Privacy Policy

This policy explains how EcomPulse AS collects, uses, and protects your personal data when you use the EcomHero platform.

Last updated: May 25, 2026 · Applies to: app.ecomhero.io · Governed by: GDPR / Norwegian law


1. Who We Are

EcomHero is a profit-focused analytics platform for e-commerce businesses, operated by:

EcomPulse AS
Sofienberggata 3D, 0551 Oslo, Norway
Organisation number: 936 175 678
Contact: henrik@ecomhero.io

EcomPulse AS is the data controller for all personal data processed through the EcomHero platform. We are subject to the General Data Protection Regulation (GDPR) as implemented in Norwegian law via the EEA Agreement.


2. Data We Collect

When you create an account and use EcomHero, we collect the following categories of personal data:

Account information

  • Full name
  • Email address
  • Business name and relevant business details you provide

Payment information

EcomHero uses a third-party payment processor (Stripe Payments Europe, Limited) to handle billing for merchants who subscribe directly with us, while subscriptions purchased through the Shopify App Store are billed by Shopify under its own terms. We do not store any credit card numbers, bank account details, or other payment card data on our servers. All payment data is processed and stored directly by the relevant payment processor under their own privacy policy and PCI-DSS compliance programme.

Usage data

  • Login timestamps and IP addresses
  • Platform usage patterns (pages visited, features used)
  • Technical diagnostics and error logs

Connected-store data

When you connect a Shopify or WooCommerce store to EcomHero, we receive order data from that store — including your end customers’ names, email addresses, shipping addresses, and order contents (line items, totals, currency). This data is used to calculate store-level metrics such as profitability, cohorts, and customer lifetime value. For this category of data, EcomPulse AS acts as a data processor on your behalf; you, the store owner, remain the data controller. Processing is governed by the data processing terms you accept when connecting your store.

OAuth tokens

When you connect a third-party integration (Meta, Google, Microsoft, Klaviyo, Shopify, WooCommerce), EcomHero stores the OAuth refresh tokens issued by that provider so we can keep the connection alive. Tokens are encrypted at rest on our EU infrastructure and are used solely to obtain short-lived access tokens for the scopes you granted.


3. Integrations

EcomHero connects to your advertising, analytics, email, and store platforms through their official APIs using OAuth 2.0. You grant each integration explicitly; the scopes below are requested only for the platforms you choose to connect, and you can revoke access at any time from within the provider (or by disconnecting the integration inside EcomHero).

For every integration, the same principles apply:

  • We use granted access only to provide the features of EcomHero — displaying your performance data and executing actions you explicitly trigger.
  • We do not perform write actions on your connected accounts without your instruction.
  • We do not sell, rent, or transfer data obtained through these integrations to any third party, except the subprocessors listed in Section 5 and only for the purposes described there.

Revoking access at the provider will stop EcomHero from retrieving updated data, but will not automatically delete data already stored in our system. See Section 7 for your deletion rights.

3.1 Meta (Facebook & Instagram Ads)

Scopes: ads_read, ads_management, business_management, pages_show_list, pages_read_engagement.

What we store: ad account, campaign, ad set, ad, and creative metadata plus performance metrics (impressions, spend, clicks, results, audience-level summaries) for the accounts you connect.

What we do with this access: display your ad performance inside EcomHero, and — on your instruction — pause or enable campaigns, ad sets, and ads, update daily budgets, and submit ad drafts to your Meta ad account.

Revoke: Meta Business Settings → Business integrations → remove EcomHero.

3.2 Google (Ads, Analytics 4, Search Console)

EcomHero connects to Google Ads, Google Analytics 4 (GA4), and Google Search Console on your behalf. You grant these scopes explicitly; you can revoke at any time at https://myaccount.google.com/permissions or by disconnecting the integration inside EcomHero.

Scopes requested and why:

  • https://www.googleapis.com/auth/adwords — Google Ads API. Used to read campaign, ad group, asset group, keyword, search term, conversion, and impression-share performance from accounts you choose, and — with your confirmation — to pause or enable campaigns and ad groups and update campaign daily budgets when you act on a recommendation in EcomHero.
  • https://www.googleapis.com/auth/analytics.readonly — GA4 Data API. Read-only access used to pull channel, event, page, and realtime traffic metrics from GA4 properties you select.
  • https://www.googleapis.com/auth/webmasters.readonly — Search Console API. Read-only access used to pull search analytics (queries, pages, clicks, impressions, CTR, position) for properties you select.

What we store: aggregated advertising, analytics, and search performance data at the account, campaign, ad group, keyword, landing-page, and daily level for the accounts you connect.

Limited Use. EcomHero’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not:

  • sell, rent, or transfer Google user data to third parties;
  • use Google user data to serve ads;
  • use Google user data for purposes unrelated to the features you have signed up for;
  • allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised.

AI processing: when generating recommendations, aggregated, non-personally-identifiable business metrics derived from Google data (e.g. spend, clicks, conversions, ROAS at the campaign level) may be sent to our AI subprocessor (Anthropic PBC). We do not send Google user identifiers, email addresses, or raw event-level data to Anthropic.

Revoke: https://myaccount.google.com/permissions, or disconnect the integration inside EcomHero.

3.3 Microsoft (Bing) Ads

Scopes: openid, offline_access, https://ads.microsoft.com/msads.manage.

What we store: campaign, ad group, and performance data for the accounts you connect.

What we do with this access: display your Microsoft Advertising performance inside EcomHero, and — on your instruction — update campaign and ad-group settings.

Revoke: Microsoft account → Privacy → Apps and services that can access your data.

3.4 Klaviyo

Scopes: accounts:read, campaigns:read, campaigns:write, flows:read, lists:read, metrics:read, forms:read, templates:read, templates:write.

What we store: account, campaign, flow, list, metric, form, and template metadata plus campaign and flow performance reports for the accounts you connect.

What we do with this access: display your Klaviyo performance inside EcomHero. The campaigns:write and templates:write scopes are requested so that planned authoring features will work without reconnecting, but EcomHero does not currently exercise those write scopes.

Revoke: Klaviyo account → Settings → API Keys → remove the EcomHero integration.

3.5 Shopify

Scopes: read_orders, read_all_orders, read_products, read_inventory.

read_all_orders is required because EcomHero is an analytics platform that needs the full order history beyond Shopify’s default 60-day window to compute cohort analysis, customer lifetime value, and historical performance trends.

What we store: order history, product catalogue, and inventory state from the store(s) you connect. Order data includes your end customers’ names, email addresses, shipping addresses, and order line items; for this data EcomPulse AS acts as a data processor on your behalf (see Section 2).

GDPR obligations: EcomHero implements Shopify’s mandatory GDPR webhooks — customers/data_request, customers/redact, and shop/redact — so that data-access and erasure requests originating from Shopify reach EcomHero and are acted upon.

What we do with this access: display store and order metrics inside EcomHero and compute profitability, cohort, and lifetime-value views.

Revoke: Shopify admin → Apps → uninstall EcomHero. Uninstalling triggers the Shopify redact webhooks.

3.6 WooCommerce

Scopes: read_write (WooCommerce does not offer a read-only scope above read).

What we store: order history, product catalogue, inventory state, and system-status reports from the store(s) you connect. As with Shopify, order data includes your end customers’ names, email addresses, shipping addresses, and order line items, processed by EcomPulse AS as a data processor.

What we do with this access: display store and order metrics inside EcomHero. Although the read_write scope is granted (because WooCommerce does not expose a narrower equivalent), EcomHero does not currently call any WooCommerce write endpoints.

Revoke: WordPress admin → WooCommerce → Settings → Advanced → REST API → revoke the EcomHero key.


4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases under GDPR:

  • To provide the EcomHero service (legal basis: performance of a contract) — account management, displaying your analytics, executing ad management actions you request
  • To process payments (legal basis: performance of a contract) — billing for your subscription via our payment processor
  • To communicate with you (legal basis: legitimate interest) — service notifications, product updates, and support responses
  • To improve the platform (legal basis: legitimate interest) — aggregated, anonymised usage analytics to understand how the platform is used
  • To comply with legal obligations (legal basis: legal obligation) — accounting, tax records, and other statutory requirements under Norwegian law

5. Third Parties & Subprocessors

EcomHero shares data with the following categories of third-party service providers, solely to operate the platform:

  • Hetzner Online GmbH — infrastructure and database hosting (EU-based servers). Your account data, connected-integration data, and OAuth tokens (encrypted at rest) are stored here.
  • Anthropic PBC — AI analysis features. We send aggregated, non-personally-identifiable business metrics (such as ad performance summaries and sales aggregates) to Anthropic’s API to generate insights. We do not send your name, email, or any directly identifying information to Anthropic.
  • Stripe Payments Europe, Limited — subscription billing for merchants who subscribe directly with EcomHero. Stripe acts as merchant of record and processes payment details directly; we receive only the limited billing information needed to manage your subscription.
  • Shopify — for merchants who install EcomHero through the Shopify App Store, subscription billing is handled entirely by Shopify through the Shopify Billing API. Payment data is processed by Shopify under its own terms and is never shared with us or with Stripe.
  • Meta Platforms, Inc. — Marketing API, per Section 3.1.
  • Google LLC / Google Ireland Limited — Google Ads API, GA4 Data API, and Search Console API, per Section 3.2.
  • Microsoft Corporation — Microsoft Advertising API, per Section 3.3.
  • Klaviyo, Inc. — Klaviyo API, per Section 3.4.
  • Shopify International Ltd. — Shopify Admin API and associated GDPR webhooks, per Section 3.5.
  • Your WooCommerce store host — for WooCommerce integrations, the data source is your own WordPress/WooCommerce installation, not a separate SaaS subprocessor, per Section 3.6.

We do not sell your personal data to any third party. We do not use your data for advertising purposes.

All subprocessors are subject to data processing agreements and are required to handle your data in compliance with GDPR.


6. Data Retention

We retain your personal data and associated ad performance data for as long as your EcomHero account is active. When you cancel your subscription or request account deletion:

  • Your account and associated data will be permanently deleted within 30 days of your request or subscription end date
  • Certain records (such as billing and transaction history) may be retained for up to 5 years to comply with Norwegian accounting and tax legislation

Backups containing your data may persist for up to 30 additional days following deletion before being purged from backup storage.


7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data (“right to be forgotten”)
  • Right to restriction — request that we restrict processing of your data in certain circumstances
  • Right to data portability — request your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest

How to exercise your rights: Send your request by email to henrik@ecomhero.io with the subject line “Data Request — [your name]”. We will respond within 30 days. We may ask you to verify your identity before processing the request.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Norwegian data protection authority:

Datatilsynet
Postboks 458 Sentrum, 0105 Oslo
www.datatilsynet.no


8. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These measures include:

  • Encrypted data transmission (TLS/HTTPS) for all communications with the platform
  • Access controls limiting data access to authorised personnel only
  • Regular security reviews of our infrastructure and code
  • EU-based hosting infrastructure through Hetzner

No method of transmission over the internet or electronic storage is 100% secure. If you believe your account security has been compromised, please contact us immediately at henrik@ecomhero.io.


9. Cookies

EcomHero uses cookies and similar technologies to maintain your session (keeping you logged in) and to understand how the platform is used. We do not use third-party advertising cookies or tracking pixels.

You can control cookie settings through your browser. Note that disabling session cookies will prevent you from logging in to the platform.


10. Contact Us

For any questions, requests, or concerns regarding this privacy policy or how we handle your data, please contact us:

EcomPulse AS — Data Controller

  • Company: EcomPulse AS
  • Org. number: 936 175 678
  • Address: Sofienberggata 3D, 0551 Oslo, Norway
  • Email: henrik@ecomhero.io
  • Response time: Within 30 days of receipt

© 2026 EcomPulse AS · EcomHero · Sofienberggata 3D, 0551 Oslo, Norway

This policy is governed by Norwegian law and the General Data Protection Regulation (GDPR).
