Privacy Policy

Effective date: 07 Oct 2025

This Privacy Policy explains how Convomesh ("we", "us") collects, uses, shares, and protects information when merchants install our Shopify app or use our services, and when end users interact with sites or communications where our technology is present.

Who we are

Convomesh is provided by Melbourne Digital Group Pty Ltd (ABN 69640635561), an Australian company operating primarily on Google Cloud Platform. Registered address: Melbourne, VIC 3000, Australia. Our services include ingesting and processing Shopify commerce events (via Shopify webhooks and Google Pub/Sub), first‑party web events (Shopify Web Pixels), and email signals to deliver insights and automations.

Data we collect

• Merchant account data: shop domain, OAuth tokens, app configuration, billing tier.
• Commerce events: orders, fulfillments, refunds, checkouts (fields provided by Shopify). We prioritize identity by emailLower, phoneE164, then Shopify customer id.
• Web events (pixels): product views, cart events, checkout started, consent state, session IDs, user agent, IP (truncated/geo approximated where required).
• Operational metadata: timestamps, delivery statuses, retry and deduplication markers, system logs.

How we use data

• Provide and improve the service (dashboards, scoring, automations, diagnostics).
• Derive analytics and performance metrics (aggregated, de‑identified where possible).
• Ensure reliability and security (fraud/abuse detection, incident response).
• Comply with legal obligations and merchant contractual requirements.

Applicable laws

We process personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and where relevant, the EU/UK GDPR and the California CCPA/CPRA.

Legal bases

Where applicable, we rely on one or more of: performance of a contract (to provide the service), legitimate interests (to secure and improve the service), and consent (for web pixels where required by law).

Cookies and tracking

We use essential cookies and similar technologies necessary to operate the service and secure sessions. For details, see our Cookie Policy.

Data minimization and retention

• We process only the fields necessary for event normalization and the agreed use cases.
• Operational logs and metrics: retained for limited windows per environment for troubleshooting and SLOs.
• Commerce and web events: retained per merchant configuration and legal requirements; merchants can request deletion.

Sharing and sub‑processors

We don’t sell personal data. We use service providers to operate our platform. See our Sub‑processors list. If billing is enabled, Stripe may process payment data on our behalf.

Security

• Encryption in transit and at rest (provider‑managed keys); secret storage in Google Secret Manager.
• Principle of least privilege; service‑to‑service auth via OIDC and IAM roles; audit logging for data access.
• DDoS protections and rate limiting; replay/deduplication for webhook processing.

Your rights

We support GDPR/CCPA rights through Shopify’s GDPR topics (customers/data_request, customers/redact, shop/redact) and via direct requests from merchants or end users. See Data Requests for instructions or contact msango@convomesh.com.

• GDPR/UK GDPR (EEA/UK residents): access, rectification, erasure, restriction, portability, objection.
• CCPA/CPRA (California residents): right to know, delete, correct, and opt‑out of sale/share. We do not sell personal information. Submit requests via your merchant or msango@convomesh.com.

Controller vs Processor

For merchant customer data synced from Shopify, we act as a processor on behalf of the merchant (controller). For our own site analytics, account data, and service operations, we act as a controller. Our Data Processing Addendum applies when required by law.

International transfers

Data may be processed in regions where our cloud infrastructure or sub‑processors operate. We implement appropriate safeguards for cross‑border transfers where required by law.

Communications

You may opt out of non‑essential marketing emails by using the unsubscribe link in the message or contacting us. Service and transactional communications may still be sent. See Billing & Refund Policy for billing communications.

Children

Our services are not directed to children under 16 and we do not knowingly collect personal data from them.

Changes

We may update this policy from time to time. Material changes will be posted here with an updated effective date.

Contact

Legal entity: Melbourne Digital Group Pty Ltd (ABN 69640635561)
Registered address: Melbourne, VIC 3000, Australia
Email: msango@convomesh.com