Last updated: January 18, 2026

Privacy Policy

ab.one – A/B Testing for Shopify

1. Introduction

This Privacy Policy explains how kreativkonnekt GmbH ("we", "us", "our"), operating the ab.one application, collects, uses, discloses, and protects information when you use our A/B testing service for Shopify stores.

This policy applies to:

  • Merchants: Shopify store owners who install and use the ab.one app
  • Storefront Visitors: End users who visit Shopify stores where ab.one is installed

By using ab.one, you agree to the collection and use of information in accordance with this policy.

2. Data Controller

kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg, Germany

Managing Directors: Michael Wanjek, Nikolas Schaffmann

Commercial Register: HRB 188943 (Amtsgericht Hamburg)
VAT ID: DE451767536
Tax Number: 43/738/02587

Privacy Contact: hi@ab.one

3. Information We Collect

3.1 From Merchants (Shopify Store Owners)

When you install and use ab.one, we collect:

Data Type | Purpose
Shop name, URL, email | Account identification and communication
Contact name, phone | Support and billing contact
Shopify OAuth access tokens | API access to manage A/B tests (stored encrypted)
Theme ID | To inject tracking scripts and test variants
Plan selection, usage metrics | Billing and service limits
Onboarding data (industry, company size, goals) | Product improvement and personalization
Timezone, currency, country | Localization and reporting

3.2 From Storefront Visitors (End Users)

When visitors browse a Shopify store using ab.one, we collect:

Data Type | Purpose
Pseudonymous Visitor ID (UUID) | Track test participation across sessions
Device type (mobile/desktop) | Device-specific test targeting
Viewport dimensions | Responsive design testing
UTM parameters | Traffic source attribution
Referrer URL and domain | Traffic source analysis
Country/region (from Shopify) | Geographic test targeting
Test variant assignments | A/B test logic
Behavioral events | Conversion tracking

Behavioral events collected:

  • page_viewed – Page URL visited
  • product_added_to_cart – Add-to-cart action
  • checkout_started – Checkout initiation with order value
  • checkout_completed – Purchase completion with order value

3.3 What We Do NOT Collect

We explicitly do NOT collect the following from storefront visitors:

  • ❌ Names or personal identifiers
  • ❌ Email addresses
  • ❌ Phone numbers
  • ❌ Physical addresses
  • ❌ Payment or credit card information
  • ❌ Shopify customer account data
  • ❌ Order details beyond aggregated conversion values
  • ❌ Any data that directly identifies an individual

The Visitor ID we generate is a random UUID stored in the visitor's browser localStorage. It cannot be linked to any personal identity.

4. How We Collect Data

4.1 Merchant Data

  • Shopify OAuth Flow: When you install the app, Shopify shares your store information with us
  • App Setup: Information you provide during onboarding
  • API Requests: Data retrieved via Shopify Admin API for test configuration

4.2 Visitor Data

  • Theme Script: A JavaScript snippet (abone.liquid) injected into your Shopify theme that manages test assignments and emits events
  • Shopify Web Pixel Extension: A sandboxed pixel that captures standard Shopify events (page views, cart, checkout)

4.3 Shopify API Scopes

ab.one requests the following Shopify API permissions:

Scope | Purpose
read_themes, write_themes | Inject tracking script and test variants
read_products, read_collections | Display resources for test targeting
read_orders | Conversion tracking and revenue attribution
read_content | Access metafields for test configuration
write_pixels | Deploy Web Pixel Extension

5. Purpose and Legal Basis

Under GDPR Article 6, we process data based on the following legal grounds:

Purpose | Legal Basis | GDPR Article
Provide A/B testing service | Contract performance | Art. 6(1)(b)
Generate test reports and analytics | Legitimate interest | Art. 6(1)(f)
Billing and subscription management | Contract performance | Art. 6(1)(b)
Product improvement and development | Legitimate interest | Art. 6(1)(f)
Customer support and communication | Contract performance | Art. 6(1)(b)
Fraud prevention and security | Legitimate interest | Art. 6(1)(f)

Legitimate Interest Assessment: Our legitimate interests in providing analytics and improving our service do not override the privacy rights of individuals, as we only process pseudonymous data that cannot identify specific persons.

6. Data Sharing and Subprocessors

We share data with the following service providers who process data on our behalf:

Subprocessor | Purpose | Location
Supabase | Database and authentication | EU (Frankfurt)
Shopify | Platform integration, OAuth | Global
PostHog | Product analytics | EU
Infisical | Secrets management | US
Mailgun | Transactional email | US/EU

We do NOT:

  • Sell personal information to third parties
  • Share data with advertising networks
  • Use data for cross-site tracking or profiling
  • Transfer data to parties without appropriate safeguards

7. International Data Transfers

Our primary data processing occurs within the European Union (Supabase Frankfurt region).

For subprocessors located in the United States (Infisical, Mailgun), we ensure appropriate safeguards through:

  • EU-US Data Privacy Framework certification where applicable
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Technical and organizational measures to protect data in transit

8. Data Retention

Data Category | Retention Period | Deletion Trigger
Merchant account data | Duration of service | App uninstallation
Test configurations | Duration of service | App uninstallation
Visitor event data | Until merchant deletion request | Merchant request or uninstall
Aggregated reports | Retained for historical analysis | May be anonymized and retained
Access tokens | Duration of service | App uninstallation (immediate)

8.1 Uninstallation Process

When a merchant uninstalls ab.one:

  1. All Shopify metafields are deleted
  2. Theme files (abone.liquid) are removed
  3. Theme modifications are reverted
  4. All merchant data is deleted from our database
  5. Associated visitor event data is deleted

This process is automated and immediate upon uninstallation.

8.2 Data Deletion Requests

Merchants can request deletion of all their data at any time by:

  • Using the in-app uninstall feature
  • Contacting hi@ab.one

We will process deletion requests within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures

  • Encryption in Transit: All data transmitted via TLS/HTTPS
  • Encryption at Rest: Database encryption enabled
  • Access Tokens: Stored encrypted, never logged
  • Authentication: Secure session management via Supabase Auth

Organizational Measures

  • Access Control: Role-based access, principle of least privilege
  • Employee Training: Privacy and security awareness
  • Incident Response: Procedures for security breach handling
  • Regular Updates: Continuous security patching

Limitations

While we take reasonable precautions, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

10. Cookies and Tracking Technologies

10.1 What We Use

ab.one primarily uses browser localStorage (not cookies) to store:

  • Visitor UUID for session continuity
  • Test variant assignments
  • Pending event queue for reliability

10.2 What We Do NOT Use

  • ❌ Third-party tracking cookies
  • ❌ Advertising pixels
  • ❌ Cross-site tracking mechanisms
  • ❌ Fingerprinting technologies

10.3 Shopify Cookies

We read (but do not set) the Shopify _shopify_y cookie to correlate with Shopify's visitor identification when available.

10.4 Cookie Consent

Because we use localStorage rather than cookies for visitor tracking, and our tracking is essential for the A/B testing service functionality, separate cookie consent is typically not required. However, merchants are responsible for their store's overall cookie compliance.

11. Your Privacy Rights

11.1 Rights Under GDPR (EU/EEA Residents)

You have the following rights regarding your personal data:

Right | Description | How to Exercise
Access (Art. 15) | Request a copy of your data | Email hi@ab.one
Rectification (Art. 16) | Correct inaccurate data | Email hi@ab.one
Erasure (Art. 17) | Request deletion of your data | Email hi@ab.one or uninstall
Restriction (Art. 18) | Limit how we process your data | Email hi@ab.one
Portability (Art. 20) | Receive your data in portable format | Email hi@ab.one
Object (Art. 21) | Object to processing based on legitimate interest | Email hi@ab.one
Withdraw Consent | Withdraw previously given consent | Email hi@ab.one

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. In Germany, this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit.

11.2 Rights Under UK GDPR

UK residents have equivalent rights to those listed above under the UK General Data Protection Regulation.

11.3 Rights Under CCPA/CPRA (California Residents)

California residents have the following rights:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Categories of Personal Information Collected (per CCPA definitions):

  • Identifiers (pseudonymous visitor IDs, merchant contact info)
  • Commercial information (plan subscriptions, usage data)
  • Internet activity (page views, test interactions)
  • Geolocation (country-level, from Shopify)

We do NOT sell personal information as defined under CCPA.

To exercise your California privacy rights, contact hi@ab.one.

11.4 Response Timeline

We will respond to verified requests within:

  • GDPR: 30 days (extendable by 60 days for complex requests)
  • CCPA: 45 days (extendable by 45 days with notice)

12. Data Processor Role

12.1 Our Role

For storefront visitor data, ab.one acts as a Data Processor under GDPR. The merchant (Shopify store owner) is the Data Controller and is responsible for:

  • Ensuring lawful basis for processing visitor data
  • Providing privacy notices to their customers
  • Responding to data subject requests from their customers
  • Configuring appropriate consent mechanisms if required

12.2 Data Processing Agreement

Merchants requiring a formal Data Processing Agreement (DPA) for compliance purposes can request one by contacting hi@ab.one.

13. Children's Privacy

ab.one is a business-to-business service intended for Shopify merchants. Our service is not directed at children under 16 years of age.

We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly.

If you believe we have inadvertently collected information from a child, please contact hi@ab.one.

14. Automated Decision-Making

ab.one uses automated processing for:

  • Variant Assignment: Visitors are automatically assigned to A/B test variants using randomized algorithms
  • Statistical Analysis: Bayesian statistical methods calculate test significance

These automated processes:

  • Do not produce legal or similarly significant effects on individuals
  • Use only pseudonymous, aggregated data
  • Are essential for providing the A/B testing service

No profiling or automated decision-making affects individual visitors in a meaningful way.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • Minor Changes: Updated policy posted on our website
  • Material Changes: Notification via email to registered merchants and/or in-app notification

The "Last updated" date at the top of this policy indicates when it was last revised.

We encourage you to review this policy periodically. Continued use of ab.one after changes constitutes acceptance of the updated policy.

16. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Privacy Inquiries
Email: hi@ab.one

General Support
Email: hi@ab.one

Postal Address
kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg
Germany

We aim to respond to all inquiries within 5 business days.

17. Additional Information

17.1 Third-Party Links

Our service may contain links to third-party websites (e.g., Shopify). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

17.2 Business Transfers

If kreativkonnekt GmbH is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.

17.3 Legal Requirements

We may disclose your information if required by law, such as to comply with a subpoena, court order, or similar legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.


This Privacy Policy is effective as of January 18, 2026.

© 2026 kreativkonnekt GmbH. All rights reserved.

