Privacy Policy

Last updated: April 2026

Sofol Digital (“we”, “us”, “our”) operates ReclaimROAS, a Shopify application that provides server-side conversion tracking services. This Privacy Policy explains how we collect, use, store, and protect information when you use our website (reclaimroas.com) and our Shopify application.

We are based in Melbourne, Victoria, Australia, and comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

1. Information We Collect

1.1 Information from Shopify Merchants (App Users)

When you install and use the ReclaimROAS Shopify app, we collect:

Store information: Your Shopify store domain, store name, and Shopify plan type. This is provided by Shopify during the app installation process.

Ad platform credentials: Your Meta Pixel ID, Meta Conversions API access token, Google Ads customer ID, and Google Ads OAuth tokens. These are provided by you during the app setup process and are used solely to forward conversion data to your ad accounts on your behalf.

Billing information: Your subscription plan and billing status. All payment processing is handled by Shopify through their Billing API. We do not collect or store credit card numbers, bank account details, or other direct payment information.

1.2 Information from Store Visitors (Your Customers)

When a visitor browses or makes a purchase on your Shopify store, our app collects:

Browsing event data: Page URLs visited, products viewed, items added to cart, checkout initiation, and purchase completion. This data is collected via our Shopify Web Pixel Extension and Shopify webhooks.

Technical identifiers: IP address, browser user agent, device type, and referral source. These are captured to support ad platform attribution requirements.

Ad click identifiers: Google Click ID (GCLID), Meta Click ID (FBCLID), Meta Browser ID (FBP), and UTM parameters. These are captured from URL parameters and browser cookies to enable conversion attribution.

Customer personal information: When a purchase is completed, Shopify provides us with the customer’s email address, phone number, name, and shipping address via order webhooks. This information is immediately hashed using SHA-256 and is only used for forwarding to Meta and Google’s conversion APIs in hashed form, as required by those platforms for conversion matching.

1.3 Information from Website Visitors

When you visit reclaimroas.com, we collect standard web analytics data including pages visited, referral source, device type, and browser type. This data is collected via Google Analytics and is used solely to understand website traffic and improve our content.

2. How We Use Information

We use the information we collect for the following purposes:

Conversion tracking: To forward purchase and browsing events from your Shopify store to your Meta Ads and Google Ads accounts via their respective server-side APIs (Meta Conversions API and Google Enhanced Conversions API). This is the core function of our app.

Identity resolution: To link anonymous browsing sessions to completed purchases, enabling us to include ad click identifiers (GCLID, FBCLID) with conversion events sent to your ad platforms.

Dashboard and reporting: To display aggregated event statistics, conversion funnel data, and signal recovery metrics in your ReclaimROAS dashboard within the Shopify admin.

Billing: To track your order volume for plan-based billing through Shopify’s Billing API.

App improvement: To monitor forwarding success rates, debug technical issues, and improve the reliability of our service.

Website improvement: To understand how visitors use reclaimroas.com and improve our content and user experience.

3. How We Handle Personal Information

3.1 Hashing and Data Minimisation

We follow a strict data minimisation approach. Customer personal information (email, phone, name, address) received from Shopify webhooks is immediately hashed using SHA-256 before storage. The hashed values are used solely for forwarding to Meta and Google’s conversion APIs, which require hashed identifiers for conversion matching.

We do not store raw (unhashed) customer personal information beyond the immediate processing window required to hash and forward the data.

3.2 Data We Forward to Ad Platforms

When we send conversion events to Meta or Google on your behalf, the data includes:

Sent to Meta Conversions API: Hashed email, hashed phone number, hashed name, hashed city, hashed state, hashed postcode, hashed country, Meta click ID (FBC), Meta browser ID (FBP), IP address, user agent, event name, purchase value, currency, order ID, and product information.

Sent to Google Enhanced Conversions API: Hashed email, hashed phone number, hashed first name, hashed last name, country code, postal code, Google click ID (GCLID), event name, purchase value, currency, and order ID.

This data is sent using encrypted HTTPS connections directly to Meta’s and Google’s servers. We act as a data processor on your behalf — the data is your first-party customer data being forwarded to your own ad accounts.

4. Data Storage and Security

Database: Event data and hashed customer identifiers are stored in our database hosted by Supabase (PostgreSQL) in the Sydney, Australia region.

Encryption: All ad platform OAuth tokens and API credentials are encrypted at rest. All data transmission uses HTTPS/TLS encryption.

Access control: Access to our database and infrastructure is restricted to authorised personnel only.

Data retention: Raw event data is automatically purged after 90 days. Aggregated statistics (which contain no personal information) are retained for reporting purposes. Hashed customer records are retained for the duration of your app subscription for identity resolution purposes.

Data deletion: When you uninstall the ReclaimROAS app, we automatically delete all data associated with your store, including events, sessions, customer records, and stored credentials. You may also request data deletion at any time by contacting us.

5. Data Sharing

We do not sell, rent, or share personal information with third parties for their own marketing purposes.

We share data only in the following circumstances:

With your ad platforms: We forward conversion data to Meta and Google on your behalf, using your own ad account credentials. This is the core function of the app.

Service providers: We use Supabase for database hosting and Fly.io for application hosting. These providers process data on our behalf under data processing agreements.

Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.

6. Your Rights

Under the Australian Privacy Act, you have the right to:

Access: Request access to the personal information we hold about you or your customers.

Correction: Request correction of inaccurate personal information.

Complaint: Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Australian Privacy Principles.

Deletion: Request deletion of your data at any time. Uninstalling the app automatically triggers data deletion.

If your store serves customers in the European Economic Area (EEA), those customers have additional rights under the GDPR, including the right to erasure, data portability, and the right to object to processing. Our app respects Shopify’s Customer Privacy API and only processes tracking events after customer consent has been given, where required by regional privacy laws.

7. Cookies

reclaimroas.com: Our website uses Google Analytics, which sets cookies for analytics purposes. These cookies do not collect personally identifiable information.

Your Shopify store: Our Web Pixel Extension runs within Shopify’s sandbox environment. It accesses Meta’s _fbc and _fbp cookies (set by Meta, not by us) to capture click identifiers for conversion attribution. We do not set any cookies on your store.

8. Children’s Privacy

Our service is designed for business use by Shopify merchants. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected personal information from a child, we will take steps to delete that information.

9. International Data Transfers

Our primary database is hosted in Sydney, Australia. Conversion data is transmitted to Meta (servers in the United States and other locations) and Google (servers in the United States and other locations) as part of the core service. These transfers are necessary to provide the conversion tracking service and are made using encrypted connections to the platforms’ official APIs.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date at the top of this page. We encourage you to review this page periodically.

11. Contact Us

If you have questions about this Privacy Policy, wish to make a complaint, or want to exercise your privacy rights, please contact us:

Sofol Digital
Melbourne, Victoria, Australia
Email: steve@sofol.digital

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.