Privacy Policy

1. Who We Are

Nexstage is an ecommerce analytics platform that helps merchants understand their store performance, profitability, and customer behaviour across multiple sales channels. The service is developed and operated by:

UWEB d.o.o.
Slamnikarska cesta 1D, 1230 Domžale, Slovenia
Website: nexstage.io
Email: [email protected]

For the purposes of GDPR, UWEB d.o.o. acts as a data processor on behalf of merchants (data controllers) with respect to their end-customers' personal data, and as a data controller with respect to merchant account data and platform usage data.

2. Information We Collect

2.1 Account and Billing Information

When you register for Nexstage, we collect:

• Name and email address
• Organisation name
• Billing information processed by Stripe (we do not store full card details)
• IP address and browser/device information for security purposes

2.2 Store and Ecommerce Data

When you connect a store integration, we import and store:

• Orders: order ID, amount, currency, date, status, line items, shipping and discount amounts, payment gateway used, fulfilment status
• Customers: email address, name, order count, total spend, location (country/city), first and last order dates
• Products: product ID, title, SKU, variant information, price, inventory levels
• Refunds: refund amounts, reasons, and dates

We do not collect or store payment card numbers, full billing addresses beyond country/city, or platform account passwords.

2.3 Marketing and Advertising Data

When you connect ad platforms, we import aggregated performance data including:

• Campaign names, spend, impressions, clicks, and conversions (Google Ads, Meta Ads)
• Email campaign send, open, click, and revenue metrics (Klaviyo)
• Organic search query performance data (Google Search Console)
• Aggregated website traffic metrics (Google Analytics 4)

We access only the minimum data necessary to provide analytics. We do not access the personal data of your end-customers through advertising platforms — only aggregated campaign-level metrics.

2.4 Usage Data

We collect information about how you use Nexstage (pages visited, features used, session duration) solely to operate and improve the platform.

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Nexstage platform and its analytics features
• Calculate profit, margin, marketing attribution, and other analytics on your behalf
• Generate customer segments, cohorts, and predictive analytics
• Detect anomalies and surface alerts within the platform
• Process billing and communicate about your account and subscription
• Respond to support requests
• Improve and develop new platform features
• Comply with legal obligations

We do not sell your data or your customers' data to any third party. We do not use your store data or your customers' data for advertising, cross-merchant profiling, credit assessment, or any purpose other than providing the analytics service to you.

Data obtained through Google APIs is used solely to provide features visible and prominent within the Nexstage application. It is not used for any secondary purpose, including serving advertisements or building profiles unrelated to the analytics service.

4. Shopify Integration

Nexstage uses the Shopify API to synchronise your store data. The following applies specifically to our Shopify application:

4.1 Data Access Scopes

Our Shopify application requests the following API scopes, each required to provide the analytics service:

• read_orders — to import order history and revenue metrics
• read_products — to import product and variant data
• read_customers — to build customer analytics and segments
• read_inventory — to track stock levels and calculate stockout losses
• read_analytics — to access aggregated store analytics
• read_shipping — to account for shipping costs in profit calculations

We request only the scopes necessary for the analytics service. We do not request write access to your Shopify store.

Where Shopify requires explicit approval for scopes accessing customer personally identifiable information (such as read_customer_email and read_customer_name), we access this data solely to provide the customer analytics features visible in the Nexstage application.

4.2 Webhooks and Real-Time Sync

We register Shopify webhooks to receive real-time updates for orders, products, customers, and refunds. All webhook payloads are verified using HMAC-SHA256 signatures before processing. Invalid or unverified requests are rejected.

4.3 Mandatory Compliance Webhooks

In accordance with Shopify's requirements, Nexstage implements all three mandatory privacy compliance webhooks:

• customers/data_request — when a merchant requests the stored data we hold for a specific customer, we return that data to the requesting store owner
• customers/redact — when a customer requests deletion of their data, we permanently delete or redact the specified customer and order data from our systems within 30 days
• shop/redact — when you uninstall the Nexstage app, Shopify sends this webhook 48 hours after uninstallation and we permanently delete all data associated with your store

4.4 Data Deletion

When you uninstall the Nexstage app from Shopify, all store data, customer records, and order data associated with your shop are permanently deleted within 30 days. To request immediate deletion, contact [email protected].

4.5 Your Customers' Data

We process personal data of your Shopify customers (email addresses, names, purchase history) strictly on your behalf and only to provide the analytics service described in this policy. We do not use your customers' data for any purpose other than generating analytics for you as the merchant.

5. Google Integration

When you connect Google services (Google Ads, Google Analytics 4, or Google Search Console), Nexstage accesses data through the respective Google APIs using OAuth 2.0.

5.1 Data Accessed

• Google Ads API: campaign names, spend, impressions, clicks, and conversion data for your ad accounts
• Google Analytics 4: aggregated session, traffic source, and conversion metrics for your properties
• Google Search Console API: search query performance, impressions, clicks, and position data for your verified properties

5.2 How Google Data Is Used

Data obtained from Google APIs is used exclusively to provide the marketing analytics and attribution features visible within your Nexstage dashboard. It is not used for any other purpose, including but not limited to:

• Advertising or retargeting of any kind
• Selling or transferring data to third parties
• Credit assessment or lending decisions
• Building user profiles unrelated to the analytics service

5.3 Limited Use Compliance

Our use of data obtained via Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. We access and use Google data only as permitted by that policy and only for the purposes described in this Privacy Policy.

5.4 Revoking Access

You can disconnect your Google accounts from Nexstage at any time via Settings. You can also revoke access directly through your Google Account permissions page. Upon disconnection, we stop importing new data and delete existing Google data on request.

6. Meta (Facebook) Integration

When you connect Meta Ads, Nexstage accesses your advertising account data through the Meta Marketing API using OAuth 2.0.

6.1 Data Accessed

• Ad account names and identifiers
• Campaign, ad set, and ad names
• Spend, impressions, clicks, reach, and conversion event counts
• Attribution data (clicks, views) at the campaign level

We do not access personal data of your customers or Facebook users through the Meta API. We access only aggregated campaign performance metrics.

6.2 How Meta Data Is Used

Meta advertising data is used solely to populate the marketing analytics features in your Nexstage dashboard, including spend tracking, ROAS calculation, and channel attribution. It is not used for any secondary purpose.

6.3 Requesting Deletion of Your Meta Data

You can request deletion of any Meta-sourced data we hold at any time by contacting [email protected]. We will delete the data within 30 days. You may also disconnect the Meta integration from Nexstage Settings, after which no new data will be imported.

This right to request deletion applies to all users of the application, without restriction.

6.4 Revoking Access

You can revoke Nexstage's access to your Meta ad accounts at any time via Settings, or directly through your Facebook Business Integrations settings.

7. Klaviyo Integration

When you connect Klaviyo, Nexstage accesses your account's email campaign and flow performance data via the Klaviyo API.

7.1 Data Accessed

• Campaign and flow names and identifiers
• Aggregate send, open, click, bounce, and unsubscribe counts per campaign or flow
• Revenue attributed to campaigns and flows
• Metric identifiers used to link Klaviyo revenue to order data

We do not access your Klaviyo subscriber list, individual profile data, or any special category personal data.

7.2 Independent Data Controllers

For the purposes of GDPR, UWEB d.o.o. (operating Nexstage) and Klaviyo operate as independent data controllers with respect to any personal data exchanged in connection with the Klaviyo integration. Each party is independently responsible for its own data processing activities and compliance obligations. Klaviyo's privacy practices are governed by the Klaviyo Privacy Notice.

7.3 International Data Transfers

Klaviyo is a US-based company. If you connect your Klaviyo account, performance data may be transferred from Klaviyo's systems to ours, which are hosted within the European Union or EEA. We process this data in accordance with GDPR. By connecting your Klaviyo account, you consent to this transfer of data for the purpose of providing the analytics service.

7.4 Revoking Access

You can disconnect Klaviyo from Nexstage Settings at any time. To request deletion of Klaviyo-sourced data, contact [email protected].

8. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data or your customers' personal data. We may share information only in the following limited circumstances:

• Infrastructure providers: Hosting, database, and email delivery providers who process data on our behalf under data processing agreements (DPAs). All primary infrastructure is located within the EU or EEA.
• Stripe: Payment processing for subscription billing. Stripe is the data controller for payment card data. See the Stripe Privacy Policy.
• Legal obligations: When required by applicable law, court order, or regulatory authority
• Business transfer: In the event of a merger, acquisition, or sale of assets, affected users will be notified and data will remain subject to this policy or an equivalent standard of protection
• With your consent: For any other purpose, with your explicit prior consent

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the service. Specifically:

• Account data: Retained for the duration of your subscription plus 90 days after account closure to allow for reactivation, then permanently deleted
• Store, order, and customer data: Retained while the store integration is active. Deleted within 30 days of disconnecting the integration, receiving a Shopify shop/redact webhook, or closing your account
• Marketing platform data: Retained while the integration is active. Deleted within 30 days of disconnecting the integration or account closure
• Billing records: Retained for 7 years to comply with EU accounting and tax regulations
• Security and access logs: Retained for 90 days

Upon account deletion, all personal data is permanently deleted from active systems. Anonymised, aggregated statistics that cannot identify any individual may be retained for product improvement purposes.

10. Security

We implement technical and organisational measures to protect your data, including:

• All data transmitted over HTTPS/TLS 1.2 or higher
• Webhook signatures verified using HMAC-SHA256 before any payload is processed
• OAuth access tokens stored encrypted at rest
• Role-based access controls within the platform
• Regular security reviews and dependency updates
• Primary infrastructure hosted within the European Union or EEA

In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

To report a security issue, contact [email protected] with the subject line "Security Issue".

11. Your Rights (GDPR)

If you are located in the European Union or European Economic Area, you have the following rights under GDPR:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data
• Right to restriction: Request that we restrict processing of your data in certain circumstances
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact [email protected] with the subject line "Data Subject Request". We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

For Your End-Customers

As a merchant using Nexstage, you are the data controller for your customers' personal data. You are responsible for responding to your customers' data subject requests. If a customer exercises a right that requires us to delete or provide data from our systems, contact [email protected] with the relevant details and we will fulfil the request within 30 days.

12. Cookies and Tracking

The Nexstage application uses only the following cookies and browser storage:

• Session cookie: Required for authentication and security. Expires when you close your browser or after a period of inactivity.
• UI preference storage: Browser local storage to remember interface preferences (e.g. selected date range, dismissed banners). Contains no personal data.

We do not use third-party advertising cookies, tracking pixels, or analytics services that profile individual users. The Nexstage application does not serve targeted advertisements.

13. Children's Privacy

Nexstage is a business-to-business service intended for use by merchants and businesses. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, contact [email protected] and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Send an email notification to registered account holders
• Display an in-app notice for a reasonable period

Your continued use of Nexstage after the effective date constitutes your acceptance of the changes. If you do not agree, you may close your account before the effective date.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your data:

UWEB d.o.o.
Slamnikarska cesta 1D, 1230 Domžale, Slovenia
Email: [email protected]

For data subject requests, use the subject line "Data Subject Request" and include your account email address. We will acknowledge receipt within 5 business days and respond fully within 30 days.

For security issues, use the subject line "Security Issue".

For Shopify customer data deletion requests, use the subject line "Customer Data Deletion".