The Visionary GroupData Platform
Privacy Policy

How your data is handled.

Last updated April 22, 2026.

This Privacy Policy describes how The Visionary Group ("TVG", "we", "us") collects, uses, and protects data received through the TVG Data Platform Shopify app and its associated integrations with Google Ads, Meta Ads, and Klaviyo.

Who this applies to

This policy applies to e-commerce merchants who have installed the TVG Data Platform app on their Shopify store as part of a service engagement with TVG. It does not apply to end customers of those merchants directly; end-customer data is handled by the merchant under their own privacy policy and this document describes only how TVG, acting as the merchant's data processor, receives and stores that data.

What data we collect

Through the Shopify Admin API (read-only), we ingest:

  • Orders: order number, date, financial and fulfillment status, line items, subtotal, taxes, discounts, shipping, refunds, customer attribution (UTM fields), and shipping address at the country, state, and city level only. We do not store street addresses or postal codes.
  • Customers: Shopify customer ID, hashed email and name (SHA-256 one-way hashes; plaintext never stored), marketing consent state, order history aggregates.
  • Products: catalog metadata, variants, inventory items (including unit cost used for gross-margin analysis).
  • Analytics: aggregated session-level metrics from ShopifyQL including add-to-carts, checkouts, and conversions.

We also ingest, when the merchant authorizes the relevant integrations:

  • Google Ads performance data at campaign, ad group, ad, and keyword level
  • Meta Ads performance data at campaign, ad set, ad, and creative level
  • Klaviyo email and SMS performance, flow metadata, and event data

How we use it

Data is used exclusively to produce internal TVG analysis and client-facing reports for the specific merchant whose store it originated from. Core use cases include:

  • Per-client performance dashboards
  • Cohort lifetime value and retention analytics
  • Marketing mix and creative performance reports
  • Profit & loss analysis and pacing projections
  • Bi-weekly client strategy reviews

We do not sell any data to third parties. We do not share any data between merchant accounts. We do not use any merchant's data to train machine learning models or to benchmark against other merchants without the data-owning merchant's explicit written authorization.

How we store it

All data resides in a private Supabase (PostgreSQL) database TVG operates on shared but logically-isolated infrastructure. Specific safeguards:

  • Encryption at rest (Supabase-provided, AES-256)
  • TLS 1.2+ for all data in transit
  • Row-level security (RLS) policies enforce strict per-merchant data isolation; no merchant can read another merchant's data
  • API credentials stored in Supabase Vault (encrypted secrets)
  • Access limited to TVG personnel scoped to specific client engagements
  • Audit logging on sensitive operations

How long we keep it

Data is retained for the duration of the merchant's engagement with TVG plus 90 days after engagement end (to support wind-down reporting and any outstanding reconciliation). At day 91 post-engagement, all merchant-specific data is permanently deleted from our primary database and any backups expire within 30 additional days on their natural rotation schedule.

Merchants may request earlier deletion at any time via a GDPR data erasure request through their Shopify admin, or by contacting us directly (see Support).

GDPR / CCPA compliance

We process the following Shopify-mandated GDPR webhooks:

  • customers/data_request: an end customer of a merchant has requested a copy of the data held about them. We respond with any Klaviyo events, hashed profile records, or aggregated metrics we hold that match the request within 30 days.
  • customers/redact: an end customer has requested deletion. We permanently remove all records tied to the customer within 30 days.
  • shop/redact: a merchant has uninstalled the app and 48 hours have passed. We permanently delete all data received from the shop within 90 days.

Third-party processors

  • Supabase, Inc. — managed PostgreSQL hosting. Operates under its own SOC 2 Type II attested practices.
  • Vercel Inc. — hosts this application's web layer. No merchant data is stored by Vercel; only request routing.

We do not engage any analytics provider, advertising network, or customer-data platform on merchants' behalf without explicit authorization.

Contact

Questions, complaints, or deletion requests: zach@thevisionarygrouptx.com