Privacy Policy

Effective date: March 18, 2026

This Privacy Policy describes how the Meta Conversions API app for Commerce7 ("the App", "we", "us") collects, uses, stores, and shares data when you install and use the App.

1. What the App Does

The App receives Commerce7 webhook events (orders, club memberships, reservations, customer registrations) and forwards them as server-side conversion events to the Meta Conversions API on your behalf. It also optionally collects browser signals from your storefront via a JavaScript snippet you install.

2. Data Collected

3. How We Use Data

• Forwarding conversion events: Customer PII (email, name, phone, address) is SHA-256 hashed immediately upon receipt and forwarded to the Meta Conversions API. We do not store the plaintext PII beyond the lifetime of the in-memory request.
• Signal enrichment: Browser signals collected via the snippet (fbp, fbc, IP, UA, page URL) are temporarily stored for up to 30 minutes solely to enrich server-side webhook events with browser context for better attribution. They are deleted automatically.
• Event logging: We log event names, statuses, and error messages per tenant for display in your dashboard. No customer PII is stored in the event log.
• Retry queue: If a Meta API call fails, the serialized event (already-hashed, no plaintext PII) is stored for automatic retry with up to 3 attempts over 15 minutes.

4. Data Shared with Third Parties

The only third party we share data with is Meta Platforms, Inc. (Facebook). Conversion events including hashed customer identifiers are sent to the Meta Conversions API endpoint at graph.facebook.com. Meta's use of this data is governed by Meta's Privacy Policy and your agreement with Meta as a Business Tools user.

We do not sell data, share it with advertisers, or use it for any purpose beyond operating the App.

5. Data Security

• All PII is SHA-256 hashed before being transmitted to Meta and is never stored in plaintext.
• Browser signals are stored in an encrypted SQLite database accessible only to the App server.
• Meta Access Tokens are stored encrypted at rest and transmitted only over HTTPS.
• App settings are accessible only to authenticated Commerce7 admins of your tenancy.

6. CCPA / California Privacy Rights

The App supports Meta's Limited Data Use (LDU) flag for California residents. LDU is automatically applied to conversion events for customers whose Commerce7 address shows a California state code, or whose customer record includes the facebook-limited-data-use metadata field set to true. This restricts how Meta uses the data consistent with CCPA requirements.

7. Data Retention and Deletion

• Browser signals: Automatically deleted after 30 minutes.
• Event log: You can clear the event log at any time from your dashboard. All logs are deleted when the app is uninstalled.
• Tenant settings (credentials, configuration): Deleted when the app is uninstalled from your Commerce7 account.
• Retry queue: Cleared automatically after successful delivery or after 3 failed attempts.

8. Children's Privacy

The App is a B2B tool designed for use by winery businesses. It is not directed at children under 13 and we do not knowingly collect data from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page will be updated accordingly. Continued use of the App after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or your data, please contact us at 7labs@dmitru.com.