How your data is handled.
Last updated May 20, 2026.
This Privacy Policy describes how The Visionary Group ("TVG", "we", "us") collects, uses, and protects data received through the Maverick by TVG Shopify app ("Maverick") and its associated integrations with Google Ads, Meta Ads, and Klaviyo.
This policy applies to e-commerce merchants who have installed Maverick as part of a service engagement with TVG. TVG acts as the merchant's data processor; end-customer data is handled by each merchant under their own privacy policy.
What we collect
Through the Shopify Admin API (read-only):
- Orders — order numbers, dates, financial and fulfillment status, line items, totals, discounts, refunds, UTM attribution fields, and shipping geography at the country, state, and city level only.
- Customers — Shopify customer IDs, hashed email and name (SHA-256 one-way; plaintext never stored), marketing consent state, and order aggregates.
- Products — catalog metadata, variants, and inventory cost.
- Analytics — aggregated session-level metrics from ShopifyQL.
When the merchant authorizes the relevant integrations, we also ingest Google Ads, Meta Ads, and Klaviyo performance data.
How we use it
Data is used to produce TVG's per-client analysis and reporting: performance dashboards, cohort and retention analytics, marketing-mix and creative reports, profit & loss analysis, and the strategy reviews your TVG growth strategist runs with you.
We may also use the data, in anonymized and aggregated form (with all merchant and customer identifiers removed), to build cross-client models that inform forecasting, benchmarking, and creative-strategy recommendations across the TVG client portfolio. Where your service agreement with TVG specifies opt-in to extended use of your data, the terms of that agreement apply.
We do not sell merchant data to any third party. We do not share identifiable data between merchant accounts.
How we store it
All data resides in a private Supabase (PostgreSQL) database that TVG operates on shared but logically isolated infrastructure.
- Encryption at rest (AES-256, Supabase-provided)
- TLS 1.2+ for all data in transit
- Row-level isolation enforced at the database layer
- API credentials stored encrypted in Supabase Vault
- Access scoped to TVG personnel assigned to your engagement
- Audit logging on sensitive operations
How long we keep it
Identifiable merchant data is retained for the duration of your engagement with TVG plus a wind-down period of 30 days, or as otherwise specified in your service agreement.
After the wind-down period (or immediately upon receipt of a shop/redact request from Shopify), identifiable merchant data is permanently deleted from our primary database. Backups expire within 30 additional days on their natural rotation.
Anonymized and aggregated data — with all merchant and customer identifiers removed and re-identification rendered infeasible — may be retained indefinitely as part of the TVG analytical corpus and used for cross-client modeling and benchmarking. This data does not contain personal information.
Merchants may request early deletion at any time. End customers of merchants may exercise their GDPR/CCPA rights through Shopify's standard data-request and redaction flows; we honor these within 30 days as described below.
GDPR / CCPA compliance
We implement the three Shopify-mandated GDPR webhooks:
- customers/data_request — we respond within 30 days with any records matching the request.
- customers/redact — we permanently remove all records tied to the customer within 30 days.
- shop/redact — fired 48 hours after a merchant uninstalls the app; we permanently delete identifiable shop data within 30 days.
Third-party processors
- Supabase, Inc. — managed PostgreSQL hosting, SOC 2 Type II.
- Vercel Inc. — web application hosting (no merchant data stored; request routing only).
We do not engage analytics providers, advertising networks, or customer-data platforms on merchants' behalf without explicit authorization.
Contact
Questions, complaints, or data requests: zach@thevisionarygrouptx.com