Privacy Policy

Last updated: January 18, 2026

GDPR Compliant

Full compliance with EU data protection regulations

Data Encrypted

All data encrypted in transit and at rest

30-Day Retention

Personal data automatically deleted after 30 days

No Data Selling

We never sell your data to third parties

1. Introduction

North Star Metric ("we", "our", or "us") provides analytics and attribution services for Shopify merchants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data We Collect

2.1 For Merchants (Our Customers)

  • Account information (email, store name, Shopify store URL)
  • Billing information (processed securely via Shopify)
  • Usage data (how you interact with our dashboard)

2.2 For Store Visitors (End Users)

When visitors browse stores using our service, we collect:

  • Device fingerprint hashes — Non-reversible hashes derived from browser characteristics (canvas, WebGL, audio context). These cannot identify a person directly.
  • Session data — Pages viewed, time on site, referrer URL
  • Marketing attribution — UTM parameters, click IDs (gclid, fbclid)
  • IP address — Stored as hashed CIDR ranges, not full IP addresses
  • Order data — Only when a purchase is made, via Shopify webhooks

What We DON'T Collect

  • Full names or addresses (only from Shopify order webhooks, hashed)
  • Credit card information (handled by Shopify)
  • Passwords or login credentials
  • Sensitive personal data (health, religion, etc.)

3. Legal Basis for Processing (GDPR)

We process data under the following legal bases:

  • Contract Performance — To provide our services to merchants
  • Legitimate Interest — For fraud prevention, bot detection, and service security
  • Consent — For fingerprinting and cross-device tracking (when required by merchant's cookie banner)

Merchants are responsible for obtaining appropriate consent from their visitors through their cookie consent management platform (CMP).

4. Data Retention

Data Type | Retention Period
Device fingerprints | 30 days
Session events | 30 days
Attribution clicks | 30 days
Order/conversion data | 2 years (for merchant reporting)
Merchant account data | Duration of service + 30 days

Data is automatically deleted after the retention period expires using database TTL policies.

5. Third-Party Data Sharing

When a merchant explicitly connects an advertising platform through our Integrations page, we forward hashed and anonymized conversion data to that platform on the merchant's behalf. This is server-side forwarding initiated by the merchant's configuration.

The platforms that may receive data include:

  • Meta (Facebook) — via the Conversions API (CAPI). Hashed email, phone, and order value for ad optimization.
  • Google Ads — via the Google Ads API. Hashed customer identifiers and conversion value.
  • TikTok — via the TikTok Events API. Hashed identifiers and conversion events.

No data is shared with these platforms unless the merchant activates the integration. All personally identifiable information is hashed (SHA-256) before transmission.

Data is stored in ClickHouse, an analytical database hosted within the EU (Hetzner, Germany), with automatic TTL-based deletion as described in Section 4.

6. Your Rights (GDPR)

Under GDPR, you have the following rights:

Right to Access

Request a copy of your data

Right to Erasure

Request deletion of your data

Right to Portability

Receive your data in a portable format

Right to Restrict

Limit how we process your data

To exercise these rights, contact us at privacy@northstarmetric.io

7. Opt-Out for Store Visitors

Store visitors can opt out of tracking in several ways:

  • Cookie Banner — Decline cookies/tracking in the store's consent banner
  • Browser Console — Run NSM_optOut() in the browser console
  • Contact Store — Ask the store merchant to delete your data

When you opt out, we immediately stop tracking, clear all stored identifiers, and send a deletion request to our servers.

8. Data Security

We implement industry-standard security measures:

  • TLS 1.3 encryption for all data in transit
  • Encrypted storage for sensitive data at rest
  • SQL injection protection with parameterized queries
  • Regular security audits and monitoring
  • Access controls and authentication

9. Data Transfers

Our servers are located in the European Union (Germany). Data may be processed by sub-processors in compliance with GDPR requirements and appropriate safeguards (Standard Contractual Clauses where applicable).

10. Contact Us

For privacy-related inquiries:

Privacy Contact

Email: privacy@northstarmetric.io

We aim to respond to all privacy requests within 30 days.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.