Privacy Policy — FirstBridge Analytics

        Short version: We process your Shopify store data to show you analytics. We do not sell your data, do not store raw order records, and do not share anything with third parties beyond what it takes to run the app (Cloudflare for hosting, OpenStreetMap for map tiles). All configuration data lives in your own Shopify store as metafields.
      

1. Who we are

FirstBridge Analytics ("we", "us", "our") is a Shopify app built and operated by First Bridge Consulting (firstbridgeconsulting.com). We build practical analytics tools for Shopify merchants. FirstBridge Analytics is our flagship product — a free-to-start sales analytics, profit tracking, and geographic insights app designed for growing Shopify stores.

Contact: support@firstbridgeconsulting.com

2. What data we access

When you install FirstBridge Analytics we request these Shopify API scopes:

read_orders — order totals, dates, refunds, and return status for analytics aggregation.
read_all_orders — orders older than 60 days, required to deliver the Pro plan's unlimited-history feature and the Free plan's 90-day window.
read_customers — customer IDs and aggregate fields (lifetime orders, segment) used to compute unique-customer counts, cohort retention, LTV, and RFM segments. We never read customer names, phone numbers, or marketing-consent fields.
read_products — product and variant IDs, titles, and images for Top Products, COGS settings, and per-product reports.
read_inventory — inventory levels for the Inventory at Risk view.
read_returns — return reason codes for the Returns analytics panel.
read_shopify_payments_payouts — payout records for the Payouts report (only stores using Shopify Payments are affected).
read_checkouts — abandoned-checkout summaries for the Abandoned Cart marketing report.
read_gift_cards — gift-card issuance and redemption for the Gift Cards report.
read_locations — physical store locations referenced by orders, used to label sales by POS location in the Sales Attribution report.

Access to shipping address country/region data (used in Geographic Analytics) is covered by the Analytics use case under Shopify's Protected Customer Data framework. We request only the minimum fields needed and never read individual customer contact details.

3. How we use the data

All order data is processed in real time on our servers to produce aggregated metrics (totals, averages, percentages). The raw order records are never written to any database or third-party service. The only data we persist are:

Your COGS / cost settings — stored in a Shopify metafield in your own store under the namespace firstbridge_analytics. You can delete them by uninstalling the app.
Your preferences (e.g., dismissed banners, default date range) — also stored as a Shopify metafield in your store.
Plan cache — a 30-second ephemeral cache key in Cloudflare KV recording whether your plan is Free or Pro. It is invalidated when you change or cancel your subscription.

We do not build merchant profiles, sell data, or use your store data to train machine-learning models.

4. Geographic Analytics and map tiles

The Geographic Analytics map is rendered by Leaflet in your browser using OpenStreetMap tile images. When you view the map, your browser fetches tile images directly from OpenStreetMap servers. This means OpenStreetMap may log your browser's IP address. We have no control over OpenStreetMap's data practices; see their privacy policy.

Heat-map data we return is pre-aggregated by country (Free plan) or 0.1° grid cell (~11 km, Pro plan). Individual order coordinates are never sent to your browser.

5. Infrastructure and sub-processors

Cloudflare, Inc. — our backend runs on Cloudflare Workers and Cloudflare Pages. Request metadata (IP, URL, timestamps) may appear in Cloudflare's access logs per their privacy policy. Data is not transferred outside the standard Cloudflare infrastructure.
Shopify, Inc. — all data originates in and is returned to your Shopify store. Shopify's own privacy policy governs their handling of your store data.
OpenStreetMap Foundation — map tile images only, as described above.

We do not use Google Analytics, Facebook Pixel, Segment, or any other analytics or advertising platform on either the app or this website.

6. Data retention and deletion

When you uninstall FirstBridge Analytics, Shopify automatically removes all app-owned metafields from your store. The 30-second KV plan cache is purged by our app/uninstalled webhook handler immediately on uninstall. No other merchant data is held by us beyond that point.

7. GDPR and merchant customer data requests

We implement all mandatory Shopify GDPR webhooks:

customers/data_request — we hold no individually identifiable customer data; we acknowledge the request.
customers/redact — same; we acknowledge.
shop/redact — we purge any remaining ephemeral state for the shop.

Because we store only aggregated counts and your own configuration (not customer records), there is no individual customer data to export or erase on our side.

8. Cookies and local storage

FirstBridge Analytics does not set any cookies. The Shopify App Bridge SDK may use browser session storage to manage the embedded-app session token; this is governed by Shopify's own terms.

9. Security

All traffic between your browser, our backend, and Shopify's API is encrypted via TLS 1.3. Session tokens are Shopify-signed JWTs verified on every request using HMAC-SHA256. We do not persist access tokens anywhere.

10. Changes to this policy

We may update this policy when we add new features or sub-processors. Material changes will be communicated via the Shopify Partner email associated with your store. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Questions or data requests: support@firstbridgeconsulting.com
First Bridge Consulting · firstbridgeconsulting.com