Privacy Policy

1. Introduction

Astronaut Party Inc. ("we," "us," or "our") operates a software-as-a-service application that helps businesses optimize their marketing performance through cross-platform analytics combining Meta advertising, Google Ads, Microsoft Advertising, Northbeam attribution, Shopify e-commerce data, and first-party attribution tracking. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

By using our service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, name, and authentication credentials when you create an account
• Third-Party Authentication Data: Basic profile information required for OAuth authentication with Meta, Google, and Microsoft (name, email, user ID)

2.2 Meta Business Data

When you connect your Meta account, we access and store:

• Meta Ads account data and performance metrics
• Meta Pages data associated with your Business Manager
• Meta Business Manager information
• Advertising campaign data, including ad performance, spend, and audience insights

We access this data through Meta's Marketing API using the following permissions:

• ads_read - To read your advertising data and performance metrics
• ads_management - To read and manage your ad campaigns, including pausing and resuming ads
• business_management - To access your Business Manager data and ad accounts
• catalog_management - To read and manage your product catalogs for dynamic and catalog-based ads
• pages_read_engagement - To read content and metadata from your Facebook Pages associated with ads
• pages_manage_ads - To create and manage ads associated with your Facebook Pages
• pages_show_list - To display the list of Facebook Pages you manage for account setup

2.3 Google Ads Data

When you connect your Google Ads account, we access and store:

• Google Ads campaign, ad group, and ad performance metrics
• Shopping and Performance Max asset group data
• Product-level performance metrics from Shopping campaigns
• Advertising spend, conversions, and impression data

We access this data through the Google Ads API using the following OAuth scope:

• https://www.googleapis.com/auth/adwords - To read and manage your Google Ads data

2.4 Microsoft Advertising Data

When you connect your Microsoft Advertising account, we access and store:

• Microsoft Advertising campaign, ad group, ad, and keyword performance metrics
• Advertising spend, impressions, clicks, conversions, and revenue data
• Account structure and campaign configuration data

We access this data through the Microsoft Advertising API using the following OAuth scope:

• https://ads.microsoft.com/msads.manage - To read campaign performance data and manage ad delivery (pause/resume)
• offline_access - To maintain access via refresh tokens without requiring re-authentication

2.5 Northbeam Data

When you connect your Northbeam account, we access and store:

• Attribution and marketing analytics data
• Cross-channel marketing performance metrics
• Customer journey and touchpoint data
• Revenue attribution data across marketing channels

We access this data through Northbeam's Data Export API to provide cross-platform attribution insights.

2.6 Shopify Data

When you connect your Shopify store, we access and store:

• Order and transaction data (including order ID, revenue, customer email for attribution matching)
• Product catalog data, variants, and collection information
• Inventory cost data for profitability analysis
• Customer purchase history (for attribution matching via one-way email hashing)

We access this data through Shopify's API using the following permissions:

• read_orders - To read your order data for attribution analysis
• read_products - To read your product catalog and variant data
• read_inventory - To read inventory cost data for profitability analysis

We also receive real-time data via Shopify webhooks for the following events:

• Order creation and updates (for attribution and revenue tracking)
• Refunds (for revenue adjustment)
• Customer data deletion requests (for GDPR compliance)
• Shop data deletion requests (when a merchant uninstalls our app)

2.7 Moonmap Attribution Tracking Data

When you enable first-party attribution tracking, we install a Shopify Web Pixel on your store that collects:

• Browsing events: Page views, product views, add-to-cart actions, checkout starts, and checkout completions
• Page and referrer URLs: To determine how visitors arrive at your store and navigate through it
• UTM parameters: Campaign source, medium, campaign name, content, and term from URL parameters
• Ad platform click IDs: fbclid (Meta), gclid (Google), msclkid (Microsoft) — collected only with marketing consent (consent tier 2)
• First-party cookie: A unique visitor identifier stored as a first-party cookie on your store domain (2-year expiry) for session and visitor tracking
• Email hash: Customer email addresses from Shopify orders are processed using one-way cryptographic hashing with a unique per-client key for attribution matching. Plaintext emails are never stored in the attribution system.

We implement a tiered consent model:

• Essential only: No tracking cookies or marketing identifiers collected
• Analytics: Cookie-based visitor identification and UTM parameter tracking
• Marketing: Ad platform click IDs (fbclid, gclid, msclkid) additionally collected

When a visitor downgrades their consent from Tier 2 to a lower tier, all previously collected click IDs are immediately cleared from their historical touchpoints.

2.8 Google Drive Data

When you connect your Google Drive account, we access:

• Files and folder metadata for browsing and selection
• File content for importing creative assets into the platform

We access this data using the following OAuth scope:

• https://www.googleapis.com/auth/drive.readonly - Read-only access to your Google Drive files. We do not modify or delete any files in your Drive.

2.9 Usage and Analytics Data

• Service usage information collected through PostHog analytics
• Log data including IP addresses, browser type, and device information
• Cookies and similar tracking technologies necessary for service functionality
• Live chat conversations and support interactions via Crisp (including your email address when authenticated)

2.10 Data Sync Frequency

We sync with Meta's API, Google Ads API, Microsoft Advertising API, Northbeam's API, and Shopify's API on hourly, daily, and on-demand schedules to ensure your data is current. Shopify order data and attribution events are also received in real-time via webhooks and pixel event collection.

3. How We Use Your Information

We use your information solely to:

• Provide and improve our marketing analytics and campaign optimization services
• Authenticate your identity and manage your account
• Analyze and optimize your advertising performance across platforms
• Provide cross-platform attribution analysis combining data from Meta, Google Ads, Microsoft Advertising, Northbeam, and Shopify
• Provide first-party conversion attribution by connecting ad interactions to purchases
• Display your marketing and e-commerce data to you within our application
• Generate AI-powered insights and recommendations for your marketing campaigns
• Provide customer support via live chat
• Communicate with you about your account and our services
• Comply with legal obligations

We do not:

• Sell your data to third parties
• Use your data for purposes other than marketing analytics and campaign optimization
• Share your advertising or e-commerce data with other users or unauthorized parties
• Store plaintext customer email addresses in our attribution system (only one-way hashes)

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share limited data with the following categories of service providers:

• Supabase: Database hosting and authentication services
• Vercel: Application hosting and serverless infrastructure
• PostHog: Analytics platform for understanding service usage
• Resend: Transactional email delivery (account notifications, reports)
• Google AI (Gemini): AI-powered insights generation from your marketing data
• Crisp: Live chat support platform

These providers are contractually obligated to protect your data and use it only for providing services to us.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or to protect our rights, property, or safety.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

5. Platform Compliance

5.1 Meta Data Usage

• We comply with Meta's Platform Terms and Policies
• Meta advertising data is used exclusively for optimizing your campaigns
• We do not use Meta data to build or augment user profiles
• We do not transfer Meta data to any data broker or advertising network
• Your Meta data is only visible to you and authorized users of your account

5.2 Meta Data Retention

• We retain your Meta advertising data while your account is active
• Upon account deletion or disconnection from Meta, we immediately delete all associated Meta data from our systems

5.3 Google Ads Data Usage

• We comply with the Google API Services User Data Policy
• Google Ads data is used exclusively for analytics, reporting, and campaign optimization
• We do not use Google Ads data to build or augment user profiles for advertising purposes
• We do not transfer Google Ads data to any data broker or advertising network
• Your Google Ads data is only visible to you and authorized users of your account

5.4 Google Ads Data Retention

• We retain your Google Ads data while your account is active
• Upon account deletion or disconnection from Google Ads, we immediately delete all associated Google Ads data from our systems

5.5 Google Drive Data Usage

• We comply with the Google API Services User Data Policy
• Google Drive data is accessed exclusively in read-only mode for importing creative assets
• We do not modify, delete, or share your Google Drive files
• Your Google Drive data is only visible to you and authorized users of your account

5.6 Google Drive Data Retention

• We do not permanently store Google Drive file content — assets are imported to our platform storage upon selection
• Upon disconnection from Google Drive, we delete stored access credentials

5.7 Microsoft Advertising Data Usage

• We comply with the Microsoft Advertising API Terms of Use
• Microsoft Advertising data is used exclusively for analytics, reporting, and campaign optimization
• We do not use Microsoft Advertising data to build or augment user profiles for advertising purposes
• We do not transfer Microsoft Advertising data to any data broker or advertising network
• Your Microsoft Advertising data is only visible to you and authorized users of your account

5.8 Microsoft Advertising Data Retention

• We retain your Microsoft Advertising data while your account is active
• Upon account deletion or disconnection from Microsoft Advertising, we immediately delete all associated Microsoft Advertising data from our systems

5.9 Northbeam Data Usage

• We comply with Northbeam's API Terms of Service
• Northbeam data is used exclusively for attribution analysis and marketing optimization
• We do not transfer Northbeam data to any third parties except as required to provide our services
• Your Northbeam data is only visible to you and authorized users of your account

5.10 Northbeam Data Retention

• We retain your Northbeam data while your account is active
• Upon account deletion or disconnection from Northbeam, we immediately delete all associated Northbeam data from our systems

5.11 Shopify Data Usage

• We comply with Shopify's API Terms of Service and Partner Program Agreement
• Shopify order data is used exclusively for attribution analysis and e-commerce performance insights
• Shopify customer email addresses are processed for attribution matching using one-way cryptographic hashing with a unique per-client key — plaintext emails are never stored in our attribution system
• We do not use Shopify customer data for marketing or advertising purposes
• We do not transfer Shopify data to any third parties except as required to provide our services
• Your Shopify data is only visible to you and authorized users of your account
• We respond to Shopify GDPR webhooks (customer data deletion and shop data deletion) by immediately removing all associated personal data, including attribution tracking records

5.12 Shopify Data Retention

• We retain your Shopify data while your account is active
• Upon account deletion or disconnection from Shopify, we immediately delete all associated Shopify data from our systems
• Customer data is immediately deleted upon receiving a GDPR customer redaction webhook from Shopify

5.13 Moonmap Attribution Data Usage

• Attribution tracking data is used exclusively for first-party conversion attribution — connecting ad interactions to purchases
• Customer email addresses are processed using one-way cryptographic hashing — plaintext emails are never stored
• First-party cookies are used solely for visitor session tracking on your connected store
• Ad platform click IDs are only collected when the visitor has granted marketing consent (consent tier 2)
• When a visitor revokes marketing consent, all previously collected click IDs are immediately cleared from their historical data
• Consent change events are logged for GDPR audit purposes and preserved anonymously even after visitor data deletion
• Your attribution data is only visible to you and authorized users of your account

5.14 Moonmap Attribution Data Retention

• We retain your attribution tracking data while your account is active
• Upon account deletion, all associated attribution data is immediately and permanently deleted
• Upon receiving a GDPR customer deletion request via Shopify, all attribution data for that customer is immediately and permanently deleted, and the customer is added to a blocklist to prevent re-ingestion of their data

6. Data Retention and Deletion

6.1 Active Accounts

We retain your data while your account is active to provide our services.

6.2 Account Deletion

You can delete your account at any time through our user interface. Upon deletion:

• We immediately remove all your data, including Meta, Google Ads, Microsoft Advertising, Northbeam, Shopify, and attribution tracking data
• Your personal information and account data are permanently deleted
• We may retain certain information for legal compliance purposes only (e.g., financial records)

6.3 Deletion Requests

You can request data deletion by:

• Using the account deletion feature in our application
• Emailing us at data@astronautparty.com

We will process deletion requests immediately upon receipt.

7. Your Privacy Rights

7.1 European Users (GDPR)

If you are located in the European Union or United Kingdom, you have the following rights:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data
• Restriction: Request limitation of data processing
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to certain data processing activities
• Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, contact us at data@astronautparty.com.

7.2 California Users (CCPA)

California residents have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of personal information
• Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-discrimination for exercising privacy rights

To submit a request, email data@astronautparty.com or use our in-app account deletion feature.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• User authentication and session management
• Service functionality and performance
• Analytics through PostHog to improve our service
• Live chat functionality via Crisp
• First-party attribution tracking via our Shopify Web Pixel (a visitor identification cookie on your connected store, subject to the consent tier model described in Section 2.7)

You can control cookies through your browser settings, but disabling cookies may affect service functionality. Attribution tracking consent is managed through your Shopify store's consent banner.

9. Data Security

We implement appropriate technical and organizational security measures to protect your data, including:

• Encryption of data in transit and at rest
• Industry-standard encryption for all stored OAuth tokens and API credentials
• Unique per-client cryptographic keys for email hashing in attribution (preventing cross-client correlation)
• Secure authentication mechanisms
• Regular security assessments
• Access controls and monitoring
• Database-level access controls to enforce tenant isolation

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

Our service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• Emailing registered users (for significant changes)

Your continued use of our service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries from EU/UK users, you may also contact your local data protection authority.