Privacy Policy
Dernière mise à jour : Last updated: 07/04/2026
Fullmetrix ("we", "our") operates the fullmetrix.com platform. This privacy policy describes how we collect, use and protect your personal data when you use our service.
Data collected
Account data
When you register, we collect:
- First and last name
- Email address
- Password (stored in encrypted form)
- Organization name
E-commerce data
When you connect your store (Shopify, WooCommerce, PrestaShop), we access the following data through their APIs:
- Orders (amounts, statuses, dates, ordered products)
- Customers (names, emails, addresses, purchase history)
- Products (names, prices, categories, stock)
- Promo codes and discounts
- Refunds
Tracking data
If you enable visitor tracking on your site, we anonymously collect:
- Pages visited and browsing paths
- Device type, browser and language
- Traffic source (referrer)
- Conversion events (add to cart, checkout, purchase)
- Anonymous visitor identifier (first-party cookie)
Connection data
When you connect third-party services (Meta Ads, Google Ads, Google Analytics 4, Google Search Console, Google Merchant Center, TikTok Ads, Slack, WhatsApp), we store the OAuth access tokens and refresh tokens required for the integrations to function. We never store your passwords for these services.
Data usage
Your data is used exclusively for:
- Providing dashboards and analytics for your e-commerce activity
- Generating automated reports
- Syncing your advertising audiences (Meta, Google, TikTok)
- Sending notifications via configured channels (email, Slack, WhatsApp)
- Improving the service and fixing bugs
Data sharing
We never sell your data. We only share it with:
- Your connected platforms : data is sent back to services you have explicitly connected (e.g. Meta Ads audiences)
- Hosting provider : our infrastructure is hosted in the European Union
- Transactional email : third-party service for sending service emails
Storage and security
- Data is stored on servers located in the European Union
- Third-party API access tokens are encrypted (AES-256-GCM)
- Passwords are hashed with a secure hashing algorithm
- Communications are encrypted via HTTPS/TLS
- Plugin authentication uses HMAC-SHA256
Data retention
- Account data : retained as long as your account is active
- E-commerce data : retained as long as the connection is active. Cascade deleted upon disconnection
- Tracking data : retained for a maximum of 24 months
- Access tokens : deleted upon service disconnection
- Google OAuth tokens : refresh tokens are stored encrypted (AES-256-GCM) for the duration of the integration. They are permanently deleted when you disconnect the Google service. Access tokens are short-lived and refreshed automatically
Your rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR), you have the following rights:
- Access : obtain a copy of your personal data
- Rectification : correct inaccurate data
- Deletion : request deletion of your data
- Portability : receive your data in a structured format
- Objection : object to the processing of your data
- Restriction : restrict the processing of your data
To exercise these rights, contact us at . We respond within 30 days.[email protected]
Cookies
We use strictly necessary cookies for the service to function (authentication session). We do not use advertising cookies or third-party tracking. See our for more details.Cookie Policy
Subprocessors
| Subprocessor | Usage | Location |
|---|---|---|
| EU Hosting | Server and database hosting | European Union |
| Email service | Transactional emails | United States |
| Shopify | E-commerce API (if connected) | Canada |
| Meta | Advertising API (if connected) | United States |
| Google Ads | Advertising reporting and audience sync (if connected) | United States |
| Google Analytics 4 | Web analytics (read-only, if connected) | United States |
| Google Search Console | Search performance (read-only, if connected) | United States |
| Google Merchant Center | Product feeds (read-only, if connected) | United States |
| TikTok | Advertising API (if connected) | Singapore |
Changes
We may update this policy. In case of substantial changes, we will notify you by email or via an in-app notification.
Shopify Integration and E-commerce Data
When you connect your Shopify store to Fullmetrix, we access certain store data through the Shopify API to provide our analytics services.
Data collected via Shopify
- Orders (number, amount, status, date, items)
- Customers (name, email, phone, address)
- Products (name, price, stock, categories)
- Discount codes (code, discount type, usage)
- Refunds (amount, reason, date)
Web Pixel (checkout tracking)
Fullmetrix installs a web pixel on your store to track checkout events (start, completion, contact info). This pixel runs in Shopify's strict sandbox mode and sends data via sendBeacon. Data collected includes: visitor ID, session ID, total amount, cart items, customer email and phone (if provided during checkout).
GDPR Compliance
Fullmetrix processes customer data deletion requests, data export requests, and shop deletion requests in compliance with Shopify's requirements. Personal data is anonymized or deleted within 30 days of the request.
Data Retention
Your store data is retained as long as your account is active. If you uninstall the Shopify app, data is deleted per Shopify's GDPR obligations (48 hours after uninstall). If the subscription is cancelled, data is retained for 90 days then deleted.
Google API Services
Fullmetrix connects to several Google API services to provide analytics and advertising features. This section describes what data is accessed, how it is used, and how it is protected.
Fullmetrix's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Google Analytics 4 (read-only)
- Account and property listing
- Traffic reports (sessions, users, page views)
- Conversion and event data
- Audience and demographic reports
Google Ads (read and write)
Read access:
- Campaign performance (impressions, clicks, cost, conversions)
- Ad group and keyword reporting
- Shopping product reporting
- Account structure and settings
Write access (audience sync only):
- Creation and deletion of Customer Match user lists
- Upload of hashed customer data (SHA-256 hashed email addresses) to your user lists for advertising audience targeting
Email addresses are hashed locally using SHA-256 before being sent to Google. Fullmetrix never sends plain-text customer emails to Google Ads.
Google Merchant Center (read-only)
- Account listing
- Product feed data and status
- Product images for display in dashboards
Google Search Console (read-only)
- Site listing and verification status
- Search performance data (queries, clicks, impressions, position)
- Page-level performance reports
Token storage and revocation
OAuth refresh tokens for Google services are stored encrypted (AES-256-GCM) on our EU-hosted servers. Tokens are permanently deleted when you disconnect the corresponding Google service from your Fullmetrix account. You can also revoke access at any time from your Google Account permissions page.
We do not sell, share, or use Google user data for advertising purposes, profiling, or any purpose other than providing the Fullmetrix analytics features described above.
