1. Who We Are
KAK is an AI-powered intelligence platform for Shopify × Meta brands. KAK is operated by KAK Digital LLC, a Wyoming limited liability company registered in the United States. This privacy policy explains how we collect, use, and protect data when you use our managed service.
2. Data We Collect
A. From You (Brand Owner/Service User)
- Name, email, business name, phone number, and contact information
- Billing and payment information (processed via Stripe — we do not store card details)
- Shopify store credentials and API access tokens
- Meta Ads account credentials (ad account ID, pixel ID, access tokens)
- Facebook Login and OAuth tokens (when you authorize KAK via Facebook)
- Business profile information and store configuration settings
B. From Your Store Visitors (via JavaScript Tracker)
KAK's JavaScript tracker collects behavioral signals from visitors on your Shopify store:
| Data Type | Examples | Purpose |
|---|---|---|
| Page interactions | Page views, scroll depth, time on page, clicks | Intent scoring |
| Product interactions | Image zoom, size selection, add to cart, wishlist | Purchase intent signals |
| Session data | Session ID, visitor ID (anonymous) | Identity stitching across sessions |
| Device info | Browser type, screen size, device type, user agent | Audience segmentation |
| Purchase data | Order value, products, customer email (hashed) | RFM segmentation, CAPI events |
| Form submissions | Opt-in data, newsletter signups | Audience building, consent capture |
C. From Meta Ads API
- Campaign performance metrics (spend, impressions, clicks, conversions)
- Ad set and creative performance data
- Audience sizes and demographic delivery metrics
- Account structure and ad account permissions
D. From Shopify API
- Store configuration (name, URL, locale, currency)
- Product catalog (titles, images, prices, inventory)
- Customer data (email, name, purchase history — hashed for CAPI)
- Order data (date, value, items, customer identifier)
- Webhook events for real-time order and customer updates
3. How We Use Data
- Visitor intent scoring — behavioral signals converted to 0-100 purchase intent scores for audience segmentation
- RFM segmentation — customers categorized by Recency, Frequency, Monetary value for targeting
- Smart audiences — segments synced to Meta Ads for precise advertising
- Conversions API (CAPI) events — server-side events sent to Meta to optimize ad delivery and train algorithms
- Campaign performance analysis — AI-driven grading and recommendations for ad accounts
- Daily briefings — aggregated insights delivered via email
- Identity resolution — stitching visitor sessions across devices and touchpoints (first-party only)
- Service delivery and support — account management, troubleshooting, customer service
4. Meta Platform Data & CAPI Compliance
What Facebook/Instagram Data We Access
When you authorize KAK via Facebook Login or connect your Meta Ad account, we access:
- Ad account access — campaigns, ad sets, creatives, performance metrics
- Audience sync — ability to upload custom audiences and lookalike audiences to Meta
- Pixel data access — web events from your Meta Pixel (if connected)
- Account information — business account details, time zones, spend limits
How We Use Facebook Login & OAuth Tokens
- OAuth tokens are stored encrypted and used only to authenticate API requests to Meta
- We never share tokens with third parties
- Tokens are rotated and re-requested periodically for security
- You can revoke our access at any time via Meta App Settings or your Facebook account
Meta Conversions API (CAPI)
The following data is sent server-side to Meta via the Conversions API:
- Hashed identifiers — email and phone number are SHA256-hashed before transmission. We never send plaintext personal data to Meta.
- Event data — custom behavioral events (high_intent_browse, size_consideration, product_deep_engagement, purchase_intent_signal, collection_explorer, repeat_visitor_return)
- Standard conversion events — Purchase, AddToCart, ViewContent, InitiateCheckout (enhanced with behavioral context)
- Event parameters — currency, value, content ID, content type, event ID (for deduplication)
Data Hashing & Privacy
All personally identifiable information (email, phone, name) is SHA256-hashed using industry-standard multi-key hashing before being sent to Meta. Meta receives hashed values only and cannot reverse-engineer the original data. This maintains privacy while allowing Meta to match events to user accounts for campaign optimization.
How to Revoke Facebook/Instagram Permissions
- Visit Facebook Settings > Apps and Websites
- Find "KAK" in the list of connected apps
- Click it and select "Remove"
- Contact hello@kakedge.com to ensure KAK access is fully revoked in our system
5. Shopify Data Handling
KAK connects to your Shopify store via the Shopify Admin API. We access and process:
- Product data — catalog, descriptions, pricing (for audience building and insights)
- Customer data — email, name, order history (hashed before CAPI transmission)
- Order events — purchase confirmations, order status updates (via webhooks)
- Store configuration — locale, currency, store name
Shopify data is processed on your dedicated Supabase database and is never transferred to KAK's infrastructure. You retain full ownership of your store data.
6. Where Data Is Stored
- Supabase (PostgreSQL) — visitor behavioral data, customer profiles, audience segments. Hosted on your dedicated Supabase project (you retain the database).
- Vercel Edge Functions — dashboard frontend, API processing. Data is processed at the edge but not permanently stored.
- Meta Platforms — hashed CAPI events and custom audiences, subject to Meta's data retention policies
- Shopify — original store and customer data remains on Shopify's infrastructure
Important: All data is stored under your accounts (Supabase, Shopify, Meta). KAK has operational access to manage the platform but does not independently store customer data on KAK-controlled servers.
7. Data Retention & Deletion
| Category | Retention |
|---|---|
| Visitor behavioral data (tracker events) | Active life of merchant's subscription + 30 days after cancellation |
| Customer RFM profiles | Same as above |
| Shopify order / customer / product mirrors | Same as above |
| Meta audience segments | Synced continuously; deleted with tenant DB on day 30 |
| Campaign performance data | Same as above |
| Meta and Shopify OAuth tokens | Revoked at cancellation; rows purged on day 30 |
| Event logs (admin audit, application logs) | 12 months rolling |
| Database backups (point-in-time recovery) | 30 days after primary deletion (worst-case total lifetime: 60 days) |
| Deletion certificates (hash only, no PII) | 7 years — legal evidence of deletion |
| Billing records (invoices, tax forms) | 7 years (US federal tax retention requirement) |
On cancellation we enter a 30-day deletion lifecycle: 14 days full read-write access, 15 days read-only, then permanent hard delete. Full detail at /trust.html.
8. Data Deletion & User Rights
How to Request Data Deletion
If you wish to delete your account and all associated data, visit:
kakedge.com/data-deletion
You can also email hello@kakedge.com with a data deletion request. We will:
- Delete all visitor behavioral data from Supabase
- Delete your account credentials and API tokens
- Revoke Meta Conversions API permissions
- Delete audience segments from Meta
- Provide confirmation within 30 days
Your Data Rights
Under GDPR (EU/UK), CCPA/CPRA (California), DPDPA 2023 (India), and other applicable privacy laws, you have the right to:
- Access — request a copy of all data we process about you
- Correction — request correction of inaccurate personal information (GDPR Art. 16 / CPRA §1798.106 / DPDPA §12)
- Deletion — request permanent erasure of your data (GDPR Art. 17 / CPRA §1798.105 / DPDPA §12)
- Portability — receive your data in a structured, machine-readable JSON format (GDPR Art. 20 / CPRA §1798.130(a)(3) / DPDPA §11)
- Objection & restriction — object to, or restrict, our processing (GDPR Art. 18 and 21)
- Opt out of automated decision-making — object to our use of automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22 / CPRA §1798.185(a)(16))
- Limit use of sensitive personal information — CPRA-specific (§1798.121)
- Non-discrimination — we will not discriminate against you for exercising any of these rights (CCPA §1798.125)
- Withdraw consent at any time
- Lodge a complaint with your supervisory authority (GDPR Art. 77)
12-month look-back: California residents may request the categories and specific pieces of personal information we have collected, sold, or shared in the preceding 12 months (CPRA §1798.130(a)(5)).
To exercise any of these rights, email hello@kakedge.com or grievance@kakedge.com. We respond within 30 days (GDPR Art. 12 / DPDPA §13) or 45 days (CCPA/CPRA §1798.130) depending on jurisdiction. You can also export your data directly from your dashboard at any time.
9. GDPR Compliance (EU Users)
If you are located in the European Union or United Kingdom, KAK complies with the General Data Protection Regulation (GDPR):
- Legal basis: Data processing is based on your explicit consent (via Terms of Service acceptance)
- Data Processing Agreement: Available upon request for enterprise clients
- Purpose limitation: Data is used only for intent scoring, audience building, and campaign optimization
- Data minimization: We collect only the data necessary for our service
- Storage limitation: Data is retained for 12 months then auto-archived
- International transfers: Data may be transferred to the US (Meta CAPI) — we ensure appropriate safeguards
- Data Subject Rights: Full access, correction, deletion, portability, and objection rights available
- Named contact: Karthik Venkatesh, Data Protection Lead — grievance@kakedge.com (monitored daily). KAK is not currently required to appoint a formal DPO under GDPR Art. 37 but maintains an equivalent contact.
10. CCPA Compliance (California Users)
If you are a California consumer, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to Know: You can request what personal information KAK collects, uses, and shares
- Right to Delete: You can request deletion of your personal information (with limited exceptions)
- Right to Opt-Out: You can opt out of "sales" of your personal information (we do not sell data)
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Shine the Light: California residents can request disclosure of information shared with third parties
To exercise CCPA rights, email hello@kakedge.com or visit /data-deletion. Requests must include: full name, email, and description of the right you're exercising.
11. Do Not Sell or Share My Personal Information (CCPA/CPRA)
KAK does not sell and does not share personal information for cross-context behavioural advertising as those terms are defined by the CCPA/CPRA (California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020). We do not:
- Sell email addresses, phone numbers, or personal identifiers for monetary or other valuable consideration
- Share personal information with third parties for their own cross-context behavioural advertising
- Provide data to data brokers or marketing-list vendors
- License personal information to third parties for commercial purposes
We DO transmit SHA-256 hashed shopper identifiers and conversion events to Meta via Conversions API, but this is on the merchant's behalf, to the merchant's own Meta ad account, for the merchant's own advertising optimization. This is a processor-to-processor data flow directed by the merchant (Controller), not a sale or share as defined by CPRA.
To exercise your Do Not Sell or Share right, visit /data-deletion or email hello@kakedge.com. This link is available in our site footer on every page.
11a. Automated Decision-Making (GDPR Art. 22 / CPRA)
Our platform uses automated systems to score shopper intent and build audience segments that are then used by Meta's ad-delivery algorithms. Meta's machine-learning models fall outside KAK's direct control, but to the extent KAK's own scoring qualifies as automated decision-making with legal or similarly significant effects, you have the right to:
- Request meaningful information about the logic involved
- Request human review of any decision
- Object to the processing and request an alternative
Email hello@kakedge.com to exercise this right.
12. DPDPA Compliance (India)
KAK complies with the Digital Personal Data Protection Act (DPDPA) 2023:
- Consent: Data processed with explicit, informed consent obtained at signup (DPDPA §6)
- Purpose limitation: Data used only for providing the KAK Edge service as documented in this policy
- Data minimization: We collect only what is necessary
- Storage limitation: Defined retention schedule (see /trust.html); deletion within 30 days of termination
- Data principal rights: Full access, correction, deletion, portability, and grievance redressal per DPDPA §11–14
- Cross-border transfers: We may transfer your data to notified jurisdictions (currently the United States and the European Union for Supabase/Vercel hosting); we rely on Standard Contractual Clauses and contractual safeguards in line with DPDPA §16
Designated Grievance Officer (DPDPA §8(10))
Karthik Venkatesh, Founder & Data Protection Lead
KAK Digital LLC
Email: grievance@kakedge.com
Alternate: hello@kakedge.com
Response SLA: 30 days per DPDPA §13. If your grievance is not resolved, you may approach the Data Protection Board of India.
13. Cookies & Tracking
KAK's tracker uses first-party cookies on your Shopify store to maintain visitor sessions and enable intent scoring:
- _kak_vid — anonymous visitor ID (365 days)
- _kak_sid — session ID (30 minutes)
- _kak_consent — consent status for visitor tracking (365 days)
No third-party advertising cookies are set by KAK. This website (kakedge.com) uses Google Analytics (GA4) for traffic analysis.
Cookie Consent
Your store visitors can opt out of KAK tracking. KAK respects Do Not Track (DNT) and Global Privacy Control (GPC) browser signals and provides a clear opt-out mechanism in the tracker initialization.
On our own public websites (kakedge.com), we display a cookie consent banner on first visit in accordance with GDPR, CPRA, and DPDPA. You can withdraw consent at any time by clearing localStorage or using your browser's cookie controls.
14. Third-Party Services & Data Sharing
KAK integrates with the following third-party services:
- Meta/Facebook/Instagram — CAPI events (hashed), audience sync, campaign data retrieval
- Shopify — store data, customer data, order webhooks
- Supabase — database hosting and storage
- Vercel — frontend hosting, edge functions
- Stripe — payment processing (PCI-DSS compliant)
- Google Analytics — website traffic analysis (kakedge.com domain only)
We do not share your personal data with any other services without your explicit consent.
15. Security & Data Protection
- HTTPS/TLS encryption — all data transmitted over encrypted connections
- At-rest encryption — API tokens and secrets encrypted in database
- Row-level security — database-level access controls on all tables
- API authentication — JWT-based authentication on all endpoints
- Rate limiting — protection against brute force and DDoS attacks
- SHA256 hashing — all PII hashed before external transmission (Meta, analytics)
- Annual policy review — this privacy policy, DPA, and sub-processor list are reviewed and dated annually (next review: April 2027). Third-party security certifications (SOC 2, ISO 27001) are inherited from our sub-processors (Vercel, Supabase, Cloudflare); KAK itself is not yet independently certified but plans to pursue SOC 2 Type I within 12 months.
- Access controls — principle of least privilege for employee access
16. International Data Transfers
KAK operates from the United States. Merchant data is processed in the US by default. EU-based merchants can request Supabase Frankfurt (EU) hosting at signup to keep data in the EU.
For transfers of personal data from the EEA, UK, or Switzerland to the US or other third countries:
- We rely on the Standard Contractual Clauses (Module 2, Controller-to-Processor) of Commission Implementing Decision (EU) 2021/914, incorporated by reference into our Data Processing Addendum
- UK transfers rely on the UK International Data Transfer Addendum to the EU SCCs
- All data in transit uses TLS 1.3; all data at rest uses AES-256 encryption (inherited from our infrastructure sub-processors)
- Hashed CAPI data transmitted to Meta is governed by Meta's own EU-US Data Privacy Framework certification
- Our sub-processors are listed at /subprocessors.html with their certifications
16a. Data Breach Notification
If we become aware of a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data we process, we will:
- Notify affected merchants (as controllers) without undue delay and in any event within 72 hours of confirmation (GDPR Art. 33)
- Include in the notification: nature of the breach, categories and approximate number of records, likely consequences, and measures taken or proposed
- Assist controllers with their own notification duties to supervisory authorities and data subjects where required (GDPR Art. 33 / Art. 34)
- For DPDPA-triggered notifications, notify the Data Protection Board of India per DPDPA §8(6)
- For California residents, follow California Civil Code §1798.82 notification requirements
- Preserve forensic evidence for regulator / auditor review
Security issues can be reported confidentially to security@kakedge.com.
16b. Sub-processors & Data Processing Addendum
A current list of every sub-processor that touches merchant data is maintained at /subprocessors.html. Our Data Processing Addendum is available at /dpa.html and is automatically incorporated into every merchant's Terms of Service. Signed-and-countersigned PDF copies are available on request at no cost.
17. Policy Updates & Communication
KAK may update this privacy policy as our service evolves. We will:
- Post changes here with the updated date
- Notify active clients via email of material changes
- Require explicit opt-in consent for any new data collection or use cases
18. Contact & Privacy Inquiries
For privacy questions, data requests, or concerns:
Email: hello@kakedge.com
Data Deletion: kakedge.com/data-deletion
Mailing Address: KAK Digital LLC, Wyoming, USA
We will respond to all privacy inquiries within 30 days.
Questions About This Policy?
This privacy policy is designed to be transparent and comprehensive. If you have questions about how KAK handles your data, or if you believe your privacy rights have been violated, please contact us immediately. Your privacy is our priority.