Privacy Policy

Last updated: May 7, 2026

1. Who we are

AOVbar ("we", "us", "our") is a Shopify app that displays a cart goal progress bar on your storefront. This policy explains what data we collect, why, and how we protect it.

2. Data we collect

Merchant data (store owners)

  • Shop domain — used to identify your store.
  • Access token — AES-256-GCM encrypted at rest; used only to make API calls you initiate (e.g. enabling the app embed block, creating subscriptions).
  • Email — fetched from Shopify at install, used for transactional communication (plan changes, important updates).
  • Billing plan — which AOVbar plan you are on and your Shopify subscription ID.

Storefront visitor data (your customers)

  • Cart value — the current cart total in cents, read from Shopify's public /cart.js endpoint. We never store individual cart contents or customer identity.
  • Anonymous session ID — a random string generated in sessionStorage and cleared when the browser tab closes. Used only to deduplicate analytics events within a single visit. We cannot link this to any individual customer.
  • Analytics events — widget_view and tier_reached events with the anonymous session ID, cart value in cents, and bar ID. No IP addresses, cookies, or personal identifiers are stored.

3. How we use data

  • To operate the app and display the progress bar on your storefront.
  • To calculate analytics (conversion rate, average cart value) shown in your dashboard.
  • To enforce plan limits (number of bars, tiers).
  • To process billing via Shopify's App Subscription API.

We do not sell, rent, or share your data with third parties for marketing purposes.

4. Data storage and security

  • Merchant data is stored in Supabase (PostgreSQL) hosted in the EU (Stockholm region).
  • Access tokens are encrypted with AES-256-GCM before storage.
  • All API communication uses HTTPS/TLS.
  • We do not store payment card information — billing is handled entirely by Shopify.

5. Data retention

  • Merchant data: retained for 30 days after you uninstall the app, then permanently deleted per Shopify's mandatory GDPR webhooks.
  • Analytics events: retained for 90 days, then automatically purged.

6. Your rights (GDPR)

If you are in the EU/EEA, you have the right to access, correct, or delete your personal data. To exercise these rights, email us at support@aovbar.com. We will respond within 30 days.

7. Third-party services

  • Shopify — app platform and billing. See Shopify's Privacy Policy.
  • Supabase — database hosting (EU region).
  • Vercel — hosting and CDN (serverless functions run in US East).
  • Sentry — error monitoring (no personal data in error reports).

8. Cookies

AOVbar does not set any cookies on your storefront. The widget uses sessionStorage (not cookies) for the anonymous session ID, which is never sent to our servers as a cookie.

9. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be announced via email to the merchant account.

10. Contact

Questions? Email us at support@aovbar.com.