passoagency.comData & privacy
Data & privacy

What we read, why, and how it’s protected.

Plain-English explanation of every external data source we connect to. If you are reviewing this page on behalf of a platform, Google, Meta, or Shopify, this is the canonical reference for what we do with your merchants’ data. The legal policy lives at /privacy.

The Passo data pact

We read, we never write, and we never resell.

We always

  • Read only. Every external API call we make to Google Ads, Meta Ads, and Google Analytics is read-only at our current access tier. We never create, edit, pause, or delete anything in your accounts.
  • Store data in the EU. All raw and derived rows live in a Supabase-managed Postgres database in eu-west-2. Row-Level Security partitions every row by merchant, so no merchant can ever see another merchant’s data.
  • Honour disconnect immediately. When you disconnect a source from the dashboard, we revoke the OAuth token with the upstream provider and delete the encrypted credential the same day.

We never

  • Resell, export, or share your Google Ads, Meta Ads, or Google Analytics data with any third party. Not even an aggregated anonymised version, without explicit opt-in.
  • Train cross-merchant models on your data without explicit opt-in. The recommendation engine reads only your own store’s data when it generates your strategy.
  • Send credentials to the browser. OAuth refresh tokens, developer tokens, and access tokens are server-side only and never logged.

Google Ads

We connect to Google Ads through Google’s standard OAuth 2.0 flow with the https://www.googleapis.com/auth/adwords scope. Every API call is read-only, made server-side from a Vercel-hosted worker using the official google-ads-api Node client against the latest stable Google Ads API.

What we read

Read-only

Resources customer, customer_client, campaign, ad_group, ad_group_ad, keyword_view, search_term_view, product_group_view, shopping_performance_view, change_event, geo_target_constant.

Methods CustomerService.listAccessibleCustomers, GoogleAdsService.search / searchStream, GeoTargetConstantService.suggestGeoTargetConstants.

Why So the strategy report can show your campaign structure, surface the search queries that triggered your ads, tie Shopping and Performance Max spend back to specific Shopify SKUs, comment on recent changes to your account, reconcile Google-attributed conversions against Shopify orders, and compute channel-level cost per acquisition.

What we will never call

Excluded

No mutate* method on any service. That includes CampaignService.mutateCampaigns, CampaignBudgetService.mutateCampaignBudgets, AdGroupAdService.mutateAdGroupAds, RecommendationService.applyRecommendation, and every other write call.

If we ever add the ability to apply changes inside your account, we will apply for Standard Access first and update this page before any data is touched. The full breakdown of API resources, methods, and rate-limit budgets is on our how it works page.

Storage The OAuth refresh token is AES-256 encrypted at rest in Supabase Postgres (eu-west-2). The developer token is a server-side environment secret, never sent to the browser, never logged. Report rows are kept 13 months rolling.

Compliance Use of Google Ads data follows the Google Ads API Required Minimum Functionality policy for reporting tools and the Google Ads API Terms of Service. Disclosure of how we process Google Ads data is included in our privacy policy.

Meta Ads

Connected via the standard Meta Marketing API through the OAuth flow at Meta for Developers. Read-only, with the same row-level partitioning and EU-only storage as the Google Ads path. The full lawful-basis breakdown is in our privacy policy.

Google Analytics

Optional. Connected via the GA4 Data API with the read-only analytics scope. We use it to triangulate paid-channel performance against on-site engagement so the strategy report can comment on landing-page conversion rates by source. If you skip the connection we use Shopify and ad-account data only.

Shopify

Connected through the Shopify App Bridge under the scopes declared in our App Store listing. Order history, customer cohorts, and catalogue. Used as the source of truth for revenue and customer attribution against which paid-channel data is reconciled.

Where the data lives

All raw and derived data is stored in a single Supabase-managed Postgres database in eu-west-2. Application servers run on Vercel, in the same region. We do not currently process merchant data outside the EU.

Backups are encrypted and retained for 30 days. If you uninstall the Shopify app, all your data, including raw rows, aggregates, encrypted refresh tokens, and backups, is purged within 30 days. The subprocessor list is at /subprocessors.