← Back to the scanner

Privacy Policy

Checkout Pixel Migrator, operated by Tryful
Effective date: July 9, 2026

This Privacy Policy explains how Tryful (“we”, “us”, “our”) handles information in connection with the Checkout Pixel Migrator application (the “App”) for Shopify. Tryful is an independent software developer operating under the brand “Tryful” (domain tryful.dev); it is not a registered company. If you have any questions, contact us at support@tryful.dev.

1. Who we are

The App helps Shopify merchants migrate their legacy checkout tracking before Shopify removes the “Additional Scripts” field from the Thank You and Order Status pages on August 26, 2026. The App scans the tracking snippets a merchant pastes in, identifies the tracking vendors involved, and moves supported purchase tracking to a Shopify web pixel. For any privacy request, email support@tryful.dev.

2. Scope of this policy

This policy covers three surfaces:

3. Information we collect and process

a. Merchant and store account data

When a merchant installs the App, Shopify authorizes it through OAuth. We store the information Shopify provides to operate the App: the store domain, the Shopify staff user identifier, first and last name, email address, locale, and the API access and refresh tokens needed to call Shopify on the store’s behalf. This is merchant / staff account information — it is not shopper personal data.

b. Tracking-script content and migration configuration

To scan and migrate tracking, we process the tracking code a merchant pastes in and the configuration derived from it:

c. Optional AI assistance (paid, admin-only)

Signed-in merchants may optionally use a paid AI feature to help identify tracking snippets our scanner does not recognize. When (and only when) a merchant explicitly triggers it, the App sends those unrecognized snippets to a configured third-party AI provider for identification, and stores the resulting analysis. The provider is named in the App at the point of use, and that provider’s own terms govern how it handles the data. This feature is never available on the public scanner, and public pastes are never sent to any AI provider.

d. App-usage analytics

To understand how the App is used and improve it, we collect basic product-analytics events — for example which pages are viewed and which actions are taken (running a scan, requesting AI analysis, activating or deactivating the pixel). These events are keyed to the store domain and record only the page path and aggregate counts. They never include the pasted tracking-script content, the public scanner’s input, or any shopper personal data. Events from the public scanner are collected anonymously (no store identifier). We process these events with PostHog, our analytics provider (see section 7). This analytics is captured on our servers, not by third-party code running in your browser.

4. We do not collect shopper personal data

The App does not request access to Shopify customer or order records, and it does not store shopper names, email addresses, or postal addresses in our systems. Because we hold no shopper personal data, Shopify’s mandatory customers/data_request and customers/redact privacy requests have no shopper data to return or erase. When a store is uninstalled and Shopify sends a shop/redact request (approximately 48 hours after uninstall), we delete all data associated with that store.

5. The web pixel and data sent to your configured vendors

After a merchant activates migration, the App installs a Shopify web pixel that runs at checkout. When a purchase completes, the pixel sends purchase-event data directly to the advertising and analytics vendors the merchant has configured (such as Google Analytics 4, Meta, TikTok, and Pinterest). That event data includes the order or checkout token, currency, order value, tax and shipping amounts, line-item details (SKU, title, price, and quantity), the page URL, and the vendor advertising cookies present in the shopper’s browser (for example _ga, _fbp, _fbc, _ttp, ttclid, and _epik). It does not include the shopper’s name, email, or address.

This transmission is gated by the shopper’s consent choices through Shopify’s Customer Privacy API: analytics tracking runs only with analytics consent, and marketing/advertising vendors run only with marketing consent. The merchant is the data controller for the vendor accounts they configure, and each vendor processes the data it receives under its own privacy policy. Tryful does not receive or store this checkout event data — it flows from the shopper’s browser to the merchant’s chosen vendors.

6. How we use information

7. Sharing and service providers

We do not sell personal data. We share information only with the providers needed to run the App:

The advertising and analytics vendors described in section 5 are configured by the merchant, not by us; they receive checkout event data directly and act under the merchant’s direction.

8. Data retention and deletion

We retain merchant account data and migration configuration for as long as the App is installed. When a store uninstalls the App, Shopify sends a shop/redact request (approximately 48 hours later), and we delete all scans, detections, AI analyses, migration configuration, and session records associated with that store. Public scanner pastes are never stored, so there is nothing to retain for them. You may also request deletion of your data at any time by emailing support@tryful.dev.

9. Data security

We use Shopify’s OAuth and session mechanisms, transmit data over encrypted connections (HTTPS/TLS), and limit access to the App’s data. No method of transmission or storage is completely secure, but we take reasonable measures to protect the information we hold.

10. International data transfers

We and our providers may process data in countries other than the one you or your shoppers are located in. Where we transfer data, we rely on appropriate safeguards to protect it.

11. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing (for example under the GDPR or the CCPA). To exercise any of these rights, email support@tryful.dev and we will respond within the time required by applicable law. Merchants can also have their data erased by uninstalling the App, which triggers the deletion described in section 8.

12. Children’s privacy

The App is a business tool for merchants and is not directed at children. We do not knowingly collect personal data from children.

13. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Effective date” above and, where appropriate, notify merchants. Continued use of the App after an update means you accept the revised policy.

14. Contact us

For any question about this policy or your data, contact us at support@tryful.dev.

← Back to the scanner