1. Introduction & Scope
ArchwayAI LLC ("ArchwayAI," "we," "us," or "our") operates the website www.archwayai.com, the ArchwayAI SaaS analytics platform (the "Platform"), the ArchwayAI Pixel SDK, and integrations with third-party services including Meta (Facebook), Google Ads, Shopify, and Klaviyo (collectively, the "Services").
This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data in connection with our Services. It applies to:
- Merchant Users — individuals who subscribe to ArchwayAI on behalf of an e-commerce business.
- End Consumers — visitors and buyers on merchant storefronts whose behavioral and transactional data flows through our Platform via the Pixel SDK or merchant integrations.
- Website Visitors — visitors to archwayai.com.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read together with our Terms of Service, Data Processing Agreement, and Cookie Policy.
2. Data Controller and Data Processor Roles
ArchwayAI operates in different capacities depending on the type of data processed:
| Data Category | ArchwayAI's Role | Description |
|---|---|---|
| Account & User Data | Data Controller | Information about merchant employees who register for and use the Platform (name, email, organization). |
| Merchant Platform Data | Data Processor | Shopify order, customer, and product data; ad campaign performance data from Meta, Google Ads, and Klaviyo — processed on the merchant's behalf and under the merchant's instructions. |
| End Consumer Behavioral Data | Data Processor | Pseudonymous browsing and conversion data collected via the Pixel SDK on merchant storefronts, processed on the merchant's behalf. |
| Website Visitor Data | Data Controller | Data from visitors to archwayai.com (analytics, contact form submissions). |
Where ArchwayAI acts as a Data Processor, our processing is governed by our Data Processing Agreement (DPA). The merchant is the Data Controller and is responsible for ensuring a lawful basis for collection, providing privacy notices to end consumers, and handling data subject requests.
3. Data We Collect
3.1 Account & User Data (Controller)
When you register for an ArchwayAI account, we collect:
- Name and email address (via Better Auth, our self-hosted authentication system — authentication data is stored in our own database and is not shared with any third-party identity service)
- Organization name and role
- Billing and payment information (processed by our payment processor; we do not store full payment card numbers)
- Usage logs — feature interactions, login timestamps, and Platform activity
3.2 Merchant Platform Data (Processor)
When a merchant connects their e-commerce and advertising accounts, we process the following data on their behalf:
- Shopify data: orders, customers (customer ID, email, name, phone, address, order history, marketing opt-in status), products, fulfillments, and inventory.
- Ad platform campaign data: campaign IDs, campaign names, ad spend, impressions, clicks, and conversions.
- Klaviyo data: account metadata and campaign performance metrics.
3.3 End Consumer Behavioral Data (Processor, via Pixel SDK)
The ArchwayAI Pixel SDK is a JavaScript snippet installed on merchant storefronts. When enabled, it collects the following pseudonymous data on the merchant's behalf:
- Identifiers: a persistent anonymous ID (arch_uid, stored in a first-party cookie with a 1-year maximum age) and a session ID (30-minute inactivity timeout).
- Page context: page URL, referrer URL.
- Marketing attribution parameters: UTM source, medium, campaign, term, and content.
- Ad platform click identifiers: gclid (Google), fbclid (Meta), fbp (Meta browser pixel cookie), fbc (Meta click ID cookie).
- Device information: device type (mobile/desktop/tablet), browser locale.
- Network information: IP address (extracted server-side from request headers, not sent by the pixel) and user agent string.
- Consent scope: whether the end consumer has granted marketing consent, analytics consent, or denied consent (via the Shopify Customer Privacy API).
- Event data: event name (e.g., page_view, add_to_cart), currency, and monetary value.
The Pixel SDK respects consent signals from the Shopify Customer Privacy API. If an end consumer denies tracking consent, the pixel records the denial and does not collect behavioral data beyond the consent scope field.
3.4 Data from the Meta Platform (Marketing API)
When a merchant connects their Meta (Facebook) ad account, we access the following data via the Meta Marketing API:
- Ad campaign performance data: spend, impressions, clicks, conversions, and cost metrics.
- Ad account metadata: business account ID, ad account ID, and pixel ID.
We do not collect Meta user profile data, friend lists, private messages, or any data beyond what is necessary to provide cross-channel analytics to the authorizing merchant. Access tokens are stored encrypted and are isolated per merchant tenant.
3.5 Data from Google Ads API
When a merchant connects their Google Ads account, we access campaign performance data (spend, impressions, clicks, conversions) and account metadata. Refresh tokens are stored encrypted.
3.6 Data from Klaviyo
When a merchant connects their Klaviyo account via API key, we access account metadata and campaign performance metrics for cross-channel analytics.
4. How We Use Data
We use the data described above for the following purposes:
- Providing the Platform: delivering the SaaS analytics dashboard, reports, and insights to merchants.
- Cross-channel marketing attribution: connecting ad spend to revenue across Meta, Google Ads, Klaviyo, and organic channels.
- Identity stitching: linking anonymous pixel sessions to known customer records at checkout to build a unified customer journey (see Section 7).
- AI-powered commerce analysis: generating data-driven insights and recommendations using large language models (see Section 6).
- Aggregated benchmarks: creating de-identified, aggregated industry benchmarks that cannot be traced to any individual merchant or end consumer.
- Account management: processing payments, communicating about your subscription, and providing customer support.
- Service improvement: debugging, performance monitoring, and improving Platform reliability.
- Legal compliance: complying with applicable laws and responding to lawful requests.
5. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)) — to provide the Platform and fulfill our obligations under the Terms of Service.
- Legitimate interests (Article 6(1)(f)) — for service improvement, security, and fraud prevention, where these interests are not overridden by your data protection rights.
- Consent (Article 6(1)(a)) — for marketing communications. You may withdraw consent at any time.
- Data Processor basis (Article 28) — for all Merchant Platform Data and End Consumer Behavioral Data, we process strictly on the merchant's behalf and under the merchant's instructions as documented in our Data Processing Agreement.
6. AI and Machine Learning
ArchwayAI uses third-party large language model (LLM) providers, including OpenAI and Anthropic, to power AI-driven analytics features within the Platform. Key details:
- Data sent to LLM providers consists of aggregated, anonymized commerce metrics. We do not send raw personally identifiable information (PII) to LLM providers.
- LLM API calls are ephemeral requests — our LLM providers do not use customer data to train their models.
- LLM providers are treated as sub-processors and are listed in our Data Processing Agreement.
- We do not engage in automated decision-making that produces legal effects or similarly significant effects on individuals (GDPR Article 22).
- AI-generated insights are informational and should not be treated as financial, legal, or professional advice.
7. Identity Resolution
ArchwayAI performs identity stitching to help merchants understand end consumer journeys from first ad click to purchase. This process:
- Links anonymous browsing sessions (identified by the arch_uid cookie) to known customer records when a purchase occurs or a customer identifies themselves.
- Uses SHA-256 hashing for email addresses before storage in the identity graph.
- Assigns confidence scores to identity links (e.g., 0.7 for pixel-based correlation, 1.0 for webhook-confirmed matches).
- Is performed exclusively as a processor on the merchant's behalf. Merchants may request deletion of their identity graph data at any time.
8. Cookies and Tracking Technologies
For full details, see our Cookie Policy.
Cookies Set by the ArchwayAI Pixel SDK
- archwayai_uid — a first-party, persistent anonymous identifier with a 1-year maximum age and SameSite=Lax attribute. This cookie is set on the merchant's storefront domain (not archwayai.com).
- Session data is stored in the browser's sessionStorage (not a cookie) with a 30-minute inactivity timeout.
Third-Party Cookies Read (Not Set) by the Pixel
- _fbp — Meta browser pixel cookie (set by Meta, read by ArchwayAI for attribution).
- _fbc — Meta click ID cookie (set by Meta, read by ArchwayAI for attribution).
ArchwayAI does not place third-party advertising cookies. We do not participate in cross-site ad tracking networks.
9. Data Sharing and Sub-Processors
We share personal data only as necessary to provide the Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Tinybird | Real-time analytics data warehouse | US / EU |
| Inngest | Durable workflow execution | US |
| Resend | Transactional email delivery | US |
| OpenAI | AI analysis features | US |
| Anthropic | AI analysis features | US |
| Vercel | Hosting and deployment | US |
| Neon | PostgreSQL database hosting | US |
| Sentry | Error monitoring and diagnostics | US |
We do not sell personal data to any third party.
We may disclose personal data to law enforcement or government authorities only in response to valid legal process (subpoena, court order, or equivalent). We will notify affected merchants before disclosure unless legally prohibited from doing so.
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the business transaction. We will notify affected users and provide choices where required by law.
10. Meta Platform Data Handling
ArchwayAI complies with the Meta Platform Terms, Meta Developer Policies, and the Supplemental Terms for the Meta Marketing API. Specifically:
- Data obtained through the Meta Marketing API is used solely to provide analytics services to the merchant who authorized the connection. It is never shared with other advertisers, data brokers, or ad networks.
- Meta data is stored encrypted and is logically isolated per merchant tenant. Each merchant's Meta ad account connection is scoped to their organization.
- We implement Meta's Data Deletion Callback. When a user deauthorizes our app or requests data deletion through Meta, we process the deletion request within 30 days and provide a confirmation status URL as required by Meta.
- We do not use Meta data to build independent user profiles, enrich third-party datasets, or train AI or machine learning models.
- When a merchant terminates their ArchwayAI subscription or disconnects their Meta integration, all Meta-sourced data is deleted within 30 days.
- We do not cache, store, or use Meta data beyond what is necessary to provide the authorized analytics service.
11. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Privacy Policy:
| Data Type | Retention Period |
|---|---|
| Account & user data | Duration of subscription + 30 days |
| Pixel event data | 24-month rolling window |
| Ad spend / campaign data | 36 months for historical reporting |
| Identity graph edges | Duration of merchant subscription |
| Webhook receipts | 90 days |
| Audit logs | 12 months |
| Aggregated / anonymized data | May be retained indefinitely (cannot be linked to individuals) |
12. Data Deletion
- Merchant-initiated deletion: When a merchant deletes their account, all associated data (including Merchant Platform Data, End Consumer Data, and identity graph data) is permanently deleted within 30 days. Merchants may request data export prior to deletion.
- End consumer deletion requests: Because ArchwayAI acts as a Data Processor for end consumer data, deletion requests from end consumers should be directed to the merchant (the Data Controller). ArchwayAI will assist merchants in fulfilling these requests.
- Meta data deletion: Handled via our Data Deletion Callback endpoint. Upon receiving a deletion request from Meta, we delete the associated data within 30 days and provide a confirmation code and status URL per Meta's specifications.
- Shopify GDPR webhooks: We handle customers/redact and shop/redact webhooks to delete customer and store data upon request.
- Written confirmation: Available upon request after deletion is complete.
13. Multi-Tenant Data Isolation
ArchwayAI is a multi-tenant SaaS platform. All data is logically isolated by merchant organization:
- Every record is scoped to an organizationId. No cross-tenant data access is possible through the Platform.
- Integration access tokens (Meta, Google Ads, Klaviyo, Shopify) are encrypted before storage and isolated per merchant.
- API keys are cryptographically hashed before storage; only the hash is retained.
- Role-based access control enforced via Better Auth organizations (self-hosted) ensures only authorized users within a merchant organization can access that organization's data. Authentication is handled entirely on our own infrastructure.
14. Data Security
We implement technical and organizational measures to protect personal data:
- Encryption in transit using TLS 1.2 or higher.
- Encryption at rest for all databases.
- Integration access tokens and API secrets are encrypted before storage.
- Role-based access control (RBAC) via Better Auth organizations (self-hosted).
- Regular security assessments and code reviews.
- Error monitoring and alerting via Sentry.
While we strive to protect your data, no method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us at privacy@archwayai.com.
15. International Data Transfers
ArchwayAI primarily processes data in the United States. Some sub-processors may process data in other jurisdictions (e.g., Tinybird in the EU, Shopify in Canada).
For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, as supplemented by additional safeguards where required.
16. Your Rights Under the GDPR (EEA, UK, and Swiss Residents)
If you are a resident of the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure — to request deletion of your personal data.
- Right to restriction — to request that we limit processing of your data.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Right to lodge a complaint — with your local data protection supervisory authority.
For end consumer data where ArchwayAI acts as a Processor, data subject requests should be directed to the merchant (the Controller). ArchwayAI will assist the merchant in responding within 30 days.
To exercise your rights, contact us at gdpr@archwayai.com.
17. Your Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know — what personal information we collect, use, disclose, and sell or share.
- Right to delete — to request deletion of your personal information.
- Right to opt-out — of the sale or sharing of your personal information.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
ArchwayAI does not sell personal information.
The ArchwayAI Pixel SDK reads Meta cookies (_fbp, _fbc) for attribution purposes. Under CPRA, this may constitute "sharing" of personal information. Merchants are responsible for providing end consumers with opt-out mechanisms via the Shopify Customer Privacy API or an equivalent consent management platform. ArchwayAI respects Global Privacy Control (GPC) signals.
Categories of personal information collected (per CCPA categories): identifiers, internet or other electronic network activity information, commercial information, and geolocation data (derived from IP address).
To exercise your rights, contact us at privacy@archwayai.com.
18. Children's Privacy
Our Services are designed for businesses and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that we have inadvertently collected data from a child under 16, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at privacy@archwayai.com.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by posting the updated policy on our website and, for registered users, by sending an email notification. Your continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes.
20. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- General privacy inquiries: privacy@archwayai.com
- GDPR-specific requests: gdpr@archwayai.com
- Entity: ArchwayAI LLC