Logo
Last updated: June 25, 2026

Privacy Policy

ab.one – A/B Testing for Shopify

1. Introduction

This Privacy Policy explains how kreativkonnekt GmbH ("we", "us", "our"), operating the ab.one application, collects, uses, discloses, and protects information when you use our A/B testing and conversion-optimization service for Shopify stores (the "Service").

This policy applies to:

  • Merchants: Shopify store owners who install and use the ab.one app
  • Storefront Visitors and Customers: People who visit or purchase from Shopify stores where ab.one is installed

It is written to meet the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and Shopify's App Store privacy and Protected Customer Data requirements. By using ab.one, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg, Germany

Managing Directors: Michael Wanjek, Nikolas Schaffmann

Commercial Register: HRB 188943 (Amtsgericht Hamburg)
VAT ID: DE451767536
Tax Number: 43/738/02587

Privacy Contact: [email protected]

3. Our Role: Controller and Processor

Data protection law distinguishes the controller (who decides why and how data is processed) from the processor (who processes data on a controller's behalf). ab.one acts in both roles depending on the data:

  • We are the controller of merchant account data, billing, support requests, and app-usage data.
  • We are a processor for the personal data of your storefront visitors and customers — including any Shopify Protected Customer Data — which we process on the merchant's behalf under a Data Processing Agreement. The merchant is the controller of that data (see Section 12).

4. Information We Collect

4.1 From Merchants (Shopify Store Owners)

When you install and use ab.one, we collect:

Data TypePurpose
Shop name, URL, emailAccount identification and communication
Contact name, phoneSupport and billing contact
Account credentialsAuthentication (passwords stored only as Argon2 hashes; many merchants sign in by magic link)
Shopify OAuth access tokensAPI access to manage A/B tests (stored encrypted)
Theme IDTo inject tracking scripts and test variants
Plan selection, usage metricsBilling and service limits
Onboarding data (industry, company size, goals)Product improvement and personalization
Timezone, currency, countryLocalization and reporting

Billing is handled by Shopify Billing; we never receive or store your payment card details.

4.2 From Storefront Visitors (Pseudonymous Analytics)

Our tracking pixel records storefront analytics events so we can calculate test results. This data is pseudonymous — it is keyed to a random identifier, not to a visitor's name or email:

Data TypePurpose
Pseudonymous Visitor ID (UUID)Track test participation across sessions
Device type and viewportDevice-specific test targeting and responsive testing
UTM parametersTraffic source attribution
Referrer URL and domainTraffic source analysis
Country/region (from IP, then discarded)Geographic test targeting
Test variant assignmentsA/B test logic
Behavioral eventsConversion tracking

Behavioral events collected:

  • page_viewed – Page URL visited
  • product_added_to_cart – Add-to-cart action
  • checkout_started – Checkout initiation with order value
  • checkout_completed – Purchase completion with order value

We use the visitor's IP address only transiently to derive an approximate country; it is not stored as part of the event record. For split-URL tests a short-lived request log may retain the IP for up to 90 days for debugging and abuse prevention, then it is deleted automatically.

4.3 Protected Customer Data (Order & Customer Information)

To measure conversions and revenue accurately and attribute them to the right test, ab.one accesses order and customer information through Shopify's APIs and customer events. Shopify classifies some of this as Protected Customer Data. Depending on the test and your configuration, this can include:

  • Order and checkout values, currency, and line-item counts
  • Customer identifiers and contact details — name, email address, phone number, and billing/shipping address — where surfaced by Shopify order or checkout data

We access this data as the merchant's processor, apply strict data minimization (Section 6), and use it solely to power your tests and reporting. We never sell it, never use it for advertising or cross-site tracking, and never use it to train AI models.

5. How We Collect Data

5.1 Merchant Data

  • Shopify OAuth Flow: When you install the app, Shopify shares your store information with us
  • App Setup: Information you provide during onboarding
  • API Requests: Data retrieved via the Shopify Admin API for test configuration and reporting

5.2 Visitor & Customer Data

  • Theme Script: A JavaScript snippet (abone.liquid) injected into your Shopify theme that manages test assignments and emits events
  • Shopify Web Pixel Extension: A sandboxed pixel that captures standard Shopify events (page views, cart, checkout), including order/customer data where we are approved for Protected Customer Data

5.3 Shopify API Scopes

ab.one requests the following Shopify API permissions:

ScopePurpose
read_themes, write_themesInject tracking script and test variants
read_products, read_collectionsDisplay resources for test targeting
read_ordersConversion tracking and revenue attribution (Protected Customer Data)
read_contentAccess metafields for test configuration
write_pixelsDeploy Web Pixel Extension

6. Protected Customer Data Commitments

Because ab.one processes Shopify Protected Customer Data, we adhere to Shopify's data-protection requirements:

  • Data minimization: we process only the minimum customer data needed to provide test measurement and reporting.
  • Transparency & purpose limitation: we tell merchants what we process and why, and use it only for those purposes.
  • Customer consent: where applicable, we respect and apply the consent signals provided by Shopify's Customer Privacy API and your store's consent banner.
  • No sale or sharing: we never sell protected customer data and never share it for cross-context behavioural advertising.
  • Encryption of data in transit and at rest, including encrypted backups.
  • Access controls: least-privilege staff access, strong authentication, separation of test and production data, and access logging for protected customer data.
  • Incident response: a documented security incident-response and data-loss-prevention process.
  • Retention limits: protected customer data is kept only as long as needed (Section 11).

7. Purpose and Legal Basis

Under GDPR Article 6, we process data based on the following legal grounds:

PurposeLegal BasisGDPR Article
Provide A/B testing serviceContract performanceArt. 6(1)(b)
Generate test reports and analyticsLegitimate interestArt. 6(1)(f)
Billing and subscription managementContract performanceArt. 6(1)(b)
Product improvement and developmentLegitimate interestArt. 6(1)(f)
Customer support and communicationContract performanceArt. 6(1)(b)
Storefront-customer tracking where consent is requiredConsent (obtained by the merchant)Art. 6(1)(a)
Fraud prevention and securityLegitimate interestArt. 6(1)(f)

8. Artificial Intelligence Features

ab.one includes an AI assistant and AI-generated test recommendations powered by Anthropic (the Claude API). When you use these features, we send Anthropic a store context (such as your test names, page list, product titles, and audience definitions) together with your questions and conversation history.

  • We do not send storefront-customer personal data (names, emails, addresses) to Anthropic.
  • Under Anthropic's commercial API terms, your data is not used to train its models.
  • Your AI conversation history is stored in your account, and you can delete conversations at any time.

9. Data Sharing and Subprocessors

We share data with the following service providers who process data on our behalf under data processing agreements. We do not sell data or share it with anyone for their own independent purposes.

SubprocessorPurposeLocation
Shopify Inc.Platform integration, OAuth, billingCanada / Global
Hetzner Online GmbHApplication, database & analytics hosting, backupsGermany (EU)
Anthropic, PBCAI assistant and recommendationsUSA (SCCs)
Mailgun (a Sinch company)Transactional emailEU region
ClickUp (Mango Technologies, Inc.)Support-ticket and feedback managementUSA (SCCs)
Cloudflare, Inc.Custom-domain provisioning, DNS, CDN & securityGlobal / USA (SCCs)

We do NOT:

  • Sell personal information to third parties
  • Share data with advertising networks
  • Use data for cross-site tracking or profiling
  • Transfer data to parties without appropriate safeguards

10. International Data Transfers

Our primary data storage and processing occurs within the European Union, on Hetzner infrastructure in Germany. Transactional email is processed in Mailgun's EU region.

For subprocessors located in the United States (Anthropic, ClickUp, Cloudflare), we ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (and equivalent UK safeguards)
  • EU-US Data Privacy Framework certification where applicable
  • Technical and organizational measures to protect data in transit and at rest

11. Data Retention

Data CategoryRetention Period
Storefront analytics events2 years, then deleted automatically
Split-URL request logs (incl. transient IP)90 days, then deleted automatically
Merchant account, configuration, tests & reportsFor the life of the account; deleted within 60 days of uninstall or account closure
AI conversation historyFor the life of the account, or until you delete it
Support tickets and feedback24 months after resolution
Shopify OAuth access tokensDeleted on uninstall (immediate)
BackupsRotated and deleted within 30 days

11.1 Uninstallation & Shopify Compliance Webhooks

We implement Shopify's three mandatory compliance webhooks:

  • customers/data_request – we provide the merchant with any personal data we hold linked to a customer, so they can fulfil a data-access request.
  • customers/redact – we delete or irreversibly anonymize personal data linked to a customer.
  • shop/redact – 48 hours after a merchant uninstalls, we delete the store's personal data from our systems.

On uninstall, our tracking script and theme modifications are removed, Shopify metafields are cleared, OAuth tokens are revoked, and merchant and associated event data are deleted within the periods above.

11.2 Data Deletion Requests

Merchants can request deletion of all their data at any time by using the in-app uninstall feature or by contacting [email protected]. We process deletion requests within 30 days.

12. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures

  • Encryption in Transit: All data transmitted via TLS/HTTPS
  • Encryption at Rest: Database and analytics storage encrypted, including encrypted backups
  • Credentials: Passwords stored only as Argon2 hashes; access tokens stored encrypted and never logged
  • Access logging: for protected customer data

Organizational Measures

  • Access Control: Role-based access, principle of least privilege, strong staff authentication
  • Environment separation: Test and production data kept separate
  • Incident Response: Documented procedures for security breach handling and data-loss prevention
  • Regular Updates: Continuous security patching

Limitations

While we take reasonable precautions, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

13. Cookies and Tracking Technologies

13.1 What We Use

For storefront test delivery, ab.one primarily uses browser local storage, and where necessary a cookie, to keep a visitor in a consistent test variant. These store:

  • Pseudonymous Visitor UUID for session continuity
  • Test variant assignments
  • A pending event queue for reliability

In the merchant dashboard we use only strictly necessary cookies for authentication and session management, plus preference cookies (language, theme).

13.2 What We Do NOT Use

  • ❌ Third-party advertising or tracking cookies
  • ❌ Advertising pixels
  • ❌ Cross-site tracking mechanisms
  • ❌ Fingerprinting technologies

13.3 Cookie Consent

Because these technologies are deployed on the merchant's storefront, the merchant is responsible for surfacing them in their cookie/consent banner and obtaining consent where required, and for configuring Shopify's customer-consent settings appropriately.

14. Your Privacy Rights

14.1 Rights Under GDPR (EU/EEA Residents)

You have the following rights regarding your personal data:

RightDescriptionHow to Exercise
Access (Art. 15)Request a copy of your dataEmail [email protected]
Rectification (Art. 16)Correct inaccurate dataEmail [email protected]
Erasure (Art. 17)Request deletion of your dataEmail [email protected] or uninstall
Restriction (Art. 18)Limit how we process your dataEmail [email protected]
Portability (Art. 20)Receive your data in portable formatEmail [email protected]
Object (Art. 21)Object to processing based on legitimate interestEmail [email protected]
Withdraw ConsentWithdraw previously given consentEmail [email protected]

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. For us, this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Hamburg, Germany).

14.2 Rights Under UK GDPR

UK residents have equivalent rights to those listed above under the UK General Data Protection Regulation.

14.3 Rights Under CCPA/CPRA (California Residents)

California residents have the following rights:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell or share personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Categories of Personal Information Collected (per CCPA definitions):

  • Identifiers (pseudonymous visitor IDs, merchant contact info, and customer identifiers from orders)
  • Commercial information (plan subscriptions, usage data, order values)
  • Internet activity (page views, test interactions)
  • Geolocation (country-level)

We do NOT sell personal information as defined under CCPA. To exercise your California privacy rights, contact [email protected].

14.4 Response Timeline

  • GDPR: 30 days (extendable by 60 days for complex requests)
  • CCPA: 45 days (extendable by 45 days with notice)

For store visitors and customers: if you are a customer of a store that uses ab.one and want to exercise your rights, please contact that store (the controller) directly. We will assist the store in fulfilling your request, including through Shopify's data-request and redaction webhooks (Section 11).

15. Children's Privacy

ab.one is a business-to-business service intended for Shopify merchants and is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact [email protected] and we will delete it.

16. Automated Decision-Making

ab.one uses automated processing for:

  • Variant Assignment: Visitors are automatically assigned to A/B test variants using randomized algorithms
  • Statistical Analysis: Bayesian statistical methods calculate test significance

These automated processes do not produce legal or similarly significant effects on individuals and are essential for providing the A/B testing service.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify registered merchants by email and/or in-app. Continued use of ab.one after changes constitutes acceptance of the updated policy.

18. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy & Support
Email: [email protected]

Postal Address
kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg
Germany

We aim to respond to all inquiries within 5 business days.

19. Additional Information

19.1 Third-Party Links

Our service may contain links to third-party websites (e.g., Shopify). We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies.

19.2 Business Transfers

If kreativkonnekt GmbH is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

19.3 Legal Requirements

We may disclose your information if required by law, such as to comply with a subpoena, court order, or similar legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.


This Privacy Policy is effective as of June 25, 2026.

© 2026 kreativkonnekt GmbH. All rights reserved.


Questions about our privacy practices?

We're here to help. Contact us anytime with questions about how we handle your data.