Privacy Policy

Last updated: June 2026

US State Privacy Rights: See the California Privacy Notice and Privacy Notice for Other US States sections below for important information about your rights under applicable US state privacy laws.
European Users: See the European Privacy Notice section below for additional information for individuals located in the European Economic Area, the United Kingdom, or Switzerland (together, “Europe”).

This Privacy Policy (“Policy”) describes how Mojoo (“Mojoo”, “we”, “us”, “our”) collects, uses, shares and protects personal information from users (“you”, “your”) of our website at mojoo.io and the Mojoo dashboard at app.mojoo.io, together with all related applications, APIs and services (collectively, the “Service”). It is incorporated by reference into our Terms of Service. Mojoo is a business-to-business product for online merchants. We act as a controller for data relating to your account and our website, and as a processor for the store, order and end-customer data you connect on your behalf. By using the Service, you agree to this Policy.

1. Contacting us

If you have any questions about this Policy or wish to exercise your rights, contact us at support@mojoo.io.

2. What information do we collect?

2.1 Information you provide directly

When you create an account, we collect your name (optional), email address and a securely hashed password. If you sign in with Google, we receive your Google account identifier, email and name. We also store the settings and cost figures you enter (for example product costs, shipping costs and payment fees), and any content you send us when you contact support.

2.2 Information collected automatically

When you use the Service we automatically collect technical data such as your IP address, browser and device type, operating system, device settings, the page or referrer you came from, and the actions, features and times of your activity. We collect this in server logs and through cookies and similar technologies (see section 2.6).

To attribute advertising clicks to purchases, the Service also records information about visits to connected stores that arrive through tracked links — including whether an advertisement was clicked, the landing and referring URLs, advertising parameters (such as fbclid, gclid, utm_*, ad_id, adset_id and campaign_id), IP address, user agent, timestamps, and a pseudonymous visitor identifier stored in a first-party cookie (_cid). Where feasible, directly identifying values (such as email addresses) are processed only as an irreversible SHA-256 hash.

2.3 Store & customer end-user data (processed on the merchant’s behalf)

When you connect a Shopify store, we receive order, product and customer data from that store — including order value, currency, line items, order and creation dates, payment gateway, refunds, and customer identifiers such as a hashed email address and an internal customer ID. This “Customer End-User Data” is processed on your behalf and on your instructions to produce your revenue, cost, profit and attribution reports.

2.4 Advertising platform data (Facebook / Meta)

If you connect a Facebook (Meta) ad account, we store an encrypted access token together with your ad account ID, business and pixel/dataset IDs, your Facebook user ID (used to match deletion and de-authorization requests), and advertising performance data (spend, impressions, clicks). We use this to import your daily ad spend and to send purchase events back to Meta via the Conversions API.

2.5 Information from other sources

We receive information about you and your business from the platforms you choose to connect (such as Shopify and Meta), as described above. We do not buy personal information from data brokers and do not enrich your profile with externally purchased data.

2.6 Cookies and similar technologies

We use first-party cookies only and do not place third-party advertising cookies in your browser:

You can block or delete cookies in your browser settings, though some features may then not work. Where supported, we honor the Global Privacy Control (GPC) signal as a request to opt out of any “sale” or “sharing” of personal information.

2.7 Sensitive information

We do not intentionally collect or process special/sensitive categories of personal data (such as data revealing health, racial or ethnic origin, religious beliefs, biometric or genetic data, precise geolocation, or government identifiers). Please do not submit such information to the Service.

3. How do we use personal information?

4. When do we share personal information?

We do not sell your personal information, share it with data brokers, or share it for cross-context behavioral (targeted) advertising. We disclose information only as follows:

5. Communication choices

If we ever send you marketing emails, you can unsubscribe at any time via the link in the email or by contacting support@mojoo.io. Even after opting out, you will still receive administrative, security and transactional messages about your use of the Service.

6. Rights to access

You can access and update much of your account information by signing in to your account settings. To access or amend other personal information we hold, contact support@mojoo.io. If you request deletion of your account, we will action it within a reasonable period, subject to any legal retention requirements.

7. Deleting your Facebook data

You can request deletion of your Facebook-connected data at any time: remove the app in your Facebook settings (which automatically triggers deletion), or email support@mojoo.io. When a deletion is triggered we remove the related access token, ad account, pixel and imported spend data, and provide a confirmation code you can use to verify the deletion status.

8. Links to external sites

The Service may link to third-party sites and services (such as Shopify and Meta). This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their policies before providing personal information to them.

9. How long do we keep your personal information?

We retain personal information for the period necessary to fulfil the purposes described in this Policy, unless a longer period is required or permitted by law. Tracking and attribution data is deleted or anonymized after no more than 24 months. Account and connection data (including access tokens) is retained while your account is active and deleted when you disconnect, delete your account, or upon request. Aggregated and anonymized data that no longer identifies anyone may be kept to operate the Service.

10. Children’s privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided us data, contact us and we will delete it.

11. How do we secure your personal information?

We use appropriate technical and organizational measures, including encryption in transit (HTTPS/TLS), encryption at rest for sensitive secrets such as access tokens (AES-256-GCM), hashing of passwords and identifiers, access controls and least-privilege practices, and vendor due diligence. No method of transmission or storage is completely secure, but we work to protect your data and continuously improve our safeguards.

12. European Privacy Notice

Where this applies: this section applies to individuals located in the EEA, the UK or Switzerland. References to “personal information” include “personal data” as defined in the EU GDPR, the UK GDPR and the Swiss FADP.

Controller: Mojoo is the controller for the processing described in this Policy. See section 1 for contact details.

12.1 Legal bases for processing

Category of personal informationLegal basis
Account & contact informationPerformance of a contract; our legitimate interests in administering and communicating about the Service; compliance with legal obligations.
Store, order & end-customer data you connectProcessing on your documented instructions as a processor (on your legal basis as the merchant).
Tracking & attribution data, cookiesLegitimate interests in reliable measurement and security; consent where required for non-essential storage.
Advertising platform data (Meta)Performance of a contract; legitimate interests in providing the requested ad reporting and conversion features.

12.2 Your rights

You have the right to access, rectify, erase, restrict and port your personal data, and to object to processing based on legitimate interests (including direct marketing). Where processing is based on consent, you may withdraw it at any time with effect for the future. We do not carry out solely automated decision-making with legal or similarly significant effects. To exercise a right, contact support@mojoo.io. You also have the right to lodge a complaint with your local data protection authority.

12.3 International transfers

Some providers (in particular Meta and parts of our infrastructure) process data outside the EEA, including in the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or, where applicable, an adequacy decision. Details can be provided on request.

13. California Privacy Notice

This section describes how we handle the personal information of California residents under the CCPA (as amended by the CPRA), and applies to data subject to the CCPA.

13.1 Categories we collect and disclose

CategoryDisclosed to (business purpose)Sold/Shared?
Identifiers (name, email, hashed customer IDs)Service providers (hosting, email, Shopify, Meta)No
Internet/network activity (clicks, IP, device, ad parameters)Service providers (hosting, Meta)No
Commercial information (orders, costs, ad spend)Service providers (hosting, Meta)No

13.2 Sales and sharing

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA, and we have no actual knowledge of selling or sharing the personal information of consumers under 16.

13.3 Your California rights

You have the right to know, access, correct and delete your personal information, to opt out of any sale/sharing (which we do not do), and to be free from discrimination for exercising your rights. To make a request, contact support@mojoo.io; we will verify your request as required by law. We honor valid Global Privacy Control (GPC) signals.

13.4 Shine the Light

We do not share personal information with third parties for their own direct marketing purposes.

14. Privacy Notice for Other US States

This section supplements the Policy for residents of US states with applicable privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others). Depending on your state, you may have the right to access, correct, delete and obtain a portable copy of your personal information, and to opt out of targeted advertising, sale of personal information, and certain profiling. We do not sell personal information, share it for targeted advertising, or conduct profiling that produces legal or similarly significant effects. We do not discriminate against you for exercising your rights. To make a request, contact support@mojoo.io.

15. Updates to this Policy

We may update this Policy from time to time. We will post the updated version here and revise the “Last updated” date, and will communicate material changes where appropriate. Continued use of the Service after changes take effect constitutes acceptance.