Privacy Policy — Pixly — Pixel for OpenAI Ads
Effective date: June 17, 2026 · Last updated: June 17, 2026
This Privacy Policy explains how Cilbe LLC ("Pixly," "we," "us") collects, uses, shares, and protects information in connection with the Pixly — Pixel for OpenAI Ads Shopify application (the "App").
Merchants install the App on their Shopify stores to measure advertising conversions for the OpenAI Ads platform. The App (a) installs the OpenAI Ads measurement pixel on the storefront and (b) sends conversion events to OpenAI through OpenAI's server-side Conversions API ("CAPI"), so ad attribution survives browser ad-blockers and cookie loss. It covers Merchants (store owners/staff) and store visitors / customers (shoppers). For shopper data we act as a processor / service provider for the Merchant (the controller / business).
1. Summary
- We store SHA-256 hashes of customer email addresses — we never store raw emails or other plaintext personal identifiers. A SHA-256 hash is a one-way fingerprint we cannot reverse.
- We collect storefront browsing events (page/product views), checkout events, and order/conversion data (order ID, value, currency, line items).
- To measure conversions, we transmit to OpenAI via the Conversions API: a hashed email plus order data and, where available, the order's country, city, and postal code, the customer's IP address, and browser user-agent — standard signals used to match conversions to ads (see §5).
- For logged-in shoppers, the storefront pixel also sends a hashed email to OpenAI on page/product views, not only at purchase (see §2.2).
- We encrypt your OpenAI CAPI key at rest with AES-256-GCM.
- We honor Shopify's three mandatory privacy webhooks.
- Sub-processors: Shopify, OpenAI, Neon, Vercel, Resend.
- We never sell personal information, never build cross-merchant profiles, and never use your data to train AI models.
2. What we collect, and why
2.1 Merchant account & configuration
Shop domain, shop ID, and Shopify OAuth session/token (to call the Admin API on your behalf); your OpenAI pixel ID; your OpenAI CAPI key (validated with OpenAI during setup, then stored encrypted with AES-256-GCM); app configuration/status; and a contact email for alerts. We request the Shopify scopes write_pixels, read_pixels, read_customer_events, read_orders, and read_themes. Access to customer email/address on an order is governed by Shopify Protected Customer Data approval, requested separately in the Partner Dashboard.
2.2 Storefront / customer-event data (browser pixel)
A web pixel installed via a Shopify theme app embed collects standard ad-measurement signals on page views, product views, and checkout events — event type, timestamp, page/product context, and the technical identifiers provided by the Shopify customer-events sandbox and the OpenAI Ads pixel. For shoppers who are logged in to the store, the pixel computes a SHA-256 hash of their email and sends it to OpenAI with these browsing events so OpenAI can associate them with the same customer; the raw email is never exposed in plaintext beyond the one-way hash. Browser collection is subject to the visitor's consent via Shopify's Customer Privacy / Consent API (see §4); when required consent is absent, the pixel does not fire.
2.3 Order / conversion data (server-side webhook)
On orders/create, Shopify sends the App the order. This is the conversion event. We process and transmit to OpenAI: the Shopify order ID (used as the deduplication event_id); order value, currency, and line items; a SHA-256 hash of the customer's email (the raw email is hashed immediately and never persisted); and, where present and permitted by your Protected Customer Data approval, the order's country, city, and postal/ZIP code, the customer's IP address, and browser user-agent. These location/device signals are sent only to OpenAI and only to improve conversion match rates. We do not store raw email addresses, customer names, phone numbers, or payment-card data.
2.4 Pixel-health & operational data
Per-event CAPI delivery status, event counts / monthly usage vs. plan, funnel and KPI aggregates, recent-event metadata, and the amount-units self-test result. An hourly job checks pixel health and raises in-app and/or email alerts. Health alerting is on every plan, including Free.
2.5 What we do NOT do
- We do not store raw/plaintext emails, customer names, phone numbers, or card data.
- We do not sell personal information or "share" it for cross-context behavioral advertising under CCPA/CPRA.
- We do not use Merchant or shopper data to train ML/AI models, and we do not build cross-merchant shopper profiles.
3. How we use data
To: install and operate the pixel + CAPI integration; send deduplicated conversions to OpenAI; power the in-app dashboard; detect and alert on pixel-health/measurement issues; enforce plan limits and billing via Shopify managed pricing; and provide support, security, and legal compliance. Lawful bases: performance of our contract with the Merchant and the legitimate interest of accurate ad measurement; for browser events, the visitor's consent as captured by the Merchant's Shopify consent configuration.
4. Customer consent
The App is consent-aware. The browser pixel integrates with Shopify's Customer Privacy / Consent API and only fires when the required consent (analytics, marketing, and sale-of-data) is present. Merchants are responsible for configuring their store's consent banner for their jurisdiction.
5. Third-party transfer to OpenAI (Conversions API)
This transfer is the App's core function. On a conversion (and, for logged-in shoppers, on browsing per §2.2) we transmit to OpenAI via the Conversions API: the SHA-256 hashed email (never the raw email), order/conversion data (order ID as event_id, value, currency, line items), and — where available and permitted — country, city, ZIP, IP address, and user-agent. OpenAI uses this to match and attribute conversions, under its own terms and privacy policy. We send only the minimum needed for conversion measurement.
6. Security
- In transit: all data over TLS/HTTPS.
- Secrets at rest: the OpenAI CAPI key is encrypted with AES-256-GCM (authenticated encryption), validated against OpenAI before storage.
- Minimization: emails are reduced to SHA-256 hashes at ingestion; raw emails are never written to durable storage.
- Access control: production access is restricted to authorized personnel.
No method of transmission or storage is perfectly secure.
7. Sub-processors
| Sub-processor | Function | Data it may receive |
|---|---|---|
| Shopify | Platform; source of store, event, and order data | Store/account data, storefront events, order data (incl. the order email, before hashing) |
| OpenAI | Destination ad-measurement platform (CAPI) | Hashed email + order data + (where available) country/city/ZIP, IP, user-agent |
| Neon | Managed PostgreSQL database | Merchant config, the encrypted CAPI key, SHA-256 email hashes, event/order metadata, aggregates |
| Vercel | App hosting / serverless compute | Data transiently processed while the App runs |
| Resend | Transactional email | Merchant alert-recipient email + alert content |
Data may be processed outside your jurisdiction (including the United States); where required, transfers use appropriate safeguards (e.g. Standard Contractual Clauses).
8. Data retention
Merchant config and the encrypted CAPI key are kept while the App is installed. Event/order/health records are kept for the period needed to provide the dashboard, metering, and measurement, then deleted or aggregated. On uninstall (app/uninstalled) we deactivate the integration. We delete or de-identify Merchant and shopper data within 30 days of uninstall or a valid shop/redact request, except limited records required for legal, accounting, or security obligations. Because we store only hashes (not raw emails), much shopper data we hold is already pseudonymized.
9. Shopify mandatory privacy webhooks (GDPR)
customers/data_request— we compile the data we hold for the provided identifiers (e.g. SHA-256 email hashes and related order/event metadata) and make it available to the Merchant to fulfill the shopper's access request.customers/redact— we delete the records associated with that shopper (the relevant email hash and associated event/order metadata).shop/redact— sent ~48h after uninstall; we delete the Merchant's store data, configuration, the encrypted CAPI key, and associated records.
10. Your rights
Shoppers: because we process shopper data on behalf of Merchants, direct privacy requests to the Merchant whose store you shopped on; the Merchant fulfills them via the webhooks in §9, which we honor. Subject to law (GDPR, CCPA/CPRA), data subjects may access, correct, delete, port, object to/restrict processing, and withdraw consent. We do not sell or share personal information as defined by CCPA/CPRA.
Merchants: access, export, correct, or delete your configuration data in-app or by contacting us; uninstalling triggers the deletion in §§8–9.
11. Children
The App is a business tool, not directed to children; we do not knowingly collect children's data.
12. Changes
We may update this policy; material changes update the "Last updated" date and, where appropriate, notify Merchants.
13. Contact
Company: Cilbe LLC
Email: privacy@pixlyads.com
Pixly — Pixel for OpenAI Ads is an independent application and is not affiliated with, endorsed by, or sponsored by OpenAI or Shopify. "OpenAI," "ChatGPT," and "Shopify" are trademarks of their respective owners.