Privacy Policy

Last Updated: March 28, 2026

This Privacy Policy describes how Leannoku ("we", "us", or "our") collects, uses, and shares information when you use the Leannoku application or visit leannoku.com.

What Data We Collect

Account Data

When you create an account, we collect:

• Email address
• Name (optional)
• Password hash (we never store plaintext passwords)
• Google account ID if you sign in with Google OAuth

E-commerce Data (via OAuth)

When you connect integrations, we access and store:

• Shopify: order information, product data, customer data, store settings
• Meta Ads: campaign spend, impressions, clicks, conversions, ROAS
• Google Ads: campaign spend, impressions, clicks, conversions, ROAS
• Google Analytics: website traffic, sessions, page views, user demographics (read-only)
• Google Search Console: search performance, queries, click-through rates (read-only)
• Klaviyo: email campaign metrics, subscriber data
• TikTok Ads: campaign spend and performance data

Usage Data

• API request logs (endpoint, timestamp, no request bodies)
• Feature usage statistics
• Error logs

How We Use Data

• Provide the Service: sync data, compute metrics, generate reports, serve API responses
• Deliver scheduled reports via Slack and email
• Compute cross-channel metrics (blended ROAS, CAC, LTV)
• Detect events and anomalies (low stock, high-value orders, refund spikes)
• Improve and maintain the Service

Third-Party Services

We share data with the following third-party services to operate the platform:

• Shopify: store data access via OAuth
• Meta (Facebook): ad platform data via OAuth
• Google: ad platform data, analytics data, search console data, and OAuth authentication
• Klaviyo: email marketing data via OAuth
• Railway: application hosting and database
• Cloudflare: CDN and website hosting (Cloudflare Pages)
• Mailgun: transactional email delivery
• PostHog: anonymized product analytics
• Sentry: error tracking

We do not sell, rent, or share your data with third parties for marketing purposes.

Data Retention

• Account data: retained while your account is active
• Store and order data: retained while integrations are connected
• Daily metrics and events: retained for 24 months
• Usage analytics: retained for 12 months
• Error logs: retained for 90 days

When you delete your account or uninstall the App, we delete your data within 30 days.

Security

• All data is encrypted in transit (HTTPS/TLS)
• All data is encrypted at rest
• API keys are stored as SHA-256 hashes
• Passwords are hashed with bcrypt
• OAuth tokens are encrypted before storage
• Access to production systems is restricted to essential personnel

Your Rights

You have the right to:

• Access the data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Export your data via our API
• Disconnect any third-party integration at any time

To exercise these rights, contact us at [email protected].

Cookies

We use session tokens for authentication. We do not use tracking cookies. Our analytics (PostHog) uses first-party cookies for anonymized product usage data. No third-party advertising cookies are used.

GDPR Compliance

For users in the European Economic Area:

• Legal basis for processing: contract performance (providing the Service) and legitimate interest (improving the Service)
• You may request data access, rectification, erasure, or portability at any time
• We respond to mandatory GDPR webhooks (customer data requests, customer redaction, shop redaction)
• Data is processed in the United States (Railway hosting) and European Union (Cloudflare)
• You may lodge a complaint with your local data protection authority

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes by updating the "Last Updated" date.

Contact

Leannoku
Email: [email protected]
Website: leannoku.com