Privacy Policy
Tactical is an agent-traffic intelligence service for e-commerce stores. This page describes what data we collect, why we collect it, where we store it, and how you (or visitors to your store) can exercise data-protection rights.
01 What data we collect
Tactical collects behavioural signals only — no personally identifiable information (PII) is stored. From each visitor session on a merchant's storefront we record:
- Page-view patterns (URLs visited, time on page, scroll depth)
- Mouse-movement heuristics (presence/absence only — never cursor coordinates)
- Navigation timing (interval between page loads — used to score "bot-like" cadence)
- User-agent string, hashed before storage
- Referrer domain (domain only, not the full URL)
- IP-derived metadata: country and "is this a datacenter?" flag — the IP itself is discarded after geolookup
- Cart and checkout events (event type only — no product pricing or payment data)
From the merchant operating a Tactical account we additionally store: email address, a salted password hash, store name, store domain, plan tier, and (where applicable) a billing-provider customer ID.
02 What we never collect
- Names, phone numbers, addresses, or any visitor identifiers
- Payment information, credit card numbers, or billing addresses (we never see them — checkout runs on Dodo Payments / Stripe / your storefront's processor, not Tactical)
- Visitor login credentials, session tokens, or cookies belonging to third parties
- Form inputs or any text typed by visitors
- Cross-site tracking identifiers, third-party advertising cookies, or fingerprints used for ad attribution
- Raw IP addresses (transient, geolookup only)
03 How data is stored
Session analytics and account configuration live in Neon Postgres with these protections:
- Encryption at rest — AES-256 on the database storage layer
- Encryption in transit — TLS 1.3 on every connection between services
- 90-day TTL — agent-session and product-view rows are purged daily by a scheduled job (3am UTC); see the daily purge cron in our public repository
- Tenant isolation — every analytics row is scoped to a shop_id; row-level access is enforced at the application layer
- Access control — only the merchant who owns a store, authenticated via password + JWT (or Shopify OAuth), can view its analytics
04 GDPR compliance
Tactical processes visitor session data under the legitimate interest legal basis (GDPR Article 6(1)(f)) for the purposes of bot detection, traffic classification, and competitive intelligence on behalf of the merchant. Because we do not collect PII, the standard data-subject rights (access, rectification, erasure) apply primarily to merchant account data, which the account owner can manage directly from /dashboard/settings.
For Shopify merchants, we honour the GDPR webhooks (customers/data_request, customers/redact, shop/redact): all relevant data is purged within 30 days of a redact request.
A Data Processing Addendum (DPA) is available on request — email [email protected].
05 Cookies & tracking
On a merchant's storefront, Tactical's snippet uses one first-party session cookie:
- Contains a random session identifier only (no PII, no merchant identifiers)
- Expires when the browser session ends
- Never shared with third parties or used for cross-site tracking
- Never used for advertising or attribution outside the merchant's own dashboard
On tactical-app.work itself, we set httpOnly authentication cookies for signed-in merchants (access token + refresh token), and a short-lived display cookie to surface a freshly-minted API key during onboarding. None of these are used for tracking; they're scoped to the auth session and operational requirements.
06 Data deletion
When a merchant deletes their Tactical account or uninstalls our Shopify/WooCommerce app:
- Account configuration (email, password hash, store metadata) is deleted within 24 hours
- All session-analytics rows tied to the merchant's shop_id are deleted within 24 hours
- OAuth access tokens are revoked immediately
- Active billing subscriptions are cancelled (no future charges)
- API keys are revoked immediately; the snippet stops functioning on receipt of a 401
Deleted data may persist in encrypted database backups for up to 30 days before being purged from the backup retention window. After that, no copy remains.
07 Subprocessors
Tactical uses the following infrastructure providers to deliver the service:
- Neon — Postgres database hosting (account + analytics data). SOC 2 Type II.
- Upstash — Redis for the event queue and short-lived session state.
- Cloudflare — Edge ingestion and DDoS protection at the snippet endpoint.
- Railway — Application server hosting.
- Resend — Transactional email delivery (verification, password reset, weekly intelligence briefs, alerts).
- Dodo Payments — Subscription billing and customer portal.
- MaxMind — IP-to-country geolocation (used transiently, no stored linkage to visitor sessions).
No behavioural data is sold to any third party. Tactical does not run advertising, retargeting, or affiliate networks on collected data.
08 International transfers
Tactical's primary infrastructure region is the United States. Where data flows from the EU/UK to the US, transfers rely on Standard Contractual Clauses (SCCs) executed with each subprocessor. We minimise the data footprint (no PII in session analytics) to keep the transfer scope narrow.
09 Changes to this policy
When we make material changes, we'll post the updated version here with a new "Last updated" date. For changes that meaningfully expand collection or sharing, we'll email account owners at least 14 days before the change takes effect.
10 Contact
For privacy questions, deletion requests, or DPA execution: [email protected].