Privacy Policy
Last updated: 9 November 2025
Who we are
GTM Assistant by WebGarh Solutions Private Limited ("GTM Assistant", "we", "us", "our") is a Shopify app and SaaS that helps merchants implement accurate, privacy‑respectful analytics and server‑side tracking.
This Policy explains how we process personal data for: (i) visitors to our site/docs, (ii) merchants and their staff, and (iii) end customers of merchants whose stores use our app.
1) Roles we play (Controller vs. Processor)
- Controller: For our websites, accounts, billing, support, demos, and our own product analytics.
- Processor/Service Provider: For merchant store data and end‑customer events sent through our app or server‑side endpoints; the merchant is the controller and we act on documented instructions.
2) What data we collect
A. Account, billing, and support (Controller)
Contact details (name, email), company details, billing info, plan, and communications (tickets, emails).
B. Service/Platform data (Processor)
- Shopify store metadata: store name, domain, IDs, app scopes.
- Ecommerce events: purchase/checkout/cart/page events with event IDs, timestamps, device/UA, IP (truncated/anonymized where configured), order IDs, product metadata, and attribution (UTMs).
- Consent signals: values exposed via Shopify Customer Privacy APIs / CMP.
- Server‑side events: GA4/Ads payload fields required to deliver measurement (e.g., de‑duplication IDs, campaign fields).
- Logs & diagnostics: error codes, rate‑limit flags, request IDs, success/fail states.
C. Google connections
If you connect Google properties, our use and transfer of Google information adheres to the Google API Services User Data Policy (Limited Use). We also prohibit sending PII to GA4/Ads via our product.
3) Sources of data
- Shopify APIs & Webhooks
- Shopify Web Pixel / Custom Pixel
- Our server‑side endpoints
- Forms, support tickets, demo requests
4) How we use data
A. Provide and secure the service (Processor)
Deliver tracking to your selected channels (e.g., GA4 MP, Meta CAPI), deduplicate events, enrich attribution, respect consent, monitor reliability, and generate diagnostics/health checks.
B. Product improvement & benchmarks (Controller)
We may use aggregated or de‑identified data to improve features and quality and to produce non‑identifying benchmarks. We never disclose merchant‑identifying or end‑customer‑identifying info in such outputs.
C. Communications
Service emails (critical updates, incident notices), onboarding, and product tips. You can opt out of non‑essential marketing.
5) Lawful bases & regional frameworks
- GDPR/UK GDPR: performance of a contract, legitimate interests (security, fraud prevention, diagnostics), and consent where required.
- CPRA/CCPA (California): we operate as a service provider for merchant data and honor consumer rights provided by law.
- India DPDP Act (2023): we process digital personal data for lawful purposes with consent or other permitted grounds; rights and duties are described below.
6) Cookies and similar technologies
We and our service providers use cookies and similar technologies for authentication, performance, analytics, and product experience. You can control cookies via browser settings or your site’s CMP; disabling some cookies may affect features.
7) Data sharing & sub‑processors
We use vetted infrastructure, analytics, logging, and support vendors (sub‑processors) to run the service. We disclose only what’s necessary under contractual confidentiality and security obligations. See our Sub‑processors & Data Residency page for vendor names, purposes, and regions.
8) Data residency, transfers, and safeguards
Our default server‑side processing region is India (India DC). Some merchants may opt into alternative routing where available (e.g., EU). Where data is transferred across borders, we use appropriate safeguards (e.g., SCCs for GDPR transfers) and apply comparable security protections.
9) Security
- In transit: TLS‑encrypted connections.
- At rest: encryption on managed cloud; access is role‑limited and audited.
- Operational controls: least‑privilege access, key rotation, logging, incident response.
10) Shopify deletion & data requests
We honor Shopify’s GDPR webhooks: customers/data_request, customers/redact, and shop/redact. When received, we locate relevant records and export or erase them as required, within Shopify’s timelines. Uninstalling the app also triggers Shopify’s deletion workflow for apps.
11) Your rights & choices
Depending on where you live, you may have rights to access, correct, delete, port, or object to certain processing under GDPR/UK GDPR, CPRA/CCPA, and India’s DPDP Act. If you’re an end customer of a Shopify merchant, please contact that merchant first; we act as their processor and will follow their instructions.
12) Data retention
- Processor data (merchant stores): retained only as long as needed to provide the service, fulfill legal obligations, resolve disputes, or enforce agreements. Short operational buffers may apply for logs/diagnostics.
- Controller data (accounts/billing/support): retained for business records and legal obligations; minimised where possible.
13) Children’s data
Our services are not directed to children under the age of 16 and we do not knowingly collect such data.
14) Changes to this Policy
We may update this Policy to reflect changes in laws, our services, or operational practices. We’ll post updates here and, if material, notify admins by email or in‑app.
15) Contact
Data Protection Contact / Grievance Officer (India)
WebGarh Solutions Pvt. Ltd.
8th Floor, Worldtech 67, Sector 67, Mohali – 160062, India
Email: privacy@webgarh.co.in
If you need this policy in another language, please contact us.