Privacy Policy

Effective date: June 9, 2026

Rauxdata (“we”, “us”, or “our”) operates the Rauxdata platform, including the dashboard, widget, and API (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Service.

The Service involves two distinct data layers with different privacy relationships:

  • Merchant data — information about you, the merchant who created a Rauxdata account. Rauxdata is the data controller for this data.
  • End-customer survey data — information collected from your customers through the Rauxdata widget installed on your store. You are the data controller for this data; Rauxdata acts as a data processor on your behalf.

1. Information We Collect About Merchants

When you register and use the Service as a merchant, we collect:

  • Account information: name, email address, password (stored as a salted hash), and workspace name.
  • Business profile: industry, annual revenue range, e-commerce platform, referral source, and primary goal for using Rauxdata. This information is collected during onboarding and used to improve the platform and, in the future, to provide anonymized benchmarking features.
  • Billing information: plan, subscription status, and billing history. Payment card details are processed and stored by Stripe; we do not store full card numbers.
  • Usage data: log files, feature interactions, session identifiers, browser type, operating system, and IP address, collected automatically when you use the dashboard.
  • Communications: emails or support messages you send us.

2. End-Customer Survey Data (Processor Role)

Through the Rauxdata widget installed on your store, the Service collects the following data from your end customers on your behalf:

  • Survey responses: answers to the questions you configure in your survey (free-text, multiple choice, NPS scores, etc.).
  • Attribution signals: UTM parameters (utm_source, utm_medium, utm_campaign), ad-platform click identifiers (fbclid from Meta, gclid from Google, ttclid from TikTok) when present in the visitor's landing URL, HTTP referrer, and landing page URL.
  • Order metadata: order value, currency, customer type (new or returning), discount code, product identifiers and titles (when passed by the merchant).
  • Device and location: device type (mobile, tablet, desktop) and country (ISO-2 code), derived from request headers and — when the merchant has configured geo audience rules — from a client-side lookup to ip-api.com. When geo audience rules are active, the widget calls ip-api.com to determine the visitor's location for display-routing purposes only (deciding whether to open or stay closed). Region, city, and timezone data obtained from this lookup are used exclusively for that client-side routing decision and are not transmitted to Rauxdata servers and not stored server-side. Only the visitor's country (ISO-2) is included in the survey response payload submitted to Rauxdata when the visitor completes the survey, consistent with the standard location data described above.
  • Optional customer identity: an opaque customerId string (if passed by the merchant) and/or a SHA-256 hash of the customer's email address. We never receive or store raw email addresses from end customers.

As a data processor, we process end-customer data only as instructed by you and only to the extent necessary to provide the Service. We do not sell, share, or use end-customer data for our own marketing or analytics beyond what is needed to operate the Service.

Your responsibilities as data controller: You must ensure your privacy policy discloses the use of the Rauxdata widget, obtain any required consents from your end customers (e.g. under GDPR, CCPA, LGPD), and handle data subject rights requests (access, deletion, portability) for your end customers. See Section 10 for how we help you fulfill deletion requests.

3. How We Use Merchant Data

We use merchant data to:

  • Create and maintain your account and authenticate you.
  • Provide and improve the Service, including developing new features.
  • Process payments and manage your subscription.
  • Send transactional emails (account confirmation, invoices, password reset).
  • Send product updates and announcements (you can opt out at any time).
  • Respond to support requests and investigate issues.
  • Produce aggregated, anonymized benchmarks — for example, “median NPS for DTC apparel brands” — where individual merchants cannot be identified.
  • Comply with legal obligations.

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area, United Kingdom, or another jurisdiction that requires a legal basis for processing personal data, we rely on the following:

  • Contract performance: processing necessary to provide the Service you have signed up for (account data, billing, authentication).
  • Legitimate interests: improving the Service, security, fraud prevention, and aggregated analytics, where our interests do not override your rights.
  • Legal obligation: compliance with applicable law (e.g. tax records, regulatory requests).
  • Consent: marketing communications and optional features; you may withdraw consent at any time.

For end-customer data, Rauxdata processes it under your instructions as data controller. You are responsible for establishing the appropriate legal basis for that processing.

5. Cookies and Similar Technologies

The Rauxdata dashboard uses cookies and local storage for authentication sessions and user preferences. We do not use third-party advertising cookies.

The Rauxdata widget installed on your store uses sessionStorage to track the survey display state (e.g. whether the widget has already been shown during the current session). It does not set persistent cookies on your end customers' browsers.

Rauxdata Pixel (browser-side tracking). When you enable the Rauxdata Pixel on your storefront, it sets a persistent identifier called raux_aid (anonymous ID) in your end customers' browser localStorage. This identifier is:

  • Consent-gated: the Pixel fires only after your end customer grants analytics consent through your store's Consent Management Platform (CMP). In jurisdictions where consent is legally required (e.g. EU/EEA under GDPR, CCPA opt-in flows), the identifier is not created and no events are sent until consent is granted. If consent is never granted or the CMP is not configured, the Pixel remains silent (fail-closed default).
  • Persistent across sessions: once set, raux_aid remains in localStorage until the end customer clears their browser data. A separate session identifier (raux_sid) is stored in sessionStorage and expires after 30 minutes of inactivity.
  • Anonymous: the identifier is a randomly generated UUID; it does not encode any personally identifiable information by itself.
  • Event types captured: once consent is granted, the Pixel may capture page views, add-to-cart actions, and purchase completions, along with the current page URL, a timestamp, and basic device type (mobile, tablet, or desktop).
  • Retention: pixel event data is retained for as long as the merchant maintains an active Rauxdata subscription. Deletion of a merchant account or project removes all associated pixel data within 30 days.
  • Your rights: as an end customer, you may delete the raux_aid identifier at any time by clearing your browser's localStorage. You may also submit a data deletion request to the merchant whose store you visited; the merchant can fulfill it via the Rauxdata dashboard or by contacting us at [email protected].

5b. Rauxdata Consent Banner

When you enable the Rauxdata Consent Banner (“own CMP”) for a project, your end customers who visit from the European Economic Area (EEA) or the United Kingdom will see a consent prompt before the Rauxdata Pixel activates.

Region gating

At pixel-config delivery time, Rauxdata resolves the visitor's country from the inbound request IP using a local, in-process, CC0-licensed IP-to-country database (no third-party service receives the IP). The resolved country is used solely to determine whether a consent banner is legally required:

  • Visitors whose country is in the EU-27, EEA (Iceland, Norway, Liechtenstein), or UK (GB) — 31 countries in total — are shown the consent banner.
  • Visitors whose country is outside that set (e.g. US, MX, AR) are not shown the banner. The pixel remains silent (fail-closed) until the visitor's own CMP on the storefront grants consent.
  • If the visitor's country cannot be resolved (unrecognisable IP, VPN exit node, private range), the banner is shown as a safe default (“fail-closed”).

The visitor's full IP address is never exposed to the browser or shared with any third party. The browser receives a boolean (cmpRequired) indicating whether the banner must be shown, together with the visitor's own two-letter country code, which is recorded with the consent snapshot for audit purposes.

Banner behavior

The Rauxdata consent banner is rendered inside a Shadow DOM element isolated from the merchant's page. It presents two consent categories — analytics and marketing — both unchecked by default. No pre-ticking occurs. The visitor must explicitly grant each category.

If the merchant's store uses Shopify's built-in Consent API, the Rauxdata banner is suppressed and Shopify's CMP takes precedence.

Consent audit records (ConsentRecord)

Every consent event — grant or withdrawal — results in an append-only audit record stored by Rauxdata on the merchant's behalf. Each record contains:

  • projectId — the merchant's Rauxdata project.
  • anonymousId — the same randomly generated UUID stored in the visitor's localStorage as raux_aid. Not created until consent is granted.
  • categories granted: analyticsGranted and marketingGranted (booleans, per the visitor's explicit selection).
  • providerSource: raux-banner when the Rauxdata banner was used; raux when a merchant-supplied external CMP hook was used.
  • action: grant or withdraw.
  • region — the server-resolved two-letter country code (or null if unresolvable).
  • bannerVersion — the version of the banner copy shown to the visitor at the time of consent.
  • recordedAt — server timestamp; immutable after creation.

Append-only: existing consent records are never modified. Withdrawals create a new row with action='withdraw'.

Retention and deletion: consent records are retained for as long as the merchant maintains an active Rauxdata subscription and the associated project exists. When a project or account is deleted, all associated consent records are deleted within 30 days. End customers may request deletion of their consent records via the merchant (who can action it in the Rauxdata dashboard) or directly at [email protected] with their anonymousId.

Withdrawal right

End customers who granted consent via the Rauxdata banner may withdraw that consent at any time. Withdrawal immediately stops pixel capture (no further events are sent to Rauxdata) and writes a withdrawal record in the audit log. Clearing browser localStorage also effectively removes the anonymous identifier, preventing future capture.

Identity reconciliation (analytics)

Where the visitor grants consent for the analytics category (analyticsAllowed) and subsequently completes an identification event on the storefront (such as providing an email address during checkout), Rauxdata may retrospectively associate the previously recorded anonymous browsing events linked to that visitor's unique identifier (raux_aid) with said identity. This processing is executed strictly for marketing attribution, conversion funnel measurement, and the merchant's internal performance analytics. It is never utilized to build third-party advertising profiles or trigger automated retargeting campaigns without explicit marketing consent.

6. How We Share Information

We do not sell personal data. We share data only in these limited cases:

  • Service providers: Stripe (payment processing), Railway (infrastructure hosting), Resend (transactional email), and similar vendors who process data on our behalf under confidentiality agreements.
  • Your integrations: when you configure webhooks or third-party integrations (e.g. Zapier), we send data to those endpoints as instructed by you.
  • Legal requirements: when required by law, court order, or governmental authority; or to protect the rights, safety, or property of Rauxdata, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of substantially all of our assets, provided the successor entity is bound by equivalent privacy obligations.

7. International Data Transfers

Rauxdata is operated from Argentina. Data may be stored and processed in the United States or other countries where our infrastructure providers operate. If you are located in the EEA or UK, transfers outside those regions are subject to appropriate safeguards such as Standard Contractual Clauses where required.

8. Data Retention

We retain merchant account data for as long as your account is active, plus a reasonable period thereafter for legal and business purposes.

End-customer survey data is retained for as long as you maintain an active subscription. You may export or delete your data at any time from the dashboard. When you delete a project or close your account, associated end-customer data is deleted within 30 days, except where retention is required by law.

9. Security

We implement industry-standard security measures including TLS encryption in transit, hashed passwords, and access controls. Email addresses from end customers are never stored — only a one-way SHA-256 hash (used exclusively for deduplication), which cannot be reversed to recover the original email.

No system is completely secure. We cannot guarantee absolute security. If you discover a vulnerability, please report it responsibly to [email protected].

10. Your Rights

Depending on your jurisdiction, you may have rights including access, rectification, erasure, portability, restriction of processing, and the right to object. To exercise any of these rights with respect to your merchant account data, contact us at [email protected].

For end-customer data, your customers must submit requests to you as data controller. When you receive a deletion request, you can fulfill it by deleting the relevant responses from the Rauxdata dashboard or by contacting us at [email protected] and we will assist.

EEA/UK residents have the right to lodge a complaint with their local data protection authority.

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the dashboard at least 14 days before the new policy takes effect. Your continued use of the Service after the effective date constitutes acceptance.

13. Contact and Data Processing Agreements

For privacy questions, to exercise your rights, or to request a Data Processing Agreement (DPA) for GDPR compliance, contact us at:

Also see our Terms of Service for the full contractual relationship governing your use of the platform.

Also available in Spanish.
