
Privacy Policy

Version 3.5 · Last updated 2026-05-15

1. Introduction

This Privacy Policy describes how Omniconvert SRL (“Omniconvert”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data in connection with the website and audit service operated at https://shopifybenchmark.com (the “Service”).

We have prepared this Policy to satisfy the information requirements of Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and to provide the disclosures required by the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, the “CCPA”). Where additional rights or disclosures are required by other applicable laws, they apply in addition to (and not in substitution for) those described below.

You can use the Service anonymously. If you choose to provide an email address (lead capture) or accept analytics or marketing cookies, the additional processing described in this Policy will apply. Account creation is not currently available on the Service. If this changes in the future, this Policy will be updated accordingly.

2. Data Controller

The controller of personal data in connection with the Service is:

Omniconvert SRL — a private limited liability company organised under the laws of Romania, having its registered office at Strada Vasile Vasilievici Stroescu 14, 021374 Bucharest, Romania.

Contact for any privacy matter (including domain-removal requests for the public leaderboard): support@omniconvert.com. Mark leaderboard removals with “Leaderboard removal” in the subject line so they're routed to the operations queue (5-business-day SLA).

3. Personal Data We Process

We minimise the personal data we collect. The categories below reflect the totality of personal data we process in connection with the Service.

3.1 Data you provide to us directly

3.1.1 Audit submissions (no account required)

  • The Shopify storefront domain you submit for audit. A domain (e.g. examplestore.com) is not by itself personal data, but where the submitter chooses to audit their own store, the combination of domain + IP + timestamp can be associated with an identified or identifiable person.
  • Optional industry-category and country-of-operation filters you select.

3.1.2 Lead-capture submissions

  • Your email address, when you choose to provide it via the audit-results page or any other lead-capture surface.
  • The audit context (domain, score, module identifier) at the time of submission, associated with your email for the purpose of delivering the requested report by email.
  • Timestamp of the submission.

3.2 Data we collect automatically

  • Technical metadata: IP address, user-agent string, screen size, referrer URL, accept-language header. Used for the operation, security, and rate-limiting of the Service, and (with consent) for anonymised analytics.
  • Server access logs: request method, path, response status, response duration. Retained for 7 days.
  • Audit results we generate: per-domain scores and module breakdowns that we compute from public data, cached for 24 hours to avoid redundant work.
  • Cookies and similar technologies: see our Cookie Policy.
  • Error and performance telemetry (Sentry): when an application error or significant performance event occurs, anonymised technical traces (route, status code, stack trace, browser/OS labels) are sent to Sentry. We do not enable Sentry session replay (both replaysSessionSampleRate and replaysOnErrorSampleRate are configured at zero) and we apply SDK-level scrubbing of URL query strings and form data before transmission.

3.3 Data we obtain from third parties and public sources

  • Public web data about audited domains: when an audit runs, our systems fetch publicly available information about the audited storefront (robots.txt, sitemap, llms.txt, on-page metadata, JSON-LD structured data, payment-method indicators, and similar public signals). We do not retrieve protected or login-walled content.
  • Vendor-supplied aggregate data: our Creative and Reviews modules consume aggregated data from third-party vendors (see §6 — Subprocessors) that themselves only process publicly accessible content (e.g. Meta Ad Library, Google Ads Transparency Center, publicly displayed customer reviews).

3.4 Special-category data

We do not knowingly or intentionally collect special categories of personal data (Article 9 GDPR) — including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sexual orientation. We ask that you do not submit such data through the Service.

4. Purposes and Legal Bases of Processing

We process personal data only where one of the legal bases set out in Article 6(1) GDPR applies. The matrix below maps each processing purpose to its legal basis.

| Processing purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|
| Operate the audit pipeline (anonymous users) | Legitimate interest — Art. 6(1)(f) (offering the Service) | 24h per audit; 7d server logs |
| Send the lead-capture confirmation email | Consent — Art. 6(1)(a) | Until unsubscribe / deletion |
| Rate limiting and abuse prevention | Legitimate interest — Art. 6(1)(f) (security) | 30 days IP-correlated |
| Public leaderboard of audit scores | Legitimate interest — Art. 6(1)(f) (informational benchmarking — see §7) | Until removal request |
| Cookies and similar analytics technologies | Consent — Art. 6(1)(a) (per banner) | Per cookie — see Cookie Policy |
| Marketing-cookie deployment (Meta, LinkedIn) | Consent — Art. 6(1)(a) (per banner) | Per cookie — see Cookie Policy |
| Error and security telemetry (Sentry) | Legitimate interest — Art. 6(1)(f) | 30 days |
| Comply with legal obligations (e.g. response to lawful orders) | Legal obligation — Art. 6(1)(c) | As required by law |

You may withdraw any consent at any time, without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, use the “Cookie preferences” control in the Service footer (for cookies) or contact us at support@omniconvert.com (for all other consents).

4.1 Marketing communications

We will not send you marketing communications (newsletters, product announcements, or commercial offers) by email or SMS unless you have given prior opt-in consent in compliance with the European ePrivacy Directive and applicable member-state implementations (in Romania, Law 506/2004), the UK Privacy and Electronic Communications Regulations 2003, the United States CAN-SPAM Act of 2003, and other applicable laws. The lead-capture confirmation email (a single message containing the audit summary you have explicitly requested) is a transactional communication and is sent on the basis of your explicit request, not as a marketing communication.

Every marketing communication we send (if any) will include a working unsubscribe mechanism.

5. Legitimate Interests

Where we rely on the legitimate-interests legal basis (Article 6(1)(f) GDPR), we have conducted a balancing test taking account of your reasonable expectations, the nature of the processing, and the safeguards we apply. In summary:

  • Anonymous audit operation. Providing an industry-benchmarking tool serves the legitimate interest of Omniconvert and of Shopify merchants seeking visibility into competitive positioning. Processing is limited to short-lived technical metadata and is necessary to operate the Service.
  • Public leaderboard. Publication of aggregate audit results by domain is an industry-recognised form of public benchmarking comparable to similar e-commerce ranking tools. We mitigate impact by (i) restricting publication to objectively computable, non-personal metrics (numeric scores derived from public data), (ii) providing an immediate, no-questions-asked opt-out via support@omniconvert.com, and (iii) honouring opt-outs within five business days.
  • Error and security telemetry. Necessary to detect, investigate, and remediate faults and security incidents. Data is pseudonymised and not used for profiling.

On request, we can provide a more detailed Legitimate Interests Assessment for any processing activity listed above. Contact support@omniconvert.com.

6. Subprocessors and Recipients

We rely on the following third-party service providers (“subprocessors”) to operate the Service. Each acts as a processor or sub-processor for Omniconvert under written contractual terms incorporating the data-protection obligations required by Article 28 GDPR. We maintain on file with Omniconvert legal a record of the data-processing terms and (where applicable) Standard Contractual Clauses or equivalent transfer mechanisms for each subprocessor.

| Subprocessor | Function | Data | Location |
|---|---|---|---|
| DigitalOcean LLC | Managed MySQL database hosting | Audit, lead-capture, leaderboard data | EU region |
| Vercel Inc. | Application hosting + edge cache | HTTP request/response, technical metadata | EU + US edge nodes |
| Google LLC (Gemini API) | LLM probes for the AI Visibility module | Audited domain + public web context only | US (DPF-certified) |
| Google LLC (GA4 + GTM) | Analytics + tag management | Cookie-based, consent-gated | US (DPF-certified) |
| Sentry (Functional Software Inc.) | Error tracking and performance monitoring | Anonymised stack traces and request metadata | US (DPF-certified) |
| SendGrid (Twilio Inc.) | Transactional email (lead-capture confirmation) | Email address + audit context | US (DPF-certified) |
| Meta Platforms Ireland Ltd. | Marketing pixel (consent-gated) | Cookie/pixel events | EEA (Meta Ireland) + US transfer |
| LinkedIn Ireland Unlimited Co. | Marketing Insight Tag (consent-gated) | Cookie/pixel events | EEA (LinkedIn Ireland) + US transfer |
| Omniconvert Nexus (Omniconvert SRL internal service) | Creative & Ads module data aggregation | Public ad-library data per audited domain | EEA (Romania) |
| Brandfeel (internal service) | Reviews & UGC module data aggregation | Public review-platform data per audited domain | EEA |
| CRO Benchmark (Omniconvert internal service) | Auxiliary scoring data | Public store-audit data per audited domain | EEA (Romania) |

We do not sell, rent, or trade your personal data to any third party. We do not share personal data with any party other than the subprocessors above except where (i) you direct us to, (ii) we are legally compelled by a court order or equivalent lawful demand, or (iii) we are required to in connection with a corporate transaction (e.g. merger, acquisition, asset sale), in which case any new controller will inherit obligations equivalent to those in this Policy and you will be notified.

7. Public Leaderboard

The Service publishes a public leaderboard at https://shopifybenchmark.com/leaderboard listing audited domains alongside numeric scores by industry category and country. The leaderboard is intended as an informational benchmarking tool for the Shopify ecosystem and is indexed by general search engines.

The leaderboard does not display the name, email address, or other personally identifying information of any data subject. It displays only the storefront domain (as a public identifier of the store) and computed scores.

Opt-out. If you operate an audited store and wish to have your domain removed from the leaderboard, email support@omniconvert.com from an email address associated with the domain (e.g. WHOIS contact, postmaster@, or a documented owner address). We will action the removal within five business days and add the domain to a do-not-re-audit list which is honoured by all future audits.

8. International Data Transfers

Some of our subprocessors are established outside the European Economic Area, primarily in the United States. Where personal data is transferred to a recipient in a country that has not received an adequacy decision under Article 45 GDPR, we rely on one or more of the following safeguards (Article 46 GDPR):

  • EU-US Data Privacy Framework (DPF). Where the recipient has self-certified under the DPF (or its UK or Swiss extensions), we rely on that certification as the adequacy mechanism. Recipients we believe to be DPF-certified are marked accordingly in §6.
  • Standard Contractual Clauses (SCCs). Where DPF certification is not available or not applicable, we rely on the European Commission's 2021 Standard Contractual Clauses (Decision 2021/914), incorporated into our agreement with the subprocessor, supplemented as appropriate by a transfer-impact assessment.
  • Consent. In a small number of cases (e.g. the transmission of cookie-set data to Meta or LinkedIn ad systems following your explicit acceptance of marketing cookies), the transfer occurs on the basis of your explicit consent under Article 49(1)(a) GDPR.

You may request a copy of the safeguards in place for any specific transfer by contacting support@omniconvert.com.

9. Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, after which it is deleted or anonymised. The following default retention periods apply:

| Data category | Retention period |
|---|---|
| Audit submissions (anonymous) | 24 hours cache; 7 days in server access logs |
| Audit results by domain (leaderboard) | Until domain removal request or audit re-run overwrites the score |
| Lead-capture submissions | 24 months from submission, then deleted unless the data subject otherwise instructs |
| IP-correlated rate-limit data | 30 days |
| Error and security telemetry (Sentry) | 30 days |
| Server access logs | 7 days |
| Records of consent and consent withdrawal | 3 years (to evidence compliance with Art. 7(1) GDPR) |
| Records relating to legal claims or regulatory inquiries | Until 6 years after the matter is concluded |

10. Your Rights

10.1 GDPR rights (EEA / UK)

Where the GDPR or UK GDPR applies to the processing of your personal data, you have the following rights:

  • Right of access — to obtain confirmation of whether we process your personal data, and a copy of that data (Art. 15).
  • Right to rectification — to have inaccurate data corrected and incomplete data completed (Art. 16).
  • Right to erasure (“right to be forgotten”) — to have your data deleted in the circumstances set out in Art. 17.
  • Right to restriction of processing — to limit how we use your data in certain circumstances (Art. 18).
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller, where the processing is based on consent or contract and carried out by automated means (Art. 20).
  • Right to object — to object on grounds relating to your particular situation to processing carried out on a legitimate-interest basis (Art. 21), including profiling.
  • Right not to be subject to automated decision-making — see §11 below. We do not carry out automated decision-making with legal or similarly significant effects on data subjects.
  • Right to information about the source of indirectly collected data — where personal data is collected from sources other than you directly (see §3.3), you have the right under Article 14 GDPR to know the source of that data. We will provide this information on request.
  • Right to withdraw consent — at any time and without giving reasons, where processing is based on consent (Art. 7(3)).
  • Right to lodge a complaint — with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement.

For Romanian residents, the competent supervisory authority is the Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania — https://www.dataprotection.ro.

For UK residents, the competent supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom — https://ico.org.uk.

10.2 CCPA rights (California residents)

If you are a California resident, the CCPA grants you the following rights with respect to the personal information we collect about you:

  • Right to know — the categories of personal information collected, the categories of sources, the business or commercial purpose for collection, the categories of third parties with whom we share, and the specific pieces collected.
  • Right to delete — request deletion of personal information we have collected from you, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt-out of sale or sharing — we do not sell personal information for monetary consideration. We do disclose pixel events to Meta and LinkedIn only after you explicitly enable marketing cookies; this may constitute “sharing” under the CPRA. You may decline marketing cookies via the consent banner at any time, with effect equivalent to an opt-out of sharing.
  • Right to limit use of sensitive personal information — we do not process sensitive personal information as defined by the CPRA (Cal. Civ. Code §1798.140(ae)), so this right does not arise in practice.
  • Right to non-discrimination — we will not deny or charge differently for the Service in retaliation for exercising any of these rights.

See §10.3 below for how to exercise any of these rights. CCPA requests should use the subject line “CCPA request”; we'll verify them as required by Cal. Civ. Code §1798.130 before responding.

10.3 How to exercise your rights

To exercise any right under either GDPR or CCPA, email support@omniconvert.com from the email address associated with your data, or use the “Cookie preferences” control in the footer to manage cookie consent. We will respond within one month of receiving a verifiable request, extendable by two further months where necessary in light of the complexity and number of requests (Art. 12(3) GDPR); if we extend, we will inform you within the initial one-month period.

We may need to verify your identity before acting on a request. For anonymous-use data, please provide identifying information sufficient to locate the record (e.g. approximate timestamp and audited domain) and reply from an email address you can demonstrate ownership of (where applicable).

Data exported in response to a portability request is provided in a structured, commonly used, machine-readable format (currently JSON; CSV available on request) and is delivered by a secure download link sent to the verified email address associated with the request.

11. Automated Decision-Making and Profiling

We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you (Article 22 GDPR). Audit scores are produced by a deterministic technical algorithm operating on public data; they are informational benchmarks and do not constitute decisions about any person.

12. Children

The Service is intended for users acting in a business capacity (e.g. e-commerce operators, marketers, agencies). It is not directed at children.

We do not knowingly process personal data of children under the age applicable in your jurisdiction (16 years in Romania and most EEA member states; lower thresholds may apply where a member state has so legislated under Article 8(1) GDPR; 13 years in the United States under COPPA). If you are below the applicable age, do not use the Service. If you believe we may have inadvertently collected data from a child, contact support@omniconvert.com and we will promptly delete it.

13. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, having regard to the state of the art, the costs of implementation, and the nature of the processing (Article 32 GDPR). These include, without limitation:

  • TLS encryption for all data in transit; HTTPS with HSTS for all site traffic.
  • Database connections encrypted in transit; encryption at rest at the infrastructure layer.
  • Modern HTTP security headers, including Strict-Transport-Security (with includeSubDomains and preload), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Cross-Origin-Opener-Policy. A Content-Security-Policy is deployed in report-only mode pending stabilisation in production traffic.
  • Principle-of-least-privilege access controls for personnel; secret material handled exclusively via Doppler and equivalent secret-managers, never in source code or chat.
  • Periodic review of subprocessor security posture and contractual data-protection terms.
  • Automated dependency vulnerability scanning on the application codebase; manual review of significant changes.

No method of transmission over the internet or method of electronic storage is fully secure. While we strive to use commercially reasonable means, we cannot guarantee absolute security.

14. Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Article 33 GDPR). Where a breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay (Article 34 GDPR).

15. Changes to This Policy

We may amend this Policy from time to time to reflect changes in the Service, in applicable law, or in industry practice. The “Last updated” date above will be revised on each amendment. Material changes (those that materially expand the scope of processing or reduce your rights) will be highlighted on the Service for at least 30 days before taking effect.

16. Contact

For any question relating to this Policy, to your personal data, or to request domain removal from the public leaderboard, contact support@omniconvert.com. We'll route your message to the appropriate team. Postal address (for matters that require it): Omniconvert SRL — Privacy, Strada Vasile Vasilievici Stroescu 14, 021374 Bucharest, Romania.