Privacy Policy
ClearSignal — Bot Traffic Detection for Shopify
Effective date: March 28, 2026
This Privacy Policy explains how Alpenglow Software LLC ("we," "us," "our"), operator of ClearSignal ("the App"), collects, uses, stores, and protects information when you install and use the App through the Shopify platform. ClearSignal detects bot traffic that may be polluting your store's analytics by combining client-side fingerprinting, web pixel events, and server-side signal correlation.
1. Information We Collect
Data from Shopify APIs
When you install the App, we access the following through the Shopify Admin API using the read_customer_events, write_pixels, and read_orders scopes:
- write_pixels — registers a web pixel extension on your storefront to capture page view, cart, and checkout events.
- read_customer_events — reads customer events captured by the web pixel extension.
- read_orders — queries aggregate order counts to calculate true conversion rates. This scope grants access to order data; however, the App queries only aggregate order counts and does not access or store individual order details, customer information, or payment data.
Data collected through Shopify session
Shopify provides the following data as part of the standard app authentication process:
- Shop domain
- Staff member name, email address, and user ID
- Account role (store owner or collaborator) and email verification status
- Locale preference
- Session tokens, access tokens, and refresh tokens
This session data is managed by Shopify's official session storage library and is required for the App to function within the Shopify Admin.
Data from the Theme App Extension (storefront visitors)
ClearSignal installs a lightweight app embed block on your storefront that runs entirely in your visitors' browsers. This extension collects the following signals from storefront sessions:
- Browser fingerprint data — a bot probability score and browser attributes generated by FingerprintJS BotD, an open-source library that runs entirely in the visitor's browser. No data is sent to FingerprintJS servers.
- Behavioral signals — mouse movement patterns, scroll behavior, and interaction timing, used to distinguish automated from human behavior.
- Honeypot interactions — whether a session triggered invisible form fields that only automated scripts typically interact with.
- Page URL and referrer — the current page URL and referring URL, including whether UTM parameters or click IDs (such as gclid or fbclid) are present. We store only the boolean presence of these parameters — not their raw values.
This data is transmitted to the App's server via a Shopify app proxy endpoint, which verifies request authenticity using HMAC signature validation.
Data from server-side processing
When a storefront session is scored, the App processes and stores:
- IP addresses — used for geographic analysis and queried against an IP reputation service. IP addresses are retained as part of session records.
- IP reputation scores — scores from the IPQualityScore API indicating the likelihood that an IP address is associated with bots, proxies, or data centers.
- Data center and ASN classification — whether the session originated from a cloud provider, hosting service, or residential network.
- Bot classification and session scores — the final classification verdict (DEFINITE_BOT, LIKELY_BOT, SUSPICIOUS, or LIKELY_HUMAN) and the underlying signal breakdown that produced it.
Data from the optional Klaviyo integration
If you connect your Klaviyo account, the App additionally collects:
- Klaviyo OAuth tokens — stored encrypted at rest using AES-256-GCM. Used to authenticate API calls to your Klaviyo account.
- Klaviyo profile data — email addresses, profile IDs, and activity metrics for profiles in your Klaviyo account, used to assess bot risk. This data is queried from Klaviyo's API and processed to generate bot scores.
- ClearSignal tags applied to profiles — when a profile is flagged, a tag (e.g., "ClearSignal: Bot Suspect") is written back to the Klaviyo profile through the Klaviyo API.
Klaviyo tokens are deleted immediately when you disconnect the integration or uninstall the App.
Data we do NOT collect
- Customer names, postal addresses, or payment information
- Individual order details or transaction amounts
- Raw click ID values (gclid, fbclid, etc.) — only whether they are present
- Theme files or store source code
- Customer email addresses, unless you connect the Klaviyo integration and Klaviyo provides them as part of profile data
2. How We Use Your Information
We use the data we collect solely to provide and improve the App's services:
- Bot detection — we correlate fingerprint, behavioral, pixel event, and IP reputation signals to score storefront sessions and classify them as bot or human traffic.
- Analytics impact reporting — we use order count data and session classifications to calculate your true conversion rate and estimate how bot traffic may be distorting your analytics.
- Dashboard display — we surface bot percentage, session breakdowns, and signal details in the App's merchant dashboard.
- Klaviyo profile audit (if connected) — we analyze Klaviyo profiles for bot-like behavior and tag suspected bot profiles so they can be excluded from campaigns.
- Subscription management — we store your current billing plan to gate features appropriately.
- App functionality — we use your shop domain and session data to authenticate requests and deliver the App within the Shopify Admin.
- AI/ML — We do not use artificial intelligence or machine learning to process your data. Your data and your visitors' data are not used to train AI or machine learning models.
For the purposes of applicable data protection laws, you (the merchant) are the data controller for storefront visitor data collected through the App. Alpenglow Software LLC acts as a data processor, processing this data solely on your behalf and as described in this policy. For data we collect directly (such as support communications), we act as an independent data controller.
3. How We Process Visitor Data
Storefront visitor data flows through the App as follows:
- The theme app extension loads on your storefront and runs FingerprintJS BotD in the visitor's browser. No data leaves the browser until the next step.
- The Web Pixel extension captures page view, cart, and checkout events through Shopify's sandboxed event pipeline.
- Fingerprint and behavioral signals are sent to the App's server via a Shopify app proxy endpoint with HMAC verification.
- The server correlates all available signals — fingerprint score, behavioral patterns, pixel events, and IP reputation — and computes a bot probability score.
- The classification verdict and signal breakdown are stored in the database. Raw behavioral signal data is not stored after scoring.
- Aggregated results are displayed in your merchant dashboard.
Bot classifications represent probabilistic assessments, not definitive verdicts. Individual session records include the contributing signals so you can evaluate the basis for any classification.
4. Data Storage and Security
- All data is stored in a PostgreSQL database hosted on Railway (United States).
- Shopify access tokens and Klaviyo OAuth tokens are encrypted at rest using AES-256-GCM encryption.
- All connections use HTTPS/TLS encryption in transit.
- IP reputation results are cached with a 24-hour TTL and expire automatically.
- We do not sell your data or your visitors' data. We do not share data with third parties for marketing, advertising, or profiling purposes.
- In the event of a data breach affecting your data, we will notify you and Shopify within 24 hours of discovery, in accordance with Shopify's Partner Program Agreement and applicable law.
5. Third-Party Services
The App uses the following third-party services to operate:
| Service | Purpose | Data shared |
|---|---|---|
| Shopify Admin API | Authentication, order counts, web pixel registration | Session tokens, GraphQL queries |
| FingerprintJS BotD | Browser-side bot detection (open source) | Runs entirely in visitor's browser — no data sent to FingerprintJS servers |
| IPQualityScore | IP reputation scoring | Visitor IP addresses |
| Inngest | Background job scheduling | Shop ID, session metadata (not visitor PII) |
| Railway | Application and database hosting | All stored data (encrypted in transit) |
| Klaviyo API (optional) | Profile audit and bot tagging | OAuth tokens, profile queries, tag writes — only when integration is connected |
6. Data Retention
- While installed — All session data, detection records, and reports are retained for as long as the App is installed on your store.
- On uninstall — All data associated with your shop is permanently deleted immediately and automatically. This includes sessions, detections, Klaviyo tokens, and your shop record. Deletion is atomic and irreversible.
- GDPR shop/redact — If Shopify sends a shop data erasure request, all shop data is deleted within 48 hours.
- IP reputation cache — IP reputation scores are cached with a 24-hour TTL and expire automatically.
- Klaviyo tokens — Deleted immediately on disconnect or uninstall.
7. Your Rights
You have the right to:
- Access — View session classifications, signal breakdowns, and detection history through the App's dashboard.
- Deletion — Uninstalling the App immediately deletes all your data. You may also contact us to request deletion without uninstalling.
- Data portability — Contact us to request an export of your stored data.
- Correction — Contact us if you believe any stored data is inaccurate.
Regarding your store's visitors: ClearSignal does not collect names, email addresses, or other personally identifying information from storefront visitors (unless the Klaviyo integration is connected and Klaviyo provides email addresses as part of profile data). If a visitor contacts you with a data request, you may contact us and we will assist.
We respond to all data requests within 30 days.
8. International Data Transfers
Your data and your visitors' data are processed and stored on servers located in the United States. By using the App, you consent to the transfer of data to the United States for processing.
9. Storefront Tracking
ClearSignal's theme app extension runs in your store's storefront to collect bot detection signals from visitor sessions. This extension does not use cookies. It uses browser fingerprinting techniques (via FingerprintJS BotD) and behavioral signals to assess session characteristics. It does not track visitors across different websites, and all collected signals are used solely for bot detection purposes on your store.
By enabling the App's storefront extension, you represent that your store's privacy policy and consent mechanisms adequately disclose the use of browser fingerprinting and behavioral analysis for bot detection purposes. You are responsible for compliance with applicable privacy laws regarding your store's visitors.
10. Children's Privacy
The App is designed for use by Shopify merchants (business users) and is not directed at children under 13. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date at the top of this page. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact us at: