ab.one – A/B Testing for Shopify
This Privacy Policy explains how kreativkonnekt GmbH ("we", "us", "our"), operating the ab.one application, collects, uses, discloses, and protects information when you use our A/B testing and conversion-optimization service for Shopify stores (the "Service").
This policy applies to:
It is written to meet the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and Shopify's App Store privacy and Protected Customer Data requirements. By using ab.one, you agree to the collection and use of information in accordance with this policy.
kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg, Germany
Managing Directors: Michael Wanjek, Nikolas Schaffmann
Commercial Register: HRB 188943 (Amtsgericht Hamburg)
VAT ID: DE451767536
Tax Number: 43/738/02587
Privacy Contact: [email protected]
Data protection law distinguishes the controller (who decides why and how data is processed) from the processor (who processes data on a controller's behalf). ab.one acts in both roles depending on the data:
When you install and use ab.one, we collect:
| Data Type | Purpose |
|---|---|
| Shop name, URL, email | Account identification and communication |
| Contact name, phone | Support and billing contact |
| Account credentials | Authentication (passwords stored only as Argon2 hashes; many merchants sign in by magic link) |
| Shopify OAuth access tokens | API access to manage A/B tests (stored encrypted) |
| Theme ID | To inject tracking scripts and test variants |
| Plan selection, usage metrics | Billing and service limits |
| Onboarding data (industry, company size, goals) | Product improvement and personalization |
| Timezone, currency, country | Localization and reporting |
Billing is handled by Shopify Billing; we never receive or store your payment card details.
Our tracking pixel records storefront analytics events so we can calculate test results. This data is pseudonymous — it is keyed to a random identifier, not to a visitor's name or email:
| Data Type | Purpose |
|---|---|
| Pseudonymous Visitor ID (UUID) | Track test participation across sessions |
| Device type and viewport | Device-specific test targeting and responsive testing |
| UTM parameters | Traffic source attribution |
| Referrer URL and domain | Traffic source analysis |
| Country/region (from IP, then discarded) | Geographic test targeting |
| Test variant assignments | A/B test logic |
| Behavioral events | Conversion tracking |
Behavioral events collected:
page_viewed – Page URL visitedproduct_added_to_cart – Add-to-cart actioncheckout_started – Checkout initiation with order valuecheckout_completed – Purchase completion with order valueWe use the visitor's IP address only transiently to derive an approximate country; it is not stored as part of the event record. For split-URL tests a short-lived request log may retain the IP for up to 90 days for debugging and abuse prevention, then it is deleted automatically.
To measure conversions and revenue accurately and attribute them to the right test, ab.one accesses order and customer information through Shopify's APIs and customer events. Shopify classifies some of this as Protected Customer Data. Depending on the test and your configuration, this can include:
We access this data as the merchant's processor, apply strict data minimization (Section 6), and use it solely to power your tests and reporting. We never sell it, never use it for advertising or cross-site tracking, and never use it to train AI models.
abone.liquid) injected into your Shopify theme that manages test assignments and emits eventsab.one requests the following Shopify API permissions:
| Scope | Purpose |
|---|---|
read_themes, write_themes | Inject tracking script and test variants |
read_products, read_collections | Display resources for test targeting |
read_orders | Conversion tracking and revenue attribution (Protected Customer Data) |
read_content | Access metafields for test configuration |
write_pixels | Deploy Web Pixel Extension |
Because ab.one processes Shopify Protected Customer Data, we adhere to Shopify's data-protection requirements:
Under GDPR Article 6, we process data based on the following legal grounds:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Provide A/B testing service | Contract performance | Art. 6(1)(b) |
| Generate test reports and analytics | Legitimate interest | Art. 6(1)(f) |
| Billing and subscription management | Contract performance | Art. 6(1)(b) |
| Product improvement and development | Legitimate interest | Art. 6(1)(f) |
| Customer support and communication | Contract performance | Art. 6(1)(b) |
| Storefront-customer tracking where consent is required | Consent (obtained by the merchant) | Art. 6(1)(a) |
| Fraud prevention and security | Legitimate interest | Art. 6(1)(f) |
ab.one includes an AI assistant and AI-generated test recommendations powered by Anthropic (the Claude API). When you use these features, we send Anthropic a store context (such as your test names, page list, product titles, and audience definitions) together with your questions and conversation history.
We share data with the following service providers who process data on our behalf under data processing agreements. We do not sell data or share it with anyone for their own independent purposes.
| Subprocessor | Purpose | Location |
|---|---|---|
| Shopify Inc. | Platform integration, OAuth, billing | Canada / Global |
| Hetzner Online GmbH | Application, database & analytics hosting, backups | Germany (EU) |
| Anthropic, PBC | AI assistant and recommendations | USA (SCCs) |
| Mailgun (a Sinch company) | Transactional email | EU region |
| ClickUp (Mango Technologies, Inc.) | Support-ticket and feedback management | USA (SCCs) |
| Cloudflare, Inc. | Custom-domain provisioning, DNS, CDN & security | Global / USA (SCCs) |
We do NOT:
Our primary data storage and processing occurs within the European Union, on Hetzner infrastructure in Germany. Transactional email is processed in Mailgun's EU region.
For subprocessors located in the United States (Anthropic, ClickUp, Cloudflare), we ensure appropriate safeguards through:
| Data Category | Retention Period |
|---|---|
| Storefront analytics events | 2 years, then deleted automatically |
| Split-URL request logs (incl. transient IP) | 90 days, then deleted automatically |
| Merchant account, configuration, tests & reports | For the life of the account; deleted within 60 days of uninstall or account closure |
| AI conversation history | For the life of the account, or until you delete it |
| Support tickets and feedback | 24 months after resolution |
| Shopify OAuth access tokens | Deleted on uninstall (immediate) |
| Backups | Rotated and deleted within 30 days |
We implement Shopify's three mandatory compliance webhooks:
customers/data_request – we provide the merchant with any personal data we hold linked to a customer, so they can fulfil a data-access request.customers/redact – we delete or irreversibly anonymize personal data linked to a customer.shop/redact – 48 hours after a merchant uninstalls, we delete the store's personal data from our systems.On uninstall, our tracking script and theme modifications are removed, Shopify metafields are cleared, OAuth tokens are revoked, and merchant and associated event data are deleted within the periods above.
Merchants can request deletion of all their data at any time by using the in-app uninstall feature or by contacting [email protected]. We process deletion requests within 30 days.
We implement appropriate technical and organizational measures to protect your data:
While we take reasonable precautions, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.
For storefront test delivery, ab.one primarily uses browser local storage, and where necessary a cookie, to keep a visitor in a consistent test variant. These store:
In the merchant dashboard we use only strictly necessary cookies for authentication and session management, plus preference cookies (language, theme).
Because these technologies are deployed on the merchant's storefront, the merchant is responsible for surfacing them in their cookie/consent banner and obtaining consent where required, and for configuring Shopify's customer-consent settings appropriately.
You have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your data | Email [email protected] |
| Rectification (Art. 16) | Correct inaccurate data | Email [email protected] |
| Erasure (Art. 17) | Request deletion of your data | Email [email protected] or uninstall |
| Restriction (Art. 18) | Limit how we process your data | Email [email protected] |
| Portability (Art. 20) | Receive your data in portable format | Email [email protected] |
| Object (Art. 21) | Object to processing based on legitimate interest | Email [email protected] |
| Withdraw Consent | Withdraw previously given consent | Email [email protected] |
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority. For us, this is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (Hamburg, Germany).
UK residents have equivalent rights to those listed above under the UK General Data Protection Regulation.
California residents have the following rights:
Categories of Personal Information Collected (per CCPA definitions):
We do NOT sell personal information as defined under CCPA. To exercise your California privacy rights, contact [email protected].
For store visitors and customers: if you are a customer of a store that uses ab.one and want to exercise your rights, please contact that store (the controller) directly. We will assist the store in fulfilling your request, including through Shopify's data-request and redaction webhooks (Section 11).
ab.one is a business-to-business service intended for Shopify merchants and is not directed at children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact [email protected] and we will delete it.
ab.one uses automated processing for:
These automated processes do not produce legal or similarly significant effects on individuals and are essential for providing the A/B testing service.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify registered merchants by email and/or in-app. Continued use of ab.one after changes constitutes acceptance of the updated policy.
For any questions, concerns, or requests regarding this Privacy Policy or our data practices:
Privacy & Support
Email: [email protected]
Postal Address
kreativkonnekt GmbH
Fuhlsbüttler Straße 421
22309 Hamburg
Germany
We aim to respond to all inquiries within 5 business days.
Our service may contain links to third-party websites (e.g., Shopify). We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies.
If kreativkonnekt GmbH is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data becomes subject to a different privacy policy.
We may disclose your information if required by law, such as to comply with a subpoena, court order, or similar legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
This Privacy Policy is effective as of June 25, 2026.
© 2026 kreativkonnekt GmbH. All rights reserved.
We're here to help. Contact us anytime with questions about how we handle your data.