Privacy Policy
Last updated 6 June 2026.
1. Who we are
Overseer is a Shopify embedded app that gives a merchant storefront analytics, customer-journey funnels, session replays, and AI conversion insights for their own store. The merchant is the data controller; Overseer acts as a data processor on the merchant's behalf and under the merchant's instructions.
2. What we collect
From storefront visitors (pseudonymous behavioural analytics): page views, navigation/journey paths, clicks, scroll, Web Vitals; commerce events (product viewed, add to cart, remove from cart, begin checkout, purchase — event metadata only); device/browser/OS, coarse geo (country/region/city derived from IP — the raw IP address is not stored), language; a first-party visitor identifier. Optional, merchant-enabled session replays (rrweb DOM recordings) are captured with input masking on — form-field values are masked.
From the Shopify Admin API (the merchant's store data): customers, orders, and customer events, used to enrich journeys (e.g. to attribute a session to a returning customer or to compute revenue). This access is read-only.
We never collect payment-card numbers, passwords, government IDs, or special-category personal data.
3. How it's collected
A Shopify Web Pixel and a merchant-enabled Theme App Extension send events and (optional) replays to our analytics backend; the app server reads the merchant's store data via authenticated Shopify Admin API calls.
4. Why we process it
Our sole purpose is to provide the merchant with analytics and AI conversion insights for their own store. We never sell data, never share it across merchants, and never use it for advertising or cross-store profiling. The session recorder honours Do Not Track / Global Privacy Control when the merchant enables that option; merchants are responsible for their own storefront cookie/consent notices.
5. AI processing
AI insights are generated by a large-language-model provider (Anthropic or Google). Only distilled, pseudonymous evidence — aggregated stats and a compacted event timeline — is sent to the model; never raw customer PII, raw replays, or payment data. Provider API terms prohibit using this content to train their models.
6. Storage & security
- All traffic is encrypted in transit (HTTPS/TLS); data is encrypted at rest.
- Databases have no public IP and are reachable only over a private network; the public ingest endpoint is rate-limited and WAF-protected.
- Least-privilege service accounts, no static keys, all secrets in a managed secret store.
- Strict tenant isolation — each merchant can only ever access their own store's data.
- Access is restricted and audit-logged; incidents affecting a merchant's customers are reported to the merchant without undue delay.
7. Retention
Data is retained while the app is installed so the merchant can analyse trends, and is deleted through the controls described below or when the app is uninstalled.
8. Your rights & data deletion
Overseer fully supports Shopify's mandatory privacy webhooks:
- Customer data request — logged and fulfilled; the data we hold is pseudonymous analytics the merchant can view in-app.
- Customer redact — erases that customer's data from our systems.
- Shop redact — on uninstall, erases all of the shop's data (every event, session, and replay) within Shopify's required window.
Merchants can also, at any time, Reset analytics or Delete all data from the app's Settings → Data & privacy. Uninstalling the app erases everything automatically.
9. Sub-processors
| Sub-processor | Purpose | Data |
|---|---|---|
| Google Cloud (hosting, storage, US region) | Infrastructure | All app & analytics data |
| Anthropic or Google (LLM) | AI insight generation | Distilled, pseudonymous evidence only |
10. International transfers
Data is processed in the United States (Google Cloud). Transfers rely on the providers' Standard Contractual Clauses. EU data residency is available on request.
11. Contact
Privacy questions or data requests: privacy@theoverseer.site. The merchant remains the controller and primary contact for their own customers.