Veritraffic Privacy Policy
Effective June 18, 2026
Veritraffic ("we", "the app") helps Shopify merchants detect and clean bot and fake traffic from their store, email marketing (Klaviyo), analytics, and ad pixels. This policy explains what data the app processes, why, and the choices you and your customers have. We are privacy-first by design: we minimize the data we store and we never store raw customer email addresses.
Who is responsible for your data
When you install Veritraffic on your store, you (the merchant) are the data controller for your customers' personal data, and Veritraffic acts as a data processor that processes that data on your behalf and on your instructions. For the data needed to operate and secure the app itself (such as your store domain and app settings), Veritraffic is the controller.
What data we process
- Storefront activity (Web Pixel): an anonymous storefront client ID, page / add-to-cart / checkout events, the visitor's IP address, and the browser user-agent string. Used to score traffic for bot signals.
- Customer & order data (Admin API webhooks): we store a one-way SHA-256 hash of the email address (never the raw email), whether a first name is present, and order metadata (browser IP, user-agent, order value and currency). Used to detect fake accounts and correlate bot checkouts.
- Klaviyo (only if you connect it): OAuth access tokens and opaque Klaviyo profile IDs, so we can tag and suppress flagged profiles. We never copy your customers' raw email addresses into our database.
- Ad pixels (only if you configure them): your Meta Pixel ID / Conversions API token and GA4 Measurement ID / API secret (stored server-side, never exposed to the browser), plus a per-event record of which conversion events we forwarded or withheld.
- Detection results: a verdict (human / suspect / bot), a score, and the evidence behind each flag, keyed to the anonymous client ID or the email hash.
We do not store raw email addresses, names, phone numbers, or postal addresses. We do not sell personal data. We do not use your data to train models for other merchants.
Why we process it (purposes & legal basis)
We process this data to detect automated / fraudulent traffic, clean fake profiles out of your marketing tools, and keep your conversion reporting accurate. Under the GDPR, the legal bases are your instructions as the merchant (for processing on your behalf) and the legitimate interest that you and your customers have in preventing bot abuse and fraud, which we balance against privacy through data minimization.
Sub-processors
- Supabase — database and hosting (EU region).
- Shopify — the platform your store and our app run on.
- Klaviyo — only if you connect it, to tag/suppress flagged profiles.
- Meta and Google — only if you configure ad-pixel forwarding, to receive your human conversion events.
How long we keep it
We keep event data only as long as we need it to detect and show bot activity, and we minimize what we store (for example, only a one-way hash of email addresses — never the raw address). Detection results are kept while the app is installed. When you uninstall the app, we delete your store's data; we also honour Shopify's mandatory data-deletion requests (see below).
Your customers' rights & data deletion
Your customers may exercise their GDPR rights (access, rectification, erasure, restriction, objection) through you as the merchant. We support Shopify's mandatory compliance webhooks:
- Customer data request — because we store only a pseudonymous email hash and anonymous identifiers, there is no raw personal data to return; you (the controller) fulfil the request.
- Customer redact — we delete the detection, event, and allowlist records associated with that customer's email hash.
- Shop redact — when your store uninstalls, we delete all data we hold for your shop.
Security
Data is stored with access restricted to the app's server-side service role; third-party credentials (Klaviyo tokens, ad-pixel secrets) are never sent to the browser. We minimize the personal data we hold to reduce risk.
International transfers
Our database is hosted in the EU. Where data is processed by sub-processors outside your region, it is governed by their respective data-processing terms.
Changes to this policy
We may update this policy as the app evolves. Material changes will be reflected here with a new effective date.
Contact
Questions about this policy or your data? Email mykhailo.kholiev@gmail.com.