Privacy Policy

Last updated: 3/30/2026

Business Use Only. Our Services are designed for businesses and their representatives.

1. Introduction & Scope

This Privacy Policy explains how Squoosh ("Squoosh," "we," "our," or "us") collects, uses, stores, shares, and protects information when you use our web application, APIs, and related services (the "Services"), including integrations you connect (including, without limitation, Shopify, Google Analytics/GA4, BigQuery exports, CSV uploads, and other third-party tools you authorize now or in the future).

2. Roles

For your Squoosh account data and our product analytics, Squoosh is a controller.

For store, analytics, and end-customer data you connect to Squoosh, you are the controller and Squoosh acts as your processor under your instructions and authorized scopes.

3. Key Definitions

Customer Data: Data you connect to Squoosh (e.g., from Shopify/GA/BigQuery/CSV) and related site content/configuration.

Experiment Data: Outputs and telemetry created by the Services during experiments (e.g., variant performance, conversion rates, funnel step counts, synthetic-user logs, calibration parameters).

De-identified Data: Data that cannot reasonably be used to identify a natural person or a specific customer account (e.g., aggregated statistics or data with identifiers removed/hashed).

4. Information We Collect

4.1 Account & Support

Name, email, authentication/billing metadata, and messages you send us (support, feedback).

4.2 Integration Data You Authorize

We may support additional integrations from time to time; when you enable one, we process only the data that integration makes available under the scopes/permissions you select. Depending on the features you enable and scopes you grant, we may ingest:

From Shopify (scope-dependent): store metadata (store name, domain, theme/app info); conversion and order metadata (timestamps, totals, product/category identifiers); customer attributes used for segmentation (e.g., device type, geo, gender, lifecycle stage).

Direct identifiers (optional): If you enable features that require them, we may ingest customer contact information (e.g., email, phone) solely to enrich user data to tailor your Shopify site optimization. Shopify APIs may include personal data where permitted by merchant scopes/approvals. Direct identifiers are not imported by default.

From Google Analytics / GA4: traffic & conversion events; device/tech info; geo; demographics/interest categories when enabled in your GA property. We often transform these into aggregated cohort metrics; where needed for calibration/debugging, we may store pseudonymous event-level records for a limited period.

Other Sources You Connect (now or in the future): BigQuery exports, CSV uploads, webhooks, data warehouses/CDPs, ad/analytics platforms, or other APIs you authorize.

4.3 Documents, Configs, & Sandbox Artifacts

Test plans, variant definitions (versions of your website you are testing), prompts/configuration, synthetic shopper archetypes, calibration parameters, simulation logs, experiment results, and sandbox snapshots (ephemeral unless you choose to save them).

4.4 Product Analytics & Cookies

App usage (pages, features, session duration), device/tech info, IP address, and interaction data to operate and improve the Service.

Cookies & Similar Technologies: used to keep you signed in, remember preferences, and understand product usage. You can control cookies via your browser settings; disabling them may affect functionality. Our Services currently do not respond to "Do Not Track" signals.

5. How We Use Information

As Your Processor

  • Generate and calibrate synthetic shoppers; run A/B/n experiments; produce insights.
  • Provide dashboards, reports, exports, and historical comparisons.
  • Support reliability, troubleshooting, and security.
  • If you enable ingestion of customer emails/phones, we process them only to enrich user data to tailor your Shopify site optimization, under your instructions.

As Controller

  • Create and maintain your account; provide support.
  • Communicate about product updates and service notices.
  • Analyze and improve the Service (including using de-identified/aggregated analytics).

We do not use your merchants' end-customer data for our own independent marketing.

6. Model Improvement & Context Engineering

We create and use De-identified Data derived from Customer Data and Experiment Data to operate and improve the Services, including to develop, fine-tune, and evaluate models used by the Service and to update prompts/system configurations ("context engineering"). Training and evaluation datasets are prepared using de-identification (e.g., aggregation, removal or hashing of identifiers) and do not include direct identifiers (such as customer email/phone). De-identified datasets and resulting training artifacts cannot reasonably be used to identify a natural person or a specific customer account.

7. Storage & Minimization

  • Aggregated by default for demographic/device/geo signals (counts/percentages).
  • Event-level (limited): pseudonymous records only where necessary for calibration, reproducibility, fraud prevention, or debugging.
  • Direct identifiers (optional): processed only for the optimization features you enable; where feasible we hash/pseudonymize and limit access.
  • We do not store raw payment card data.

8. Sharing & Disclosures

  • Service providers. We use third-party service providers (e.g., hosting, analytics, AI processing, email). We share information with them to help deliver the Services and do not authorize their independent use of Customer Data beyond providing those services to Squoosh. We also limit what we send and favor de-identified or aggregated data where feasible.
  • We may disclose data if required by law or to protect rights/safety, or in connection with a business transaction (e.g., merger or acquisition).
  • We do not sell personal information.

9. Security

We take reasonable and appropriate measures to protect information in our possession (including role-based access and least-privilege controls).

10. Retention & Deletion

  • Account data: retained while your account is active; deleted or anonymized within 30–90 days after closure.
  • Event-level integration data (pseudonymous): retained up to 30–180 days, then deleted or aggregated/de-identified.
  • Aggregated cohorts & experiment results: retained up to 36 months for trendlines/benchmarking.
  • Sandbox snapshots & uploads: ephemeral by default; deleted after processing unless you save them.
  • Backups/logs: typically rotated within 35 days.
  • Disconnecting an integration: ingestion stops immediately; related stored data is deleted or aggregated within 7–14 days (subject to backups).
  • Training artifacts: de-identified datasets for model improvement may be retained to maintain model quality. Previously trained model parameters are not feasibly "untrained"; we cease using your data going forward from termination/disconnection.

11. Your Rights & Choices

Subject to applicable law, you may:

  • Access, correct, or delete your personal data.
  • Export experiment results and reports.
  • Opt out of non-essential communications.
  • Manage analytics/cookies via your browser settings.

12. Changes to This Policy

We may update this Policy. Material changes will be posted here and/or sent by email. If we materially expand the categories of personal data we collect from an integration or change our purposes, we'll update this Policy and/or notify you.

13. Contact

Questions or requests: privacy@squoosh.ai