Skip to content

Proof App Privacy Policy

Useful attribution. Minimal customer data.

This policy explains what Proof processes, why it is needed, who it is shared with, and how it is protected and deleted.

Last Updated: July 2026

The short versionProof does not store direct customer identifiers such as names, email addresses, phone numbers, postal addresses, or payment-card details. For content attribution, Proof syncs only order totals and the visitor paths needed to connect content journeys to orders. Limited attribution records may still be protected data, and we handle them accordingly.

This Privacy Policy describes how Simlyst (“we”, “us”, or “our”) collects, uses, shares, and protects information in connection with Proof, our Shopify application (the “App”). It applies to merchants who install the App and to store data processed through it.

1. Who we are

Proof is developed and operated by Simlyst in the United Kingdom. For questions about this policy or the App’s handling of data, email us.

The Shopify merchant controls the storefront and decides how the App is used for the store. Simlyst processes store data to provide Proof and separately controls limited information needed to secure, administer, bill, and support the service.

2. Data we process

Proof follows a limited-data approach: we process only the information needed for the feature the merchant chooses to use.

Proof data categories and why each category is processed
Data categoryWhat is processedWhy
Store and accountShop domain, installation access, plan status, and App settings.Authenticate the store, provide the service, and manage the subscription.
Product dataApproved product titles, descriptions, features, links, and related product content.Ground blog drafts in the merchant’s real products.
Content recordsDraft text, content settings, review status, schedule, and published page references.Create and manage the merchant’s content workflow.
AttributionOrder totals and visitor paths needed to link content journeys to orders.Calculate and display attributed revenue.
Search ConsoleConnected property, connection token, and search-performance metrics when the merchant opts in.Show search signals alongside content performance.
Support and securityMerchant support messages, diagnostic events, and limited connection metadata in infrastructure logs.Respond to requests, prevent abuse, and keep the service reliable.

What Proof does not store for attribution

Proof does not store customer names, email addresses, phone numbers, postal addresses, payment-card details, or customer message content in its attribution records. It does not build advertising profiles or sell attribution data.

What a visitor path means

A visitor path is the limited sequence of content pages or internal content references and event times needed to connect a content journey with an order under Proof’s attribution rules. A privacy-respecting session or attribution token may be used for that connection. Standard cloud security logs can temporarily contain technical connection metadata, such as an IP address or user agent, even though those fields are not stored in Proof’s attribution records.

3. How we use data

We use the data described above to:

  • authenticate the store and operate the App;
  • generate blog drafts grounded in product data for merchant review;
  • manage content status, scheduling, and publication records;
  • calculate and display attributed revenue under Proof’s attribution rules;
  • show Search Console performance where the merchant connects it;
  • process subscription status through Shopify;
  • provide support, prevent misuse, troubleshoot, and improve reliability; and
  • comply with legal and platform obligations.

We do not sell store or customer data. We do not use attribution records for third-party advertising.

4. Roles and legal bases

Where data-protection law applies, a merchant is generally the controller of information processed from its storefront, products, and orders, and Simlyst acts as a processor when providing the merchant-directed App functions. Simlyst may act as an independent controller for account administration, security, legal compliance, and support.

Depending on the processing and jurisdiction, our legal bases include performance of the contract to provide Proof, legitimate interests in securing and improving the service, consent where required for optional connections or storefront measurement, and compliance with legal obligations.

Visitor-path attribution is a form of storefront measurement. Proof is designed to respect applicable consent signals and merchant privacy settings. Merchants are responsible for configuring Shopify Customer Privacy settings, cookie or tracking notices, and consent choices for the regions in which they operate.

Where consent is required and has not been provided, visitor-path measurement should not be used for that visitor. Privacy choices can reduce the amount of attributable activity shown in the App.

6. Sharing and subprocessors

We share data only as necessary to provide and protect Proof. The relevant service categories include:

  • Google Cloud Platform for application hosting, storage, networking, monitoring, and security;
  • Shopify for App installation, store APIs, billing, publication actions, and required privacy workflows;
  • Google Search Console when a merchant chooses to connect a verified property; and
  • content-generation service providers that process limited product data and content instructions needed to produce drafts.

Content-generation providers are not given attribution records or direct customer identifiers for draft generation. Providers are required to protect data and use it only to deliver contracted services. We may also disclose limited information where required by law or needed to protect rights, safety, and service integrity.

Google Search Console data

Connecting Search Console is optional. Proof stores the connection credentials needed to maintain access and retrieves the search-performance information displayed in the App. We do not sell Google user data or use it for advertising. Disconnecting Search Console stops future data syncing, and related connection credentials are removed through the App’s disconnection or deletion process.

7. Retention and deletion

We keep active store, product, content, attribution, and connected Search Console data while the App is installed and the information is needed to provide the selected features. Merchants can remove optional connections when they no longer need them.

After uninstall and the applicable Shopify shop-redaction request, Proof deletes or de-identifies store data in active systems under its deletion process. Limited billing, fraud-prevention, security, or legal records may be retained only for the period required for those purposes. Encrypted backups and infrastructure logs expire under restricted provider retention schedules.

8. Shopify privacy requests

Proof implements Shopify’s mandatory privacy webhooks and responds to the following requests:

  • Customer data request: we identify and return any applicable data held for the request. Proof does not keep direct customer identifiers in attribution records, so it will often have no directly identified customer record to return.
  • Customer redaction: we delete applicable data that can be associated with the request under the App’s deletion process.
  • Shop redaction: we delete or de-identify the uninstalled store’s App data, subject only to limited legal and security retention described above.

Store customers should normally direct privacy requests to the Shopify merchant that controls the storefront.

9. Security

Proof uses operational and technical safeguards appropriate to the data it processes. These include encrypted network connections, access restrictions, authenticated Shopify webhook handling, managed Google Cloud infrastructure, monitoring, and separation of merchant-approved functions.

No online service can guarantee absolute security. We review controls and limit the data collected so the impact of a security incident is reduced.

10. International transfers

Providers may process data in countries other than the merchant’s or visitor’s country. Where required, we use appropriate transfer safeguards and contractual protections intended to provide an appropriate level of data protection.

11. Your rights

Depending on location and circumstances, individuals may have rights to access, correct, delete, restrict, object to, or obtain a copy of personal data, and to withdraw consent where processing relies on it. Merchants can email us. Store customers should first contact the merchant whose store they used.

12. Changes and contact

We may update this policy as Proof, platform requirements, or legal obligations change. We will revise the “Last Updated” date and use reasonable means to communicate material changes.

For questions, privacy requests, or complaints, email us.