response SLA: We aim to respond to all privacy requests within 5 business days. For detailed data subject access requests, we have up to 30 days to respond.
Format: You may submit requests in writing via email. Please include sufficient details to identify you and verify your identity.

We have appointed a Data Protection Officer to oversee our privacy practices and ensure compliance with applicable data protection laws. All privacy inquiries are handled with care and confidentiality.