Privacy Policy
Last updated: June 2026
This Privacy Policy (“Policy”) describes how Mojoo (“Mojoo”, “we”, “us”, “our”) collects, uses, shares and protects personal information from users (“you”, “your”) of our website at mojoo.io and the Mojoo dashboard at app.mojoo.io, together with all related applications, APIs and services (collectively, the “Service”). It is incorporated by reference into our Terms of Service. Mojoo is a business-to-business product for online merchants. We act as a controller for data relating to your account and our website, and as a processor, on your behalf, for the store, order and end-customer data you connect. By using the Service, you agree to this Policy.
1. Contacting us
If you have any questions about this Policy or wish to exercise your rights, contact us at support@mojoo.io.
2. What information do we collect?
2.1 Information you provide directly
When you create an account, we collect your name (optional), email address and a securely hashed password. If you sign in with Google, we receive your Google account identifier, email and name. We also store the settings and cost figures you enter (for example product costs, shipping costs and payment fees), and any content you send us when you contact support.
2.2 Information collected automatically
When you use the Service we automatically collect technical data such as your IP address, browser and device type, operating system, device settings, the page or referrer you came from, and the actions, features and times of your activity. We collect this in server logs and through cookies and similar technologies (see section 2.6).
To attribute advertising clicks to purchases, the Service also records information about visits to connected stores that arrive through tracked links — including whether an advertisement was clicked, the landing and referring URLs, advertising parameters (such as fbclid, gclid, utm_*, ad_id, adset_id and campaign_id), IP address, user agent, timestamps, and a pseudonymous visitor identifier stored in a first-party cookie (_cid). Where feasible, directly identifying values (such as email addresses) are processed only as an irreversible SHA-256 hash.
2.3 Store & customer end-user data (processed on the merchant’s behalf)
When you connect a Shopify store, we receive order, product and customer data from that store — including order value, currency, line items, order and creation dates, payment gateway, refunds, and customer identifiers such as a hashed email address and an internal customer ID. This “Customer End-User Data” is processed on your behalf and on your instructions to produce your revenue, cost, profit and attribution reports.
2.4 Advertising platform data (Facebook / Meta)
If you connect a Facebook (Meta) ad account, we store an encrypted access token together with your ad account ID, business and pixel/dataset IDs, your Facebook user ID (used to match deletion and de-authorization requests), and advertising performance data (spend, impressions, clicks). We use this to import your daily ad spend and to send purchase events back to Meta via the Conversions API.
2.5 Information from other sources
We receive information about you and your business from the platforms you choose to connect (such as Shopify and Meta), as described above. We do not buy personal information from data brokers and do not enrich your profile with externally purchased data.
2.6 Cookies and similar technologies
We use first-party cookies only and do not place third-party advertising cookies in your browser:
- sid: a session cookie that keeps you signed in to the dashboard (strictly necessary).
- _cid: a pseudonymous first-party visitor identifier used for attribution.
You can block or delete cookies in your browser settings, though some features may then not work. Where supported, we honor the Global Privacy Control (GPC) signal as a request to opt out of any “sale” or “sharing” of personal information.
2.7 Sensitive information
We do not intentionally collect or process special/sensitive categories of personal data (such as data revealing health, racial or ethnic origin, religious beliefs, biometric or genetic data, precise geolocation, or government identifiers). Please do not submit such information to the Service.
3. How do we use personal information?
- To create and secure your account and provide the Service you request;
- To send you a welcome/verification email and administrative notices (e.g. security or maintenance);
- To attribute purchases to the correct ad, ad set and campaign and compute metrics such as ROAS, contribution margin and new-customer cost;
- To send conversion events to connected advertising platforms via their server-side APIs, deduplicated by order ID;
- To import advertising spend and performance data;
- To operate, maintain, improve and develop the Service and to conduct internal analytics and research;
- To prevent fraud, abuse and bot traffic and to keep the Service secure;
- To investigate disputes, enforce our terms and respond to legal, government or regulatory requests;
- For any other purpose described to you at the time of collection.
4. When do we share personal information?
We do not sell your personal information, share it with data brokers, or share it for cross-context behavioral (targeted) advertising. We disclose information only as follows:
- Service providers (processors): providers that help us run the Service under confidentiality obligations and on our instructions — namely Shopify (store connection), Meta Platforms (Conversions API & Marketing API; hashed identifiers and event data are sent to Meta, including in the United States), Render (cloud hosting and database) and Resend (transactional email).
- Business transfers: in connection with a merger, acquisition, financing or sale of assets, or insolvency, in which case we will take steps to ensure your data remains protected.
- To protect our interests: where we believe disclosure is necessary to enforce our agreements, protect our or others’ rights, property and safety, or the security of the Service.
- To comply with the law: in response to lawful requests by public authorities or where required by law.
5. Communication choices
If we ever send you marketing emails, you can unsubscribe at any time via the link in the email or by contacting support@mojoo.io. Even after opting out, you will still receive administrative, security and transactional messages about your use of the Service.
6. Rights to access
You can access and update much of your account information by signing in to your account settings. To access or amend other personal information we hold, contact support@mojoo.io. If you request deletion of your account, we will action it within a reasonable period, subject to any legal retention requirements.
7. Deleting your Facebook data
You can request deletion of your Facebook-connected data at any time: remove the app in your Facebook settings (which automatically triggers deletion), or email support@mojoo.io. When a deletion is triggered we remove the related access token, ad account, pixel and imported spend data, and provide a confirmation code you can use to verify the deletion status.
8. Links to external sites
The Service may link to third-party sites and services (such as Shopify and Meta). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their policies before providing personal information to them.
9. How long do we keep your personal information?
We retain personal information for the period necessary to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law. Tracking and attribution data is deleted or anonymized after no more than 24 months. Account and connection data (including access tokens) is retained while your account is active and deleted when you disconnect, delete your account, or upon request. Aggregated and anonymized data that no longer identifies anyone may be kept to operate the Service.
10. Children’s privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided us data, contact us and we will delete it.
11. How do we secure your personal information?
We use appropriate technical and organizational measures, including encryption in transit (HTTPS/TLS), encryption at rest for sensitive secrets such as access tokens (AES-256-GCM), hashing of passwords and identifiers, access controls and least-privilege practices, and vendor due diligence. No method of transmission or storage is completely secure, but we work to protect your data and continuously improve our safeguards.
12. European Privacy Notice
Where this applies: this section applies to individuals located in the EEA, the UK or Switzerland. References to “personal information” include “personal data” as defined in the EU GDPR, the UK GDPR and the Swiss FADP.
Controller: Mojoo is the controller for the processing described in this Policy. See section 1 for contact details.
12.1 Legal bases for processing
| Category of personal information | Legal basis |
|---|---|
| Account & contact information | Performance of a contract; our legitimate interests in administering and communicating about the Service; compliance with legal obligations. |
| Store, order & end-customer data you connect | Processing on your documented instructions as a processor (on your legal basis as the merchant). |
| Tracking & attribution data, cookies | Legitimate interests in reliable measurement and security; consent where required for non-essential storage. |
| Advertising platform data (Meta) | Performance of a contract; legitimate interests in providing the requested ad reporting and conversion features. |
12.2 Your rights
You have the right to access, rectify, erase, restrict and port your personal data, and to object to processing based on legitimate interests (including direct marketing). Where processing is based on consent, you may withdraw it at any time with effect for the future. We do not carry out solely automated decision-making with legal or similarly significant effects. To exercise a right, contact support@mojoo.io. You also have the right to lodge a complaint with your local data protection authority.
12.3 International transfers
Some providers (in particular Meta and parts of our infrastructure) process data outside the EEA, including in the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or, where applicable, an adequacy decision. Details can be provided on request.
13. California Privacy Notice
This section describes how we handle the personal information of California residents under the CCPA (as amended by the CPRA), and applies to data subject to the CCPA.
13.1 Categories we collect and disclose
| Category | Disclosed to (business purpose) | Sold/Shared? |
|---|---|---|
| Identifiers (name, email, hashed customer IDs) | Service providers (hosting, email, Shopify, Meta) | No |
| Internet/network activity (clicks, IP, device, ad parameters) | Service providers (hosting, Meta) | No |
| Commercial information (orders, costs, ad spend) | Service providers (hosting, Meta) | No |
13.2 Sales and sharing
We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA, and we have no actual knowledge of selling or sharing the personal information of consumers under 16.
13.3 Your California rights
You have the right to know, access, correct and delete your personal information, to opt out of any sale/sharing (which we do not do), and to be free from discrimination for exercising your rights. To make a request, contact support@mojoo.io; we will verify your request as required by law. We honor valid Global Privacy Control (GPC) signals.
13.4 Shine the Light
We do not share personal information with third parties for their own direct marketing purposes.
14. Privacy Notice for Other US States
This section supplements the Policy for residents of US states with applicable privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others). Depending on your state, you may have the right to access, correct, delete and obtain a portable copy of your personal information, and to opt out of targeted advertising, sale of personal information, and certain profiling. We do not sell personal information, share it for targeted advertising, or conduct profiling that produces legal or similarly significant effects. We do not discriminate against you for exercising your rights. To make a request, contact support@mojoo.io.
15. Updates to this Policy
We may update this Policy from time to time. We will post the updated version here and revise the “Last updated” date, and will communicate material changes where appropriate. Continued use of the Service after changes take effect constitutes acceptance.