Privacy Policy
Last updated: May 14, 2026
Overview
Chartimatic is operated by Averva Corporation (“we,” “us,” or “our”). We are committed to protecting the privacy and security of our users' information. This Privacy Policy describes how we collect, use, store, and share data when you use our Shopify app and related services at chartimatic.com and app.chartimatic.com.
Information We Collect
Account Information
When you sign up for Chartimatic, we collect your email address and, optionally, your name and business context you provide during onboarding (such as business name, industry, and goals).
Store Data (via Shopify API)
When you install Chartimatic on your Shopify store, we request read-only access to the following Shopify scopes in order to generate your briefings:
- read_analytics — To retrieve your store's analytics and performance metrics for your daily briefing.
- read_orders — To analyze order trends, revenue patterns, and sales data at an aggregate level.
- read_products — To identify top products and category performance in your briefings.
Chartimatic generates aggregate, store-level insights and does not require access to Shopify Protected Customer Data. We do not build individual customer profiles, contact your customers, or use customer-level personal data for advertising, profiling, or enrichment. To the extent that order or analytics payloads from Shopify include any customer-identifying fields, we treat that information as confidential, do not display it outside of your store's own dashboard view, and delete it on uninstall in accordance with Shopify's GDPR webhook requirements described below.
We access this data using Shopify's official APIs with OAuth 2.0 authorization. We only request read-only access — we never modify your store data. The exact set of OAuth scopes requested at install time is governed by our current Shopify app configuration and may change as features evolve; the Shopify install screen always shows the authoritative list before you approve.
Third-Party Integration Data
In addition to Shopify, Chartimatic currently supports the following platforms, which you may connect from the Chartimatic dashboard with your explicit authorization: Google Analytics, Google Ads, and Klaviyo. When you connect a platform, we collect read-only analytics and reporting data from that service via its official API to generate your briefings, dashboards, and trend analysis inside Chartimatic.
Other platforms (such as TikTok and Amazon Seller Central) may be referenced on the marketing site as planned or roadmap integrations. Planned integrations are not part of the current OAuth verification scope, are not active in the product, and do not have any OAuth or data access until they are launched and disclosed in an updated version of this Privacy Policy.
Google User Data (via Google OAuth)
When you connect your Google Analytics account to Chartimatic, we use Google OAuth 2.0 to request your authorization for the following Google API scopes:
- https://www.googleapis.com/auth/analytics.readonly — Read-only access to your Google Analytics 4 reporting data (sessions, users, conversions, traffic sources, page-level metrics, and configured custom dimensions/metrics) for the specific GA4 properties you choose to connect.
- https://www.googleapis.com/auth/adwords — Read-only access to your Google Ads reporting data (campaign, ad group, and keyword performance metrics, spend, impressions, clicks, conversions, and audience metadata) for the specific Google Ads accounts you choose to connect. We use this data solely to surface paid-acquisition performance and ROAS context inside your Chartimatic briefings and dashboard. We do not create, edit, pause, or modify campaigns, budgets, audiences, or any other Google Ads entities, and we do not push data back to Google Ads.
Account login to Chartimatic is handled by Supabase using email and password. Chartimatic does not currently offer Google sign-in, and we do not request the openid, email, or profile scopes for authentication. The Google OAuth scopes listed above are requested only when you explicitly connect Google Analytics or Google Ads from inside the Chartimatic dashboard.
We do not request, access, or store any other Google data. We never request write access to your Google account. You may revoke our access at any time from your Chartimatic dashboard or directly at myaccount.google.com/permissions.
Usage Data
We collect standard web analytics (via Google Analytics) including page views, session duration, and referral sources. We do not use this data for advertising.
How We Use Your Data
- Daily Briefings — We process your connected data to generate AI-powered business intelligence briefings delivered to your email.
- Industry Intelligence — We use aggregated, anonymized data patterns to provide industry benchmarks and market context. Individual store data is never shared.
- Product Improvement — We use usage patterns to improve the service. We do not sell your data.
Google API Services User Data Policy
Chartimatic's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use Disclosure
We use Google user data obtained via the Google APIs (specifically the Google Analytics Data API and the Google Ads API) only to provide the features described in this Privacy Policy. In particular:
- Use — Google Analytics and Google Ads data are used solely to generate your daily briefings, dashboards, and trend analysis within Chartimatic. We do not use this data for any purpose outside of the user-facing Chartimatic briefings, dashboards, and analyses described in this Privacy Policy.
- Transfer — We do not transfer Google user data to third parties except as necessary to operate or improve user-facing features that are visible and prominent in the Chartimatic user interface. Google user data is stored only with the infrastructure providers listed in the "Data Sharing" section below (Supabase, Vercel). We do not send raw Google Analytics or Google Ads data to our AI provider; only aggregated, de-identified summaries derived from your reporting data (e.g., percentage changes, period-over-period trends, and top-N category rollups) are processed by the AI provider to generate the natural-language briefing text shown in your Chartimatic dashboard. We do not transfer Google user data to data brokers, advertising platforms, or for any purpose unrelated to the user-facing Chartimatic features you have authorized.
- Human Access — We do not allow humans to read Google user data unless (a) we have obtained your explicit consent to view specific data, (b) it is necessary for security purposes (such as investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized so that it cannot be linked to any individual user or account.
- No Advertising — We do not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising.
- No Resale — We do not sell Google user data.
- No Model Training — We do not use Google user data to develop, improve, or train generalized or non-personalized AI or ML models. AI models we use to generate your briefings receive only the minimum data required to produce the user-facing output for your account, and do not retain that data after the request.
Retention and Deletion of Google User Data
OAuth refresh tokens issued by Google (for both Google Analytics and Google Ads) are stored encrypted at rest and only for as long as your integration remains connected. Reporting data fetched from Google Analytics and Google Ads is cached for up to 90 days to support trend analysis in your briefings; older data is automatically purged. You may disconnect either Google integration at any time from your dashboard, which immediately revokes our refresh token for that integration and queues the associated stored Google data for deletion within 7 days. You may also request immediate deletion by emailing privacy@chartimatic.com.
Data Storage and Security
Your data is stored securely using Supabase (hosted on AWS infrastructure) with Row-Level Security policies enforcing data isolation between users. OAuth tokens are encrypted at rest. All data transmission uses TLS 1.2+.
We retain your store metrics data for the period required to generate trend analysis in your briefings (typically 90 days of historical snapshots). OAuth tokens are stored only while your integration remains active.
Data Sharing
We do not sell, rent, or trade your personal data. We share data only with:
- Service Providers — Supabase (database hosting), Vercel (application hosting), Resend (email delivery), Stripe (payment processing), and xAI (natural-language generation for briefings). These providers process data solely on our behalf. Raw Google user data (Google Analytics and Google Ads reporting data) is never sent to the AI provider; only aggregated, de-identified summaries derived from your reporting data are processed by the AI provider to generate the user-facing briefing text.
- Legal Obligations — When required by law or to protect our rights and safety.
Shopify GDPR Compliance
We comply with Shopify's mandatory data protection requirements by supporting the following webhook-based requests:
- Customer Data Request — Upon receiving a customers/data_request webhook from Shopify, we compile and return all data we hold about the specified customer.
- Customer Data Erasure — Upon receiving a customers/redact webhook, we delete all personally identifiable data associated with the specified customer.
- Shop Data Erasure — Shopify sends the shop/redact webhook approximately 48 hours after a merchant uninstalls the Chartimatic app. Upon receiving that webhook, Chartimatic processes the request and deletes all remaining shop-scoped data (including store metrics snapshots, generated briefings, OAuth tokens, and any cached payloads from Shopify) within 30 days, in line with our retention policy. OAuth tokens themselves are revoked immediately on uninstall and are no longer usable to access your store data even before the shop/redact webhook arrives.
Your Rights
You have the right to:
- Access — Request a copy of the data we hold about you.
- Correction — Request correction of inaccurate data.
- Deletion — Request deletion of your account and associated data. You can also disconnect integrations at any time from your dashboard.
- Portability — Request your data in a machine-readable format.
- Uninstall — Uninstalling the Shopify app immediately revokes our OAuth access to your store data. Shopify sends the shop/redact webhook approximately 48 hours after uninstall, and Chartimatic deletes the remaining shop-scoped data within 30 days of that webhook in line with the “Shop Data Erasure” section above.
Cookies and Tracking
We use essential cookies for authentication (Supabase session tokens). We use Google Analytics for aggregate traffic analysis. We do not use third-party advertising cookies or retargeting pixels.
Children's Privacy
Chartimatic is not intended for use by individuals under 16 years of age. We do not knowingly collect data from children.
Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification. The “Last updated” date at the top reflects the most recent revision.
Contact Us
For privacy-related questions, data requests, or concerns:
- Email: privacy@chartimatic.com
- Company: Averva Corporation
