Privacy Policy

How The Passo Agency handles merchant and shopper data. Written in plain English; every clause says something real about what we do with your data.

Last updated: 2026-04-23

1. Who we are

The Passo Agency is operated by The Passo Agency Ltd, a company registered in England and Wales (company number [company number pending — filing in progress], registered office [registered address pending — filing in progress]). When this policy says “we”, “us” or “Passo”, it means The Passo Agency Ltd.

For anything covered by this policy you can reach us at hello@passoagency.com. For formal data protection requests, use the same address with the subject line “Data protection request”.

2. What this policy covers

This policy covers:

  • the Passo Shopify app
  • the Passo website at passoagency.com and the report subdomain report.passoagency.com
  • any related email we send you as part of running the service

It does not cover third-party websites we link to, nor any advertising partner’s own data practices (those are governed by the partner’s own policy). See section 8, Subprocessors, for the list of partners.

3. Who this policy is for

The word “you” in this policy means the Shopify merchant who installs the Passo app, plus anyone at that merchant authorised to use the account.

Shoppers on the merchant’s storefront are not direct users of Passo and are covered by their merchant’s own privacy policy. Passo handles shopper data only on the merchant’s behalf and only to the extent set out in section 6, Shopper data, where we act as a processor for the merchant.

4. What data we collect from merchants

When you install and use Passo we collect the following categories of data about the merchant and authorised users:

Account and identity data. The email address, name and store name of the person who installs the app; the authorised users you add later; the research questionnaire answers you give us during onboarding (four multiple-choice answers about how you want to work with Passo, plus an optional free-text note capped at 500 characters).

Shopify store data. Products, orders, customers, storefront metadata, fulfilment records. Pulled from Shopify on the scopes you granted us (read_products, read_orders, read_customers) and refreshed on a schedule. We never request write scopes.

Billing data. Your billing contact email and your company billing address. Two billing carriers are involved: your platform fee subscription is billed through your Shopify account via the Shopify Billing API, so Shopify holds the card on file for that. Media spend top-ups go through Stripe, which holds a separate card on file for that purpose. We do not store card numbers for either pipe. The only thing we keep about cards is the brand and the last four digits, so we can show you “Visa ending 4242” in the dashboard.

Advertising and performance data. The campaigns Passo ran for you, their impression and click counts, spend, and the conversion events Shopify reported back. All of this is tied to your merchant id and never leaves your tenant’s row in our database except as described in section 7 (How we use the data).

Data from advertising accounts you choose to connect. During onboarding you can optionally connect your Meta Ads, Google Ads, and Google Analytics 4 accounts so Passo can read your existing advertising performance for the Initial Strategy Report. Read-only access only. From Meta we read campaign and ad set structure, insights for the past ninety days, and ad creative metadata, via the ads_read and business_management permissions. From Google Ads and Google Analytics 4 we read equivalent campaign performance and traffic data. We never request or use write permissions on these accounts. You can revoke each connection at any time from the dashboard, after which the access token is removed within one hour and any cached insights are removed within thirty days.

Technical and usage data. IP address, rough geolocation (country and city), browser and device type, pages visited, timestamps, and event logs from the dashboard. Used for debugging, security and aggregate usage analysis.

Communications. Any message you send us at hello@passoagency.com, plus our reply.

5. What data we do NOT collect

In the spirit of being clear about this up front:

  • We do not scrape your storefront, nor any other website.
  • We do not buy marketing lists to augment our understanding of your customers.
  • We do not sell any data we hold about you to anyone, ever.
  • We do not use Shopify data to train generally-available AI models.

6. Shopper data, acting as a processor for the merchant

Some of the data we pull from Shopify includes information about your shoppers (order records, customer email addresses, shipping addresses). For this slice of data Passo acts as a data processor on the merchant’s behalf. The merchant is the data controller.

What we do with shopper data:

  • We use hashed shopper email addresses to build suppression audiences in ad platforms, so you do not pay to re-acquire people who have already bought from you. Hashes are one-way and are the format ad platforms accept (SHA-256 on the lowercased, trimmed email).
  • We use aggregate shopper behaviour (which products they bought, order frequency, basket sizes, country of delivery) to model your customer segments and write your media strategy. Aggregates do not identify individual shoppers.
  • We use a small sample of real order records, with personal fields redacted, to calculate your customer acquisition cost and lifetime value.

What we never do with shopper data:

  • We never send marketing to your shoppers on our own behalf.
  • We never share raw shopper email addresses with advertising partners. They receive only the hashed suppression list format.
  • We never publish shopper-level data on the dashboard or in the monthly report.

7. How we use your data

We use your data only for the purposes below. UK GDPR requires a lawful basis for each one. The basis is listed in square brackets at the end of each point.

  • Running the service you signed up for. Pulling your Shopify data, writing your media plan, buying and optimising the media, returning the monthly report. [Contract. UK GDPR Article 6(1)(b).]
  • Billing you and managing your subscription. We share only the minimum with Stripe (email, billing address, spend total). [Contract.]
  • Keeping the platform secure and working. Logging, error monitoring, abuse prevention, capacity planning. [Legitimate interests. UK GDPR Article 6(1)(f). We have balanced this against merchant privacy; the intrusion is limited and the processing is essential to running the service.]
  • Telling you about material changes to the product. Outages, new features that affect how we buy on your behalf, pricing changes. [Legitimate interests, as above.]
  • Marketing Passo to other merchants (optional, you can opt out at any time). Case studies using aggregate or explicitly-approved metrics. [Consent. UK GDPR Article 6(1)(a). Separate ask in the dashboard; off by default.]
  • Responding to legal obligations. Answering lawful requests from regulators, preserving data required for accounting or audit. [Legal obligation. UK GDPR Article 6(1)(c).]
  • Aggregate, anonymous research that benefits all Passo merchants. Category-level benchmarks, partner quality signals, and similar rollups. Individual merchant data is never identifiable in these aggregates and they are written by a scheduled batch process, not from the live request path. [Legitimate interests.]

8. Subprocessors

We use a small set of third-party vendors to run Passo. Each is bound by a data processing agreement with terms at least as strict as those in this policy. The current list lives at passoagency.com/subprocessors and covers Supabase (database), Vercel (hosting), Stripe (billing), Anthropic (Claude API), ElevenLabs (voiced report), OpenAI (segment portraits), Google (analytics), and the agentic media buying partners confirmed at Stage 1 sign-off.

We will notify merchants at least 30 days before adding a new subprocessor that materially changes this list. The live list at https://passoagency.com/subprocessors is always current.

9. International transfers

Some of our subprocessors are based outside the UK / EEA (notably the US). Where that is the case the transfer is covered by one of the legal transfer mechanisms the UK government accepts: the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision where one applies. You can request a copy of the relevant clauses by emailing hello@passoagency.com.

10. How long we keep your data

  • Shopify-sourced data (products, orders, customers). Kept for as long as the app is installed, plus 30 days after uninstall so you can reinstall without losing history. After 30 days this data is deleted from our primary database; backups are purged within a further 60 days.
  • Billing records. Kept for 7 years after the last invoice, as UK tax law requires.
  • Audit logs (what Passo did, when, on whose behalf). Kept for 24 months. These exist for governance and regulatory traceability and are not used to profile you.
  • Research questionnaire answers and waitlist survey answers. Kept until we have finished analysing the results to set the final product pricing, then deleted in aggregate form only.
  • Support correspondence. Kept for 24 months.

11. Shopify GDPR webhooks

Shopify sends three GDPR-related webhooks to all apps. We handle them as follows:

  • customers/data_request. Received at /api/shopify/webhooks/gdpr/customers/data-request. On receipt we acknowledge within Shopify’s required window and compile the data we hold about the specified shopper for you to pass on.
  • customers/redact. Received at /api/shopify/webhooks/gdpr/customers/redact. We redact the specified shopper from all of our systems, including hashed-email suppression lists and any cached aggregate reports, within 30 days.
  • shop/redact. Received at /api/shopify/webhooks/gdpr/shop/redact. 48 hours after you uninstall, Shopify asks us to delete all data about your store. We run that deletion within 30 days and write an audit record of the fact.

All three webhooks are HMAC-verified on receipt. Requests that fail verification are rejected with HTTP 401 and nothing is stored.

12. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Correct any personal data that is inaccurate or incomplete.
  • Delete your personal data (the “right to be forgotten”), subject to the legal retention periods in section 10.
  • Restrict or object to our processing of your data.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent at any time where we rely on consent as the lawful basis (section 7).
  • Lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk. We would appreciate the chance to put things right first, but you do not need our agreement to complain.

To exercise any of these rights, email hello@passoagency.com with the subject line “Data protection request”. We will respond within 30 days. We may ask you to verify your identity before we act, so we are sure the request is really coming from you.

13. Cookies and similar technologies

On passoagency.com and report.passoagency.com we use a small number of first-party cookies and, with your consent, Google Analytics 4.

  • Session cookies. Essential to keeping you logged in. Cannot be disabled because without them the app does not work.
  • Preference cookies. Remember your last-used dashboard filters and your consent choice for analytics.
  • Analytics cookies (GA4). These load only after you click “Allow” on the consent banner. You can withdraw consent any time by clearing your browser’s cookies for our domain.

We do not use advertising cookies on our own properties. The advertising we buy on your behalf is served by the ad partners, not from our website.

14. Security

We take security seriously because losing a merchant’s trust is the only thing that ends this business.

  • All data in transit uses TLS 1.2+.
  • All data at rest in our primary Postgres is encrypted at the disk level by our infrastructure provider.
  • Access to production data is restricted to on-call staff, audited, and requires two-factor authentication.
  • Row Level Security in the database means a bug in our application code cannot expose one merchant’s data to another.
  • Secrets (tokens, API keys, shopper PII) are never written to audit logs.
  • We run automated dependency scanning and respond to high-severity vulnerabilities within 7 days.

If we ever suffer a personal data breach that is likely to cause a risk to merchant rights, we will notify you and the ICO within 72 hours of confirming the breach, as UK GDPR requires.

15. Children

Passo is a business-to-business service. It is not directed at anyone under 18 and we do not knowingly collect data from anyone under 18.

16. Changes to this policy

We may update this policy from time to time. If the changes are material (new subprocessor with broad data access, change to retention periods, change to lawful basis) we will email the merchant account contact at least 30 days before the change takes effect. Other, minor updates (formatting, clarification) will be posted here with a new “Last updated” date.

17. Contact

For any question about this policy or your data: