Privacy Policy.

How Mocha Analytics collects, uses, and protects your data.

Last Updated: June 2026

1. Introduction

Mocha Analytics ("we", "us", or "our") operates the Mocha Analytics dashboard (the "Service"). This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

This Privacy Policy is publicly accessible and applies to all users of our Service.

2. Shopify Store Data Access

To provide our analytics services, we request the following Shopify API permissions:

  • read_orders: To analyse sales performance, revenue metrics, order trends, and customer purchase patterns
  • read_products: To track product performance, inventory levels, and calculate product-level metrics
  • read_customers: To provide customer analytics, segmentation, cohort analysis, and lifetime value calculations
  • read_inventory: To monitor stock levels, provide reorder alerts, and track inventory turnover
  • read_locations: To support multi-location inventory analytics
  • read_returns: To analyse return patterns and calculate return rates

Data Usage Restrictions: This data is accessed solely to provide the analytics dashboard and reporting features described in our Service. We do not:

  • Sell, rent, or trade your Shopify store data to third parties
  • Use your data for competitive benchmarking against other merchants
  • Directly contact your customers using data obtained through Shopify APIs, unless explicitly authorised by you or the information was obtained through another legitimate source
  • Use your data for any purpose other than providing our stated services to you

Your use of Shopify is separately governed by Shopify's Terms of Service and Privacy Policy.

3. Google API Services Data

3.1 Google Analytics 4 (GA4)

When you connect your Google Analytics account, we access:

  • Website traffic and session data
  • User behaviour and conversion metrics
  • Traffic source and channel information
  • Audience demographics and interests (aggregated)

Scope requested: analytics.readonly

3.2 Google Ads

When you connect your Google Ads account, we access:

  • Campaign performance metrics (impressions, clicks, cost, conversions)
  • Ad group and keyword performance data
  • Search terms reports
  • Device and geographic performance breakdowns

Scope requested: https://www.googleapis.com/auth/adwords

3.3 Google Search Console

When you connect your Search Console account, we access:

  • Search performance data (impressions, clicks, CTR, position)
  • Search query reports
  • Page-level performance metrics

Scope requested: webmasters.readonly

3.4 Google API Limited Use Disclosure

Mocha Analytics' use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we:

  • Only use Google user data to provide or improve user-facing features that are prominent in our application's user interface
  • Do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, with user consent, for security purposes, or to comply with applicable laws
  • Do not use Google user data for serving ads, including retargeting, personalised, or interest-based advertising
  • Do not use Google user data to determine credit-worthiness or for lending purposes
  • Do not use Google user data to train generalised AI or machine learning models
  • Do not allow humans to read Google user data unless we have obtained affirmative agreement from the user, it is necessary for security purposes, or it is required to comply with applicable law

4. Marketing and Support Platform Integrations

When you choose to connect a marketing or support platform, we access its data on a read-only basis solely to display analytics within our dashboard and scheduled email reports. We never modify your data on these platforms, send communications on your behalf, or share this data with third parties. Each connection can be revoked at any time from Settings > Integrations.

4.1 Klaviyo

When you connect your Klaviyo account, we access:

  • Email campaign performance (sends, opens, clicks, revenue)
  • Flow and automation metrics
  • List and segment sizes
  • Profile counts and engagement data

Scopes requested: accounts:read, metrics:read, campaigns:read, flows:read, lists:read

Your use of Klaviyo is separately governed by Klaviyo's Terms of Service and Privacy Notice.

4.2 Omnisend

Mocha Analytics accesses your Omnisend account data via the Omnisend API using an encrypted API key. The API key is stored with AES encryption and is never exposed in logs or client-side code.

Data types accessed:

  • Email and SMS campaign performance (sends, opens, clicks)
  • Automation and workflow metrics
  • Engagement metrics (open rates, click rates, unsubscribe rates)

Data stored: Campaign and automation performance metrics.

This data is used solely to display marketing analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Omnisend data for profiling, advertising, or targeting
  • Sell, share, or transfer your Omnisend data to any third party
  • Modify your campaigns, automations, contacts, or message content
  • Send communications on your behalf
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Omnisend data at any time by disconnecting the integration in your Mocha Analytics account settings, or by revoking the API key from your Omnisend account under Store settings > Integrations & API. Your use of Omnisend is separately governed by Omnisend's Terms of Service and Privacy Policy.

4.3 HubSpot

Mocha Analytics accesses your HubSpot account data via the HubSpot API using OAuth 2.0 authorisation. We store encrypted access and refresh tokens to maintain your connection.

Data types accessed:

  • Marketing email campaign performance metrics (sends, opens, clicks, bounces, unsubscribes)
  • Email campaign metadata (name, subject line, send date, type)

This data is used solely to display analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your HubSpot data for profiling, advertising, or targeting
  • Sell, share, or transfer your HubSpot data to any third party
  • Modify your campaigns, contacts, or email content
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your HubSpot data at any time by disconnecting the integration in your Mocha Analytics account settings, or by removing the app from your HubSpot account under Settings > Integrations > Connected Apps.

4.4 Meta Ads

Mocha Analytics accesses your Meta Ads account data via the Meta Marketing API using read-only OAuth 2.0 authorisation.

Data types accessed:

  • Campaign performance metrics (impressions, clicks, spend, CPM, CPC)
  • Ad set and ad creative performance
  • Account-level spend and return on ad spend

This data is used solely to display analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Meta Ads data for profiling, advertising, or targeting
  • Sell, share, or transfer your Meta Ads data to any third party
  • Modify your campaigns, budgets, audiences, or ad creative
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Meta Ads data at any time by disconnecting the integration in your Mocha Analytics account settings, or by removing access from your Meta Business Settings.

4.5 Snapchat Ads

Mocha Analytics accesses your Snapchat Ads account data via the Snapchat Marketing API using OAuth 2.0 authorisation. We store encrypted access and refresh tokens to maintain your connection.

Data types accessed:

  • Campaign performance metrics (spend, impressions, swipes/clicks, conversions)
  • Campaign metadata (name, status, start and end dates)
  • ROAS and cost-per-action calculations

Data stored: Campaign-level daily performance metrics.

This data is used solely to display analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Snapchat Ads data for profiling, advertising, or targeting
  • Sell, share, or transfer your Snapchat Ads data to any third party
  • Modify your campaigns, budgets, audiences, or ad creative
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Snapchat Ads data at any time by disconnecting the integration in your Mocha Analytics account settings, or by removing the app from your Snapchat Ads Manager under Manage Connections.

4.6 Pinterest Ads

Mocha Analytics accesses your Pinterest Ads account data via the Pinterest Ads API using OAuth 2.0 authorisation. We store encrypted access and refresh tokens to maintain your connection.

Data types accessed:

  • Campaign performance metrics (spend, impressions, clicks, conversions)
  • Campaign metadata (name, status, start and end dates)
  • ROAS and cost-per-action calculations

Data stored: Campaign-level daily performance metrics. Note that Pinterest returns spend values in USD regardless of your account currency.

This data is used solely to display analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Pinterest Ads data for profiling, advertising, or targeting
  • Sell, share, or transfer your Pinterest Ads data to any third party
  • Modify your campaigns, budgets, audiences, or pin creative
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Pinterest Ads data at any time by disconnecting the integration in your Mocha Analytics account settings, or by removing the app from your Pinterest Business account under Apps settings.

4.7 TikTok Ads

Mocha Analytics accesses your TikTok Ads account data via the TikTok Marketing API using read-only OAuth 2.0 authorisation. We store encrypted access and refresh tokens to maintain your connection.

Data types accessed:

  • Advertiser account information
  • Campaign performance metrics (impressions, clicks, cost, conversions)
  • Campaign metadata (name, status, start and end dates)
  • ROAS and cost-per-action calculations

Data stored: Campaign-level daily performance metrics.

This data is used solely to display analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your TikTok Ads data for profiling, advertising, or targeting
  • Sell, share, or transfer your TikTok Ads data to any third party
  • Create, modify, or manage your campaigns, budgets, audiences, or ad creative
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your TikTok Ads data at any time by disconnecting the integration in your Mocha Analytics account settings, or by removing the app from your TikTok Ads Manager under authorised apps. Your use of TikTok Ads is separately governed by TikTok's Terms of Service and Privacy Policy.

4.8 Gorgias

Mocha Analytics accesses your Gorgias helpdesk data via the Gorgias API using an encrypted API key. The API key is stored with AES encryption and is never exposed in logs or client-side code.

Data types accessed:

  • Support ticket statistics (ticket count, response times, satisfaction scores)
  • Individual ticket metadata (subject, status, channel, assignee)
  • Customer email addresses from tickets (used solely for matching to your store customers)

Data stored: Daily support statistics and recent ticket details.

This data is used solely to display support performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Gorgias data for profiling, advertising, or targeting
  • Sell, share, or transfer your Gorgias data to any third party
  • Create, modify, or respond to support tickets on your behalf
  • Contact your customers using email addresses obtained from tickets
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Gorgias data at any time by disconnecting the integration in your Mocha Analytics account settings, or by revoking the API key from your Gorgias account under Settings > REST API.

4.9 Recharge

Mocha Analytics accesses your Recharge subscription data via the Recharge API using an encrypted API key. The API key is stored with AES encryption and is never exposed in logs or client-side code.

Data types accessed:

  • Subscription details (product, price, billing interval, status)
  • Charge and billing data (amounts, success/failure status)
  • Customer email addresses from subscriptions (used solely for matching to your store customers)
  • Computed metrics such as MRR, churn rate, and subscriber counts

Data stored: Subscription details, charge history, and daily subscription metrics.

This data is used solely to display subscription analytics and performance insights within your Mocha Analytics dashboard and scheduled email reports. We do NOT:

  • Use your Recharge data for profiling, advertising, or targeting
  • Sell, share, or transfer your Recharge data to any third party
  • Create, modify, cancel, or pause subscriptions on your behalf
  • Process charges or modify billing settings
  • Contact your customers using email addresses obtained from subscriptions
  • Use your data for any purpose other than displaying analytics to you

You may revoke Mocha Analytics' access to your Recharge data at any time by disconnecting the integration in your Mocha Analytics account settings, or by revoking the API key from your Recharge account under Settings > API tokens.

5. Data We Collect

We collect several types of information for various purposes to provide and improve our Service:

Data Type | Examples | Purpose
Account Data | Email address, name, password (hashed) | Account authentication and communication
Shopify Store Data | Orders, products, customers, inventory levels | Analytics and reporting
Google Analytics Data | Sessions, traffic sources, conversions | Website performance analytics
Google Ads Data | Campaign metrics, ad performance | Paid advertising analytics
Search Console Data | Search queries, impressions, clicks | SEO performance analytics
Klaviyo Data | Email campaigns, flows, engagement metrics | Email marketing analytics
Omnisend Data | Email and SMS campaigns, automations, engagement metrics | Email marketing analytics
HubSpot Data | Marketing email campaigns, engagement metrics | Email marketing analytics
Meta Ads Data | Campaign metrics, ad performance | Paid advertising analytics
Snapchat Ads Data | Campaign metrics, ad performance | Paid advertising analytics
Pinterest Ads Data | Campaign metrics, ad performance | Paid advertising analytics
TikTok Ads Data | Campaign metrics, ad performance | Paid advertising analytics
Gorgias Data | Support ticket statistics, ticket metadata | Customer support analytics
Recharge Data | Subscription details, charge history, MRR/churn metrics | Subscription analytics
Usage Data | Pages visited, features used, session duration | Service improvement
Device Data | Browser type, IP address | Security and troubleshooting

6. How We Use Your Data

We use the collected data to:

  • Provide and maintain the Service
  • Display your store analytics and metrics
  • Generate forecasts and recommendations
  • Send you scheduled reports (if enabled)
  • Notify you about changes to our Service
  • Provide customer support
  • Monitor usage to improve our Service
  • Detect and prevent technical issues and security threats

We do not use your data to:

  • Serve advertisements
  • Sell to third parties
  • Create competitive benchmarking reports
  • Train AI or machine learning models for purposes unrelated to your service
  • Contact your customers directly

7. Legal Basis for Processing (GDPR)

If you are from the European Economic Area (EEA), our legal basis for processing your data is:

  • Contract: Processing necessary to provide the Service you requested
  • Consent: For optional features like email reports and third-party integrations
  • Legitimate Interest: To improve and secure the Service

8. Data Retention and Deletion

We retain your data for as long as your account is active or as needed to provide the Service. Historical analytics data is retained to enable year-over-year comparisons.

Data Deletion Triggers: All personal data and store data is permanently deleted within 30 days when:

  • You uninstall the Mocha Analytics app from your Shopify store
  • You request deletion of your Mocha Analytics account by contacting us
  • Your data is no longer required to provide the Service
  • We receive an enforceable deletion request from you, your customers, or Shopify
  • A connected integration (Google, Klaviyo) is disconnected and you request deletion

Data Access: Under the GDPR you have the right to access and receive a copy of your personal data. You can request a copy of your data by contacting us, and we will provide it within the timeframe required by law.

9. Data Sharing and Service Providers

We do not sell your data.

We may share data with:

Service Provider | Purpose | Data Protection
Railway | Cloud hosting infrastructure | EU-compliant, encrypted at rest
Sentry | Error tracking and monitoring | Data minimisation, no PII logged
Vercel | Frontend hosting and analytics | GDPR-compliant
Stripe | Subscription payment processing | PCI-DSS compliant, card data stored by Stripe
SendGrid | Email report and notification delivery | GDPR-compliant

Service Provider Protections: All service providers are bound by data protection agreements that:

  • Protect your data with terms at least as protective as those required by Shopify and Google
  • Limit use of your data solely to providing services to our Application
  • Prohibit use of your data for their own independent purposes
  • Require keeping your data secure and confidential
  • Require notification of any security incidents

Other Disclosures: We may disclose data if required by law, legal process, or to protect our rights and the safety of our users.

10. Data Security

We implement industry-standard security measures including:

  • Encryption in Transit: All data transferred using TLS 1.2 or higher
  • Encryption at Rest: All sensitive data encrypted using AES-256
  • API Credentials: Encrypted using Fernet symmetric encryption (AES-128 with HMAC-SHA256)
  • Passwords: Hashed using PBKDF2-SHA256 with 100,000 iterations
  • Authentication: Secure httpOnly cookies with CSRF protection
  • Rate Limiting: Protection against brute force and denial of service attacks
  • Access Logging: Activity logs retained for security monitoring
  • Regular Audits: Periodic security reviews and vulnerability assessments

OAuth tokens and API credentials are stored securely and never exposed in client-side code.

11. Data Breach Notification

In the event of a data breach affecting your data, we will:

  • Notify Shopify: Within 24 hours of becoming aware of any actual or suspected breach involving Shopify merchant data
  • Notify Google: Promptly if the breach involves Google user data, in accordance with Google's requirements
  • Notify Other Platform Providers: Promptly notify the relevant platform provider for any connected integration (including Meta Ads, Snapchat Ads, Pinterest Ads, TikTok Ads, Klaviyo, Omnisend, HubSpot, Gorgias, or Recharge) affected by the breach
  • Investigate: Immediately investigate the incident and take reasonable actions to prevent further data loss
  • Notify Affected Users: Notify affected users as required by applicable law (including GDPR's 72-hour requirement) and without unreasonable delay
  • Cooperate: Cooperate with relevant authorities and provide regular updates on our investigation

12. International Data Transfers

Your data is processed primarily in the European Union and United States. Data may be transferred to countries outside your country of residence. We ensure appropriate safeguards through:

  • EU-US transfers: Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework
  • UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Other transfers: Appropriate safeguards as required by applicable law

We only transfer data to countries with adequate protection levels or where appropriate safeguards are in place.

13. Children's Privacy (COPPA Compliance)

Our Service is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from children without verification of parental consent, we will take steps to remove that information from our servers.

In compliance with the Children's Online Privacy Protection Act (COPPA), we do not use Google Sign-In or any Google API Service that accesses data associated with a Google Account for any functionality directed at children under 13.

14. Your Rights

14.1 GDPR Rights (EEA Residents)

If you are a resident of the European Economic Area, you have the following rights:

  • Access: Request a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Restriction: Limit processing of your data
  • Portability: Receive your data in a structured, commonly used, and machine-readable format (JSON or CSV)
  • Objection: Object to processing based on legitimate interest
  • Withdraw Consent: Withdraw consent for optional data processing at any time

14.2 CCPA Rights (California Residents)

California residents have the right to:

  • Know what personal information is collected
  • Know whether personal information is sold or disclosed
  • Say no to the sale of personal information (we do not sell your data)
  • Access your personal information
  • Request deletion of your personal information
  • Equal service and price (non-discrimination)

14.3 UK GDPR Rights (UK Residents)

Following Brexit, UK residents have equivalent rights under the UK General Data Protection Regulation. You have the same rights as listed in Section 14.1 above.

14.4 PIPEDA Rights (Canadian Residents)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access, correct, and withdraw consent for the use of your personal information.

To exercise any of these rights, use the data export and deletion features in Settings, disconnect any integration from your Mocha Analytics account settings, or contact us at the email below. Google services can also be revoked at myaccount.google.com/permissions.

15. Cookies

We use strictly necessary cookies for authentication (httpOnly, secure). We do not use:

  • Tracking cookies
  • Third-party advertising cookies
  • Analytics cookies that collect personal information

16. Third-Party Links

Our Service may contain links to external sites that are not operated by us. We have no control over their content or privacy practices and encourage you to review their policies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes
  • Requesting consent for changes that affect how we process your data

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

18. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us at hello@mochadash.com.

Response Time: We aim to respond to all privacy-related requests within 30 days, or sooner as required by applicable law.
