Privacy Policy

1. Introduction

Astronaut Party Inc. ("we," "us," or "our") operates a software-as-a-service application that helps businesses optimize their marketing performance through cross-platform analytics combining Meta advertising, Google Ads, Microsoft Advertising, Northbeam attribution, Shopify e-commerce data, and first-party attribution tracking. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our service.

By using our service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, name, and authentication credentials when you create an account
• Third-Party Authentication Data: Basic profile information required for OAuth authentication with Meta, Google, and Microsoft (name, email, user ID)

2.2 Meta Business Data

When you connect your Meta account, we access and store:

• Meta Ads account data and performance metrics
• Meta Pages data associated with your Business Manager
• Meta Business Manager information
• Advertising campaign data, including ad performance, spend, and audience insights

We access this data through Meta's Marketing API using the following permissions:

• ads_read - To read your advertising data and performance metrics
• ads_management - To read and manage your ad campaigns, including pausing and resuming ads
• business_management - To access your Business Manager data and ad accounts
• catalog_management - To read and manage your product catalogs for dynamic and catalog-based ads
• pages_read_engagement - To read content and metadata from your Facebook Pages associated with ads
• pages_manage_ads - To create and manage ads associated with your Facebook Pages
• pages_show_list - To display the list of Facebook Pages you manage for account setup

2.3 Google Ads Data

When you connect your Google Ads account, we access and store:

• Google Ads campaign, ad group, and ad performance metrics
• Shopping and Performance Max asset group data
• Product-level performance metrics from Shopping campaigns
• Advertising spend, conversions, and impression data

We access this data through the Google Ads API using the following OAuth scope:

• https://www.googleapis.com/auth/adwords - To read and manage your Google Ads data

2.4 Microsoft Advertising Data

When you connect your Microsoft Advertising account, we access and store:

• Microsoft Advertising campaign, ad group, ad, and keyword performance metrics
• Advertising spend, impressions, clicks, conversions, and revenue data
• Account structure and campaign configuration data

We access this data through the Microsoft Advertising API using the following OAuth scope:

• https://ads.microsoft.com/msads.manage - To read campaign performance data and manage ad delivery (pause/resume)
• offline_access - To maintain access via refresh tokens without requiring re-authentication

2.5 Northbeam Data

When you connect your Northbeam account, we access and store:

• Attribution and marketing analytics data
• Cross-channel marketing performance metrics
• Customer journey and touchpoint data
• Revenue attribution data across marketing channels

We access this data through Northbeam's Data Export API to provide cross-platform attribution insights.

2.6 Shopify Data

When you connect your Shopify store, we access and store:

• Order and transaction data (including order ID, revenue, customer email for attribution matching)
• Product catalog data, variants, and collection information
• Inventory cost data for profitability analysis
• Customer purchase history (for attribution matching via one-way email hashing)

We access this data through Shopify's API using the following permissions:

• read_orders - To read your order data for attribution analysis
• read_products - To read your product catalog and variant data
• read_inventory - To read inventory cost data for profitability analysis

We also receive real-time data via Shopify webhooks for the following events:

• Order creation and updates (for attribution and revenue tracking)
• Refunds (for revenue adjustment)
• Customer data deletion requests (for GDPR compliance)
• Shop data deletion requests (when a merchant uninstalls our app)

2.7 Moonmap Attribution Tracking Data

When you enable first-party attribution tracking, we install a Shopify Web Pixel on your store that collects:

• Browsing events: Page views, product views, add-to-cart actions, checkout starts, and checkout completions
• Page and referrer URLs: To determine how visitors arrive at your store and navigate through it
• UTM parameters: Campaign source, medium, campaign name, content, and term from URL parameters
• Ad platform click IDs: fbclid (Meta), gclid (Google), msclkid (Microsoft) — collected only with marketing consent (consent tier 2)
• First-party cookie: A unique visitor identifier stored as a first-party cookie on your store domain (2-year expiry) for session and visitor tracking
• Email hash: Customer email addresses from Shopify orders are processed using one-way cryptographic hashing with a unique per-client key for attribution matching. Plaintext emails are never stored in the attribution system.

We implement a tiered consent model:

• Essential only: No tracking cookies or marketing identifiers collected
• Analytics: Cookie-based visitor identification and UTM parameter tracking
• Marketing: Ad platform click IDs (fbclid, gclid, msclkid) additionally collected

When a visitor downgrades their consent from Tier 2 to a lower tier, all previously collected click IDs are immediately cleared from their historical touchpoints.

2.8 Google Drive Data

When you connect your Google Drive account, we access:

• File metadata (name, size, MIME type) for files you explicitly select via Google's file picker
• File content for selected files, downloaded once at import time and stored as creative assets in our platform

We access this data using the following OAuth scope:

• https://www.googleapis.com/auth/drive.file - Per-file access only to the specific Google Drive files you explicitly select via Google's file picker. We do not have access to any other files in your Drive, and we cannot list, browse, or modify files you have not selected.

2.9 Usage and Analytics Data

• Service usage information collected through PostHog analytics
• Log data including IP addresses, browser type, and device information
• Cookies and similar tracking technologies necessary for service functionality
• Live chat conversations and support interactions via Crisp (including your email address when authenticated)

2.10 Data Sync Frequency

We sync with Meta's API, Google Ads API, Microsoft Advertising API, Northbeam's API, and Shopify's API on hourly, daily, and on-demand schedules to ensure your data is current. Shopify order data and attribution events are also received in real-time via webhooks and pixel event collection.

3. How We Use Your Information

We use your information solely to:

• Provide and improve our marketing analytics and campaign optimization services
• Authenticate your identity and manage your account
• Analyze and optimize your advertising performance across platforms
• Provide cross-platform attribution analysis combining data from Meta, Google Ads, Microsoft Advertising, Northbeam, and Shopify
• Provide first-party conversion attribution by connecting ad interactions to purchases
• Display your marketing and e-commerce data to you within our application
• Generate AI-powered insights and recommendations for your marketing campaigns
• Provide customer support via live chat
• Communicate with you about your account and our services
• Comply with legal obligations

We do not:

• Sell your data to third parties
• Use your data for purposes other than marketing analytics and campaign optimization
• Share your advertising or e-commerce data with other users or unauthorized parties
• Store plaintext customer email addresses in our attribution system (only one-way hashes)

4. Data Sharing and Disclosure

4.1 Sub-processors

We rely on the following sub-processors to operate the service. Each is bound by a data processing agreement and, where applicable, Standard Contractual Clauses for cross-border transfers (see Section 11):

• Supabase: Primary database hosting and authentication (US)
• Vercel: Application hosting and serverless infrastructure (US)
• PostHog: Product analytics (US) — only when you grant consent
• Crisp: Live chat support (EU) — only when you grant consent
• Resend: Transactional email delivery (US)
• Google AI (Gemini): AI-powered insight generation from your marketing data (US)
• Meta Marketing API, Google Ads API, Microsoft Advertising API: Ad platform data ingestion (when you connect the respective platform)
• Northbeam: Attribution data integration (when you connect Northbeam)
• Shopify: Order and store data ingestion (when you connect a Shopify store)
• Meta Pixel: On our public /earlyaccess landing page (US) — only when you grant consent

These providers are contractually obligated to protect your data and use it only for providing services to us. We update this list when we add, change, or remove a sub-processor.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental regulation, or to protect our rights, property, or safety.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

5. Platform Compliance

5.1 Meta Data Usage

• We comply with Meta's Platform Terms and Policies
• Meta advertising data is used exclusively for optimizing your campaigns
• We do not use Meta data to build or augment user profiles
• We do not transfer Meta data to any data broker or advertising network
• Your Meta data is only visible to you and authorized users of your account

5.2 Meta Data Retention

• We retain your Meta advertising data while your account is active
• Upon account deletion or disconnection from Meta, we immediately delete all associated Meta data from our systems

5.3 Google Ads Data Usage

• We comply with the Google API Services User Data Policy
• Google Ads data is used exclusively for analytics, reporting, and campaign optimization
• We do not use Google Ads data to build or augment user profiles for advertising purposes
• We do not transfer Google Ads data to any data broker or advertising network
• Your Google Ads data is only visible to you and authorized users of your account

5.4 Google Ads Data Retention

• We retain your Google Ads data while your account is active
• Upon account deletion or disconnection from Google Ads, we immediately delete all associated Google Ads data from our systems

5.5 Google Drive Data Usage

• We comply with the Google API Services User Data Policy
• Google Drive data is accessed only when you explicitly select files via Google's file picker, for importing as creative assets
• We do not modify, delete, or share your Google Drive files
• Your Google Drive data is only visible to you and authorized users of your account
• We do not use Google Drive data to train AI models, build user profiles, or for advertising purposes

5.6 Google Drive Data Retention

• We do not permanently store Google Drive file content — assets are imported to our platform storage upon selection
• Upon disconnection from Google Drive, we delete stored access credentials

5.7 Microsoft Advertising Data Usage

• We comply with the Microsoft Advertising API Terms of Use
• Microsoft Advertising data is used exclusively for analytics, reporting, and campaign optimization
• We do not use Microsoft Advertising data to build or augment user profiles for advertising purposes
• We do not transfer Microsoft Advertising data to any data broker or advertising network
• Your Microsoft Advertising data is only visible to you and authorized users of your account

5.8 Microsoft Advertising Data Retention

• We retain your Microsoft Advertising data while your account is active
• Upon account deletion or disconnection from Microsoft Advertising, we immediately delete all associated Microsoft Advertising data from our systems

5.9 Northbeam Data Usage

• We comply with Northbeam's API Terms of Service
• Northbeam data is used exclusively for attribution analysis and marketing optimization
• We do not transfer Northbeam data to any third parties except as required to provide our services
• Your Northbeam data is only visible to you and authorized users of your account

5.10 Northbeam Data Retention

• We retain your Northbeam data while your account is active
• Upon account deletion or disconnection from Northbeam, we immediately delete all associated Northbeam data from our systems

5.11 Shopify Data Usage

• We comply with Shopify's API Terms of Service and Partner Program Agreement
• Shopify order data is used exclusively for attribution analysis and e-commerce performance insights
• Shopify customer email addresses are processed for attribution matching using one-way cryptographic hashing with a unique per-client key — plaintext emails are never stored in our attribution system
• We do not use Shopify customer data for marketing or advertising purposes
• We do not transfer Shopify data to any third parties except as required to provide our services
• Your Shopify data is only visible to you and authorized users of your account
• We respond to Shopify GDPR webhooks (customer data deletion and shop data deletion) by immediately removing all associated personal data, including attribution tracking records

5.12 Shopify Data Retention

• We retain your Shopify data while your account is active
• Upon account deletion or disconnection from Shopify, we immediately delete all associated Shopify data from our systems
• Customer data is immediately deleted upon receiving a GDPR customer redaction webhook from Shopify

5.13 Moonmap Attribution Data Usage

• Attribution tracking data is used exclusively for first-party conversion attribution — connecting ad interactions to purchases
• Customer email addresses are processed using one-way cryptographic hashing — plaintext emails are never stored
• First-party cookies are used solely for visitor session tracking on your connected store
• Ad platform click IDs are only collected when the visitor has granted marketing consent (consent tier 2)
• When a visitor revokes marketing consent, all previously collected click IDs are immediately cleared from their historical data
• Consent change events are logged for GDPR audit purposes and preserved anonymously even after visitor data deletion
• Your attribution data is only visible to you and authorized users of your account

5.14 Moonmap Attribution Data Retention

• We retain your attribution tracking data while your account is active
• Upon account deletion, all associated attribution data is immediately and permanently deleted
• Upon receiving a GDPR customer deletion request via Shopify, all attribution data for that customer is immediately and permanently deleted, and the customer is added to a blocklist to prevent re-ingestion of their data

6. Data Retention and Deletion

6.1 Active Accounts

We retain your data while your account is active to provide our services.

6.2 Account Deletion

You can delete your account at any time through our user interface. Upon deletion:

• We immediately remove all your data, including Meta, Google Ads, Microsoft Advertising, Northbeam, Shopify, and attribution tracking data
• Your personal information and account data are permanently deleted
• We may retain certain information for legal compliance purposes only (e.g., financial records)

6.3 Deletion Requests

You can request data deletion by:

• Using the account deletion feature in our application
• Emailing us at data@astronautparty.com

We will process deletion requests immediately upon receipt.

7. Your Privacy Rights

7.1 European Users (GDPR)

If you are located in the European Union or United Kingdom, you have the following rights:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data
• Restriction: Request limitation of data processing
• Portability: Receive your data in a structured, machine-readable format. Logged-in users can self-serve via Settings → Privacy → Download my data, which exports a ZIP archive containing a JSON summary and per-section CSV files.
• Objection: Object to certain data processing activities
• Withdraw Consent: Withdraw consent for data processing at any time. You can do this immediately via the Cookie Preferences link in any page footer or in Settings → Privacy. Withdrawing consent triggers deletion of the corresponding data from our analytics and chat providers.

To exercise rights we do not yet automate (access, rectification, erasure, restriction, objection), contact us at data@astronautparty.com — we respond within 30 days as required by GDPR.

7.2 California Users (CCPA)

California residents have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of personal information
• Opt-out of the sale of personal information (Note: We do not sell personal information)
• Non-discrimination for exercising privacy rights

To submit a request, email data@astronautparty.com or use our in-app account deletion feature.

8. Cookies and Tracking Technologies

We use cookies and similar technologies in two distinct contexts:

8.1 On the Moonmap Platform (moonmap.ai)

We distinguish between essential and non-essential cookies:

Essential cookies (always active, do not require consent as they are strictly necessary for the service):

• Session authentication (Supabase)
• Selected workspace and brand
• Sidebar and UI preferences
• Unsaved changes tracking

Non-essential cookies and tracking (require your consent before being activated):

• PostHog product analytics (usage events, pageviews)
• Crisp in-app live chat support
• Meta Pixel on our public early-access landing page

When you first visit moonmap.ai, a consent banner appears asking you to either Accept All or choose Essential Only. The platform is fully functional with Essential Only — you simply won't have analytics or in-app chat.

Automatic Privacy-Signal Honoring: If your browser sends a Do-Not-Track (DNT) or Global Privacy Control (GPC) signal, we automatically apply Essential Only without showing the banner. The choice is recorded in our consent audit log with a via_privacy_signal flag. You can override at any time via the Cookie Preferences link in the page footer or in Settings → Privacy. This satisfies CPRA §1798.135 and analogous GDPR Article 7 expectations.

You can change your choice at any time by clicking Cookie Preferences in the footer of any page, or (for logged-in users) by visiting Settings → Privacy for granular per-service controls. Withdrawing consent triggers deletion of the corresponding third-party data (e.g., your historical PostHog events are deleted when you disable analytics).

8.2 On Our Clients' Shopify Stores

Our first-party attribution pixel (a visitor identification cookie) runs on Shopify stores of our clients, subject to the consent tier model described in Section 2.7. End-shoppers on those stores manage their consent via the store's own consent banner, not moonmap.ai.

9. Data Security

We implement appropriate technical and organizational security measures to protect your data, including:

• Encryption of data in transit and at rest
• Industry-standard encryption for all stored OAuth tokens and API credentials
• Unique per-client cryptographic keys for email hashing in attribution (preventing cross-client correlation)
• Secure authentication mechanisms
• Regular security assessments
• Access controls and monitoring
• Database-level access controls to enforce tenant isolation

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Children's Privacy

Our service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. Our primary infrastructure providers (Supabase, Vercel) host data in the United States.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2, controller-to-processor) to provide appropriate safeguards. Our sub-processors listed in Section 4 each have SCCs in place with us or offer equivalent protections.

Where required, we also implement supplementary technical and organizational measures (encryption in transit and at rest, access controls, audit logging) to protect transferred data.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• Emailing registered users (for significant changes)

Your continued use of our service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data protection inquiries from EU/UK users, you may also contact your local data protection authority.