Privacy Policy - ONBRAND

Last Updated: February 1, 2025

1. Introduction

This Privacy Policy describes how Onbrand Online LLC ("ONBRAND", "we", "us", or "our") collects, uses, and shares information when you visit our website (onbrand.online) or install and use our Shopify application. By using our website or installing ONBRAND, you agree to the collection and use of information in accordance with this policy.

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy applies to all visitors to our website and merchants who install our application from the Shopify App Store.

2. Information We Collect

2.1 Website Visitors

When you visit our marketing website (onbrand.online), we may collect:

  • Usage data such as pages visited, time spent on pages, and referring URLs
  • Device information including browser type, operating system, and screen resolution
  • IP address (used for analytics and security purposes)
  • Information you voluntarily provide through contact forms or newsletter signups

2.2 Store Information (App Users)

When you install ONBRAND, we collect and store:

  • Your Shopify store domain (e.g., yourstore.myshopify.com)
  • OAuth access tokens required to communicate with your store
  • Session data for authentication purposes

2.3 App Configuration Data

We store configuration data you create within the app:

  • Promo bar settings (content, colors, styling preferences)
  • Personalization rules and conditions
  • A/B test configurations and results
  • Influencer link configurations (discount codes, UTM parameters)
  • QR code settings and designs
  • Cart drawer configurations and upsell settings
  • AI search configurations (synonyms, redirects, boosts, exclusions)
  • Smart size selection settings and learned preferences
  • Upsell widget configurations (storefront and checkout)
  • Product recommendation settings

2.4 Anonymous Visitor Data

When visitors interact with your promo bars on your storefront, we collect anonymous, non-personally-identifiable data:

  • Visitor ID: A randomly generated identifier stored in the visitor's browser (not linked to any personal information)
  • Interaction data: Clicks, impressions, and add-to-cart events
  • A/B test variant assignments: Which variant a visitor was shown
  • Conversion data: Order totals and discount codes used (for analytics purposes only)

Important: We do NOT collect customer names, email addresses, phone numbers, shipping addresses, payment information, or any other personally identifiable information (PII) from your customers. All visitor tracking is done using anonymous, randomly-generated identifiers.

2.5 Order Data (Limited)

We receive order webhook notifications from Shopify solely to track conversion metrics for A/B tests and influencer campaigns. We process:

  • Order total amount (for revenue attribution)
  • Discount codes used (to match with campaigns)
  • Cart attributes set by our app (visitor ID, test ID, variant)
  • Customer email address (for exchange/return detection and conversion deduplication)
  • Customer ID (for linking repeat purchases by the same customer)

We do NOT store customer names, shipping addresses, billing addresses, phone numbers, or payment information from order data. Customer email is used solely for:

  • Detecting exchanges (when a customer returns an item and places a new order)
  • Preventing duplicate conversion counting for repeat purchases
  • Responding to GDPR data requests

Customer email is never used for marketing, shared with third parties, or displayed in analytics.

2.6 QR Code Tracking Data

When you create QR codes using ONBRAND and enable tracking, we collect anonymous, non-personally-identifiable data when customers scan those QR codes:

  • Scan count: The total number of times each QR code has been scanned
  • Timestamp: When each scan occurred
  • Device information: Device type (mobile/tablet/desktop), browser, and operating system (derived from user agent)
  • Hashed IP address: A one-way cryptographic hash of the scanner's IP address (the original IP is NOT stored)
  • Referrer URL: The page or app from which the QR code scan originated (if available)

Privacy Note: IP addresses are immediately hashed using SHA-256 before storage. This means we cannot reverse the hash to obtain the original IP address. The hash is used solely for rate limiting and preventing duplicate scan counting from the same source. QR code tracking can be disabled on a per-QR-code basis in the app settings.

2.7 Marketing Platform Integrations

If you choose to connect ONBRAND with marketing platforms (Klaviyo, Attentive, Omnisend, or Postscript), we may exchange data with these platforms to enhance your customer experience:

  • Data we receive: Customer profile information, order history, and email/SMS engagement data to personalize the shopping experience
  • Data we send: Learned size preferences and product interaction data (with your permission) to enable personalized marketing
  • Identity linking: We may link anonymous visitor IDs to customer profiles when visitors click through from marketing emails or SMS messages

Your Control: Marketing integrations are opt-in and can be disabled at any time. You control whether learned preferences are synced back to marketing platforms. API keys you provide are encrypted at rest and never shared.

2.8 AI-Powered Features

ONBRAND uses AI/ML for several features. Data processed by AI includes:

  • Search: Search queries are processed to provide relevant results. We do not use your search data to train external AI models.
  • Product Recommendations: Product catalog data is used to generate embeddings for similarity-based recommendations.
  • Size Predictions: Purchase history patterns are analyzed to predict size preferences. This analysis is done on aggregated, anonymized data.

All AI processing is done using on-device models or our own infrastructure. We do not send your data to third-party AI services for training purposes.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Website Operations: To operate and improve our marketing website and understand how visitors interact with it
  • App Functionality: To display promo bars on your storefront and provide personalization features
  • Analytics: To provide you with conversion tracking, A/B test results, and influencer campaign performance
  • App Improvement: To understand usage patterns and improve our app's features and performance
  • Technical Support: To diagnose technical issues and provide customer support
  • Communication: To send important updates about the app or your account (we do not send marketing emails unless you opt in)

4. Data Sharing and Disclosure

We do NOT sell, rent, or trade your information to third parties. We may share data only in the following limited circumstances:

  • Service Providers: We use trusted third-party services for hosting (Railway) and database services (PostgreSQL). These providers are bound by confidentiality agreements.
  • Analytics: We may use analytics services to understand website and app usage patterns. This data is aggregated and anonymized.
  • Legal Requirements: We may disclose information if required by law, court order, or governmental authority.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.
  • With Your Consent: We may share information with third parties when you explicitly consent to such sharing.

5. Data Retention

We retain your data as follows:

  • Website Data: Analytics data from website visits is retained for up to 26 months.
  • Active Accounts: We retain your app data for as long as you have the app installed and your account is active.
  • After Uninstallation: When you uninstall the app, your session data is immediately deleted. All remaining shop data is permanently deleted within 48 hours in accordance with Shopify's mandatory GDPR compliance requirements.
  • Analytics Data (Active Use): The following analytics data is automatically deleted after 90 days:
    • Search queries and click tracking
    • Influencer visit records (non-converted)
    • QR code scan records
    • Product view history
    • A/B test visitor assignments (after test ends)
  • Conversion Data: Order-related data (for revenue attribution) is retained for 12 months to support accurate reporting, then deleted.
  • Aggregated Statistics: Anonymized, aggregated statistics that cannot be linked to individuals may be retained indefinitely.

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data is transmitted over HTTPS/TLS encryption
  • Database access is restricted and protected by authentication
  • OAuth tokens are securely stored and never exposed to third parties
  • Regular security reviews and updates
  • Access to production systems is limited to authorized personnel only

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.

7. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your data:

7.1 For EU/EEA Users (GDPR)

  • Right of Access: Request a copy of the data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Object: Object to certain types of data processing
  • Right to Restrict Processing: Request limited processing of your data

7.2 For California Users (CCPA)

  • Right to Know: Request information about data collection and sharing practices
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise any of these rights, please contact us at help@onbrand.online.

Data Export: You can request a copy of your data in machine-readable format (JSON) by contacting us or by using our data export API endpoint. Merchants can also access customer data exports through the Shopify admin panel.

8. Shopify Data Processing

Our app operates within the Shopify ecosystem and is subject to Shopify's terms of service and privacy practices. When you install our app, you authorize Shopify to share certain information with us as described in this policy.

We comply with Shopify's mandatory privacy and data protection requirements, including:

  • Responding to customer data requests within 30 days
  • Processing customer data deletion requests
  • Deleting all shop data within 48 hours of app uninstallation
  • Maintaining appropriate data security measures

9. Cookies and Tracking Technologies

9.1 Website Cookies

Our marketing website may use cookies for:

  • Essential functionality (session management, security)
  • Analytics (understanding how visitors use our site)
  • Preferences (remembering your settings)

You can control cookies through your browser settings. Disabling cookies may affect some website functionality.

9.2 Storefront Tracking

Our storefront script uses browser localStorage to store a randomly-generated visitor ID. This is used solely for:

  • Maintaining consistent A/B test variant assignment
  • Tracking campaign attribution
  • Preventing duplicate counting of visitors

This visitor ID is anonymous and cannot be used to identify any individual. We do not use third-party tracking cookies or share this data with advertising networks.

10. Children's Privacy

Our website and app are designed for use by businesses and are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately.

11. International Data Transfers

Your data is stored and processed in the United States. Specifically:

  • Application Hosting: Railway (US-West region)
  • Database: PostgreSQL hosted by Railway (US-West region)
  • CDN/Edge: Shopify's global CDN for storefront assets

If you are located outside the United States, your data will be transferred to and processed in the United States. We ensure appropriate safeguards are in place to protect your data:

  • Railway maintains SOC 2 Type II compliance
  • All data is encrypted in transit (TLS 1.2+) and at rest
  • We comply with GDPR requirements for data transfers to third countries
  • For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) where applicable

By using our website or app, you consent to the transfer of your data to the United States for processing in accordance with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

Continued use of our website or app after any changes constitutes your acceptance of the updated Privacy Policy.

13. Limitation of Liability

To the maximum extent permitted by applicable law, Onbrand Online LLC shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including without limitation, loss of profits, data, use, goodwill, or other intangible losses, resulting from:

  • Your access to or use of or inability to access or use our website or app
  • Any conduct or content of any third party on our services
  • Any content obtained from our services
  • Unauthorized access, use, or alteration of your transmissions or content

14. Disclaimer of Warranties

Our website and app are provided on an "AS IS" and "AS AVAILABLE" basis without any warranties of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

We do not warrant that our services will be uninterrupted, timely, secure, or error-free, or that any defects will be corrected.

15. Indemnification

You agree to indemnify, defend, and hold harmless Onbrand Online LLC, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including attorney's fees) arising from:

  • Your use of our website or app
  • Your violation of this Privacy Policy or any applicable laws
  • Your violation of any rights of a third party
  • Any content you create, store, or display using our services

16. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the jurisdiction in which Onbrand Online LLC is registered, without regard to its conflict of law provisions.

17. Contact Us

If you have any questions about this Privacy Policy, your data, or wish to exercise any of your privacy rights, please contact us:

Onbrand Online LLC

Email: help@onbrand.online

Website: https://onbrand.online

We will respond to all legitimate requests within 30 days. Occasionally, it may take us longer if your request is particularly complex or you have made multiple requests.