Privacy Policy

Last updated: April 19, 2026

1. Who We Are

Eventabee is operated by HONEYBOUND LLC, an Arizona limited liability company with its principal place of business at 3101 N. Central Ave, Ste 183 #6958, Phoenix, Arizona 85012, United States ("honeybound", "Eventabee", "we", "us", or "our").

Eventabee is a server-side event tracking and consent management platform for Shopify merchants. This Privacy Policy explains how honeybound collects, uses, discloses, retains, and safeguards information in connection with the Eventabee application and related services (the "Service").

By installing or using the Service, you (the merchant) agree to this Privacy Policy. If you do not agree, do not install or use the Service.

2. Our Role: Processor, Not Controller

With respect to customer and end-user data originating from your Shopify store, you are the data controller / business and honeybound is a data processor / service provider acting on your documented instructions under the General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws.

Your use of the Service is also governed by the Data Processing Addendum ("DPA") incorporated into our Terms of Service, which forms a binding processor agreement under Article 28 GDPR.

With respect to merchant account information (store owner identity, billing, usage logs, support communications), honeybound is the controller.

3. Information We Process

3.1 Merchant Account Data (we are controller)

  • Shopify store domain (e.g., store.myshopify.com)
  • Shop owner name and email (as provided by Shopify)
  • Shopify plan tier and installation timestamp
  • Shopify offline access token (stored encrypted; never exposed in logs or APIs)
  • Billing records provided by Shopify Billing
  • Support correspondence and product usage logs

3.2 End-Customer Event Data (you are controller)

Through the Shopify web pixel, theme app embed, and Shopify webhooks, we process on your behalf:

  • Page views, product views, collection views, add-to-cart, checkout, and purchase events
  • Customer email address, phone number, name, and billing/shipping address (when available from Shopify)
  • Order identifiers, line items, order value, currency, discounts
  • Technical identifiers: IP address, user agent, browser/device, referrer, page URL
  • Marketing attribution: UTM parameters, ad click IDs (fbclid, gclid, ttclid, etc.)
  • Third-party cookie identifiers present on the storefront (Meta _fbp/_fbc, Google _ga, TikTok _ttp, etc.)

This information constitutes "Protected Customer Data" under Shopify's Protected Customer Data requirements. We access it only for the purposes stated below, limit access to the minimum necessary, and retain it only as long as required to deliver the Service.

3.3 Consent Management Data (you are controller)

When the consent banner is enabled on your storefront, we process:

  • Consent state per visitor across four categories: essential, functional, analytics, marketing
  • Geographic region (country, and US state where applicable), derived from the visitor IP via Cloudflare CF-IPCountry headers and MaxMind GeoLite2
  • Banner version identifier and timestamp of the visitor's choice
  • Banner impression analytics (aggregate display, accept, reject, and dismiss counts; no per-visitor profile)
  • Consent receipts (Business tier only): an audit record containing a one-way visitor_hash = SHA-256(shop_domain + IP + user_agent), the consent state, action, region, and banner version. We do not retain the raw IP address or user agent for receipts.

3.4 Information We Do Not Collect

We do not collect payment card data, Social Security numbers, or government identifiers. We do not use Shopify customer data to train AI models. We do not create cross-merchant profiles of end-customers.

4. Purposes and Legal Bases for Processing

Purpose | GDPR Legal Basis
Operate the Service, deliver events to configured destinations, process consent | Art. 6(1)(b) — contract with merchant; Art. 6(1)(f) — legitimate interests of merchant in marketing attribution
Billing, account administration, support | Art. 6(1)(b) — contract
Security, fraud prevention, abuse detection, rate limiting | Art. 6(1)(f) — legitimate interests in securing the Service
Compliance with Shopify mandatory webhooks and legal obligations | Art. 6(1)(c) — legal obligation
Marketing cookies, analytics cookies on end-customers in opt-in regions | Art. 6(1)(a) — consent (collected by the merchant through the consent banner)

5. How We Share and Disclose Data

5.1 Destination Platforms (at your direction)

We forward event data to third-party destinations that you configure and enable. We never forward data to a destination you have not enabled. Available destinations include:

  • Meta (Facebook/Instagram) — Conversions API with SHA-256 hashed PII
  • Google Analytics 4, Google Ads — Measurement Protocol / Enhanced Conversions
  • TikTok Events API — hashed PII
  • Pinterest Conversions API
  • Snapchat Conversions API
  • Klaviyo — customer and event data for email marketing
  • PostHog — product analytics
  • Segment — customer data platform events
  • Generic webhooks — JSON payloads to your chosen HTTPS endpoints
  • Custom destinations (Business tier) — merchant-defined endpoints configured with field mappings and optional raw JSON templates; validated against server-side request forgery (SSRF)

Data sent to a destination is governed by that destination's privacy practices once delivered. Data sent to a custom destination you define is under your sole control, and you are solely responsible for the security and lawful use of that endpoint.

Before transmission to advertising destinations, personally identifiable fields such as email and phone are normalized and hashed with SHA-256. Raw PII is not transmitted to Meta, Google, TikTok, Pinterest, or Snapchat.

5.2 Sub-Processors

honeybound engages the following sub-processors to operate the Service. We require each sub-processor to provide protections equivalent to those in this Privacy Policy and our DPA.

Sub-processor | Purpose | Location
Shopify Inc. | Source platform, webhooks, billing | Canada / US
Cloudflare, Inc. | DNS, CDN, DDoS protection, IP-country headers | Global
MaxMind, Inc. | GeoLite2 IP-to-region database (US state resolution for privacy-law routing) | US (local lookup)
US-based infrastructure provider | Application hosting, PostgreSQL, Redis | Arizona, United States
Zoho Corporation (ZeptoMail) | Transactional email (account notices, DSR responses) | US / EU
Destination platforms | As enabled by you (see §5.1) | Varies

We will provide notice of material sub-processor changes through in-app notification or by updating this page. You may object to a new sub-processor as set out in the DPA.

5.3 Legal Disclosures

We may disclose information where required by law, valid legal process, or to protect the rights, property, or safety of honeybound, our merchants, or the public. Where legally permitted, we will notify the affected merchant before disclosure.

5.4 Business Transfers

If honeybound is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this Privacy Policy or a comparable successor policy.

6. International Data Transfers

honeybound is based in the United States, and all Eventabee application servers, databases, and caches are hosted in Arizona, United States. Cloudflare provides global edge services (DNS, CDN, DDoS protection) that may cause transient processing of connection metadata in regions outside the US.

Where end-customers of your store reside in the European Economic Area, United Kingdom, or Switzerland, their Personal Data will be transferred to the United States in the course of operating the Service. For such transfers, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two and Module Three as applicable), and, where applicable, the UK International Data Transfer Addendum. These clauses are incorporated by reference into our DPA.

7. Data Retention

  • Event data — Retained per plan tier: Free: 1 day · Pro: 14 days · Business: 30 days. Automatically purged by a scheduled cleanup job.
  • Browser session cache — Redis TTL of 30 days, automatically expiring.
  • Shopify offline access tokens — Cached up to 30 days; invalidated on app uninstallation.
  • Consent state cookies — Stored on the visitor's browser; we do not replicate them server-side for non-Business plans.
  • Consent audit receipts (Business tier only) — Retained 365 days. Only the visitor_hash is stored; the raw IP and user agent are never retained.
  • Banner impression analytics — Aggregated rollups retained for the duration of the subscription.
  • Merchant account and billing records — Retained for the duration of the subscription and up to 7 years thereafter for tax, accounting, and legal compliance.
  • Security and audit logs — Up to 12 months.
  • Upon app uninstallation — Access tokens are invalidated immediately, Redis cache is cleared immediately, and all shop data is permanently deleted within 48 hours of Shopify's shop/redact webhook.

8. Consent Management and Consent Backfill

Eventabee provides a consent management platform that renders a consent banner on your storefront, determines the visitor's region, and gates each configured destination by consent category (essential, functional, analytics, marketing). Events are stored regardless of consent so that essential analytics remain available; fanout to non-consented destinations is suppressed.

Consent backfill (Business tier): when a visitor later grants consent (for example, initially rejected marketing and subsequently accepted), Eventabee may replay events stored within the plan's retention window to the newly-consented destinations, tagged as backfilled. This behavior is disclosed here so that merchants can in turn disclose it to their customers. Events outside the retention window are never replayed.

Where no explicit consent cookie is present, the pipeline falls back to Shopify's Customer Privacy API signals (analyticsProcessingAllowed, marketingAllowed).

9. "Sale" and "Sharing" Under US State Privacy Laws

The Eventabee Shopify web pixel declares sale_of_data = "enabled" because forwarding hashed customer identifiers and event data to advertising platforms for cross-context behavioral advertising can qualify as a "sale" or "share" under the CCPA/CPRA, the Colorado Privacy Act, the Virginia CDPA, the Connecticut CTDPA, and similar US state laws.

As the business / controller, the merchant is responsible for: disclosing this sale/share in the storefront privacy policy, honoring opt-out signals (including Global Privacy Control), and providing the "Do Not Sell or Share My Personal Information" link required by applicable law. Eventabee's consent banner is configured to support opt-out regions by default for the 19 US states with enacted privacy laws.

honeybound does not itself sell or share merchant account data for cross-context behavioral advertising.

10. Your Rights (Merchant) and End-Customer Rights

10.1 Merchant rights

As a merchant, you may access, correct, export, or delete your account data by emailing [email protected]. Uninstalling the app triggers deletion of all shop data within 48 hours.

10.2 End-customer rights (exercised through the merchant)

End-customers of your store should direct privacy requests to the merchant, who is the controller of that data. We support the following Shopify-mandated GDPR webhooks:

  • customers/data_request — we compile the requested end-customer data for the merchant to fulfill within 30 days.
  • customers/redact — we scrub personally identifiable fields from stored events while preserving non-identifying event metadata.
  • shop/redact — received 48 hours after uninstallation; triggers permanent deletion of all shop data.

Under GDPR, CCPA/CPRA, and comparable laws, end-customers may have rights to access, correct, delete, port, limit processing, opt out of sale/sharing, and not be discriminated against for exercising their rights. honeybound will reasonably assist merchants in responding to such requests.

11. Security

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Shopify access tokens are stored encrypted and never exposed in logs, error messages, or APIs.
  • Database connections use SSL; Redis connections use TLS where supported.
  • All webhook deliveries are HMAC-verified.
  • Custom destination URLs are validated against SSRF (server-side request forgery) before connection.
  • Session cookies are HMAC-signed with HttpOnly and Secure flags.
  • Access to production systems is restricted, logged, and protected by multi-factor authentication.
  • We maintain a documented incident-response plan and review dependencies regularly.

Breach notification: In the event of a personal data breach affecting your data, honeybound will notify you without undue delay and in any event within 72 hours of becoming aware, in accordance with GDPR Article 33 and our DPA.

12. Children

The Service is not directed to children under 16, and we do not knowingly process personal data of children under 16. Merchants must not use the Service to process data of children under 13 (COPPA) or under the applicable age of digital consent in the end-customer's jurisdiction without parental consent obtained by the merchant.

13. Automated Decision-Making

Eventabee does not engage in automated decision-making or profiling that produces legal or similarly significant effects concerning end-customers.

14. EU / UK Representative

Eventabee does not actively target merchants in the European Economic Area or United Kingdom. Where your use of the Service results in material processing of EU/EEA or UK resident data, you may request that honeybound appoint an Article 27 representative on reasonable notice by contacting [email protected].

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced through in-app notice or email to the merchant's contact address, and the "Last updated" date will be revised. Continued use of the Service after the effective date of an update constitutes acceptance of the updated policy.

16. Contact

For questions about this Privacy Policy, to exercise rights, or to submit a data request:

HONEYBOUND LLC
3101 N. Central Ave, Ste 183 #6958
Phoenix, Arizona 85012, United States
Email: [email protected]
Response time: within 30 days (within 72 hours for security incidents)