Privacy Policy
Last updated: April 29, 2026
Mazz Growth OS ("we," "us," "our," or "the Service") is operated by Mazz Industries Inc. ("the Company"), a corporation registered in British Columbia, Canada, with its registered address at 990 Ironwood Court, Langford, BC, Canada V9B 0G8. This Privacy Policy explains how we collect, use, store, and protect information when you use Mazz Growth OS, a multi-brand marketing analytics and recommendation platform for ecommerce businesses.
By using the Service, you agree to the practices described in this policy.
1. Who This Policy Applies To
Mazz Growth OS is a business-to-business tool. Our users are ecommerce business operators who connect their own marketing and sales accounts (Shopify stores, Meta ad accounts, Google Analytics properties, Klaviyo accounts, and similar) to receive analytics and AI-generated recommendations.
This policy covers:
- Information about you, the authorized user of the Service.
- Information we receive from third-party platforms you connect via OAuth or API key.
This policy does not directly cover the end customers of your ecommerce business. Data about your customers (such as Shopify order data) is processed by us only on your behalf and under your control as the data controller.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and authentication credentials (managed by Supabase Auth). We may also collect organization or brand names you assign within the Service.
2.2 Data from Connected Platforms
When you connect a third-party platform, we receive data through that platform's official API. Specifically:
Meta (Facebook and Instagram Ads) — via the Meta Marketing API:
- Ad account identifiers, campaign names, ad set and ad performance metrics
- Ad spend, impressions, clicks, conversions, return on ad spend
- Page-level engagement metrics where authorized
- We request the following permissions:
ads_read, ads_management, business_management, and pages_read_engagement
Shopify — via the Shopify Admin API:
- Store domain and shop-level configuration
- Order totals, order counts, average order value, conversion rate
- Product and inventory metadata
- Aggregated customer counts (we do not retain individual customer personal information beyond what is necessary for analytics)
- We request the following scopes:
read_products, read_orders, read_customers, read_analytics, and read_inventory
Google (Google Analytics 4) — via the Google Analytics Data API and Admin API:
- GA4 property identifiers and configuration
- Aggregated traffic, session, conversion, and revenue metrics
- We request the following scope:
https://www.googleapis.com/auth/analytics.readonly
Klaviyo — via API key:
- Email campaign performance, open rates, click rates, attributed revenue
- List-level subscriber counts (no individual subscriber personal information)
2.3 OAuth Tokens and API Credentials
We securely store the access tokens, refresh tokens, and API keys required to maintain your connections to these platforms. All credentials are encrypted at rest using industry-standard encryption.
2.4 Usage and Diagnostic Data
We automatically collect limited technical information when you use the Service, including IP address, browser type, pages visited, and timestamps. This is used for security monitoring and service improvement only.
3. How We Use Information
We use the data we collect to:
- Provide the core analytics, dashboards, and AI-generated recommendations that are the function of the Service.
- Run scheduled data syncs to keep your metrics current.
- Generate insights using the Anthropic Claude API. Aggregated and anonymized metrics may be sent to Anthropic for inference; raw individual customer records are not.
- Authenticate you and protect your account.
- Communicate with you about the Service (account notices, security alerts).
- Diagnose and fix technical issues.
- Comply with legal obligations.
We do not:
- Sell your data to third parties.
- Combine data across customers' brands for any purpose other than improving the Service for the customer who owns the data.
4. Sharing Your Information
We share data only in the following limited circumstances:
- Subprocessors and infrastructure providers that help us operate the Service: Supabase (database and authentication), Vercel (application hosting), and Anthropic (AI inference). Each is bound by its own privacy and security commitments.
- Connected platforms that you have authorized (Meta, Shopify, Google, Klaviyo) — only data flows you initiated.
- Legal compliance — when required by law, court order, or to protect rights, property, or safety.
- Business transfers — if Mazz Industries Inc. is acquired or merged, your data may transfer to the successor entity, subject to this policy.
We do not sell, rent, or trade personal information.
5. Data Storage and Security
Data is stored in Supabase (PostgreSQL) infrastructure. We use the following safeguards:
- All connections are encrypted in transit using TLS.
- OAuth tokens, API keys, and other credentials are encrypted at rest.
- Access to production data is limited to authorized Mazz Industries Inc. personnel.
- Authentication is handled by Supabase Auth with row-level security policies enforcing tenant isolation between brands.
No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security.
6. Data Retention
- Connected platform metrics are retained for as long as your account is active. You may request earlier deletion at any time.
- OAuth tokens and API credentials are retained until you disconnect the platform or delete your account.
- Account information is retained for as long as your account is active and for a reasonable period afterward to comply with legal and accounting obligations.
- Diagnostic logs are retained for up to 90 days.
7. Your Rights and Choices
7.1 Disconnecting Platforms
You can disconnect any third-party platform at any time from the Service's credentials panel. When you disconnect:
- The associated OAuth tokens are immediately revoked and deleted from our systems.
- Historical metrics from that platform are retained unless you also request their deletion.
7.2 Account Deletion and Data Removal
To delete your account or request removal of specific data, follow the instructions on our Data Deletion page at https://www.mazzos.ca/data-deletion or email us at privacy@mazzmarketing.ca. We will:
- Confirm receipt within 5 business days.
- Complete the deletion within 30 days, except where retention is legally required.
- Notify upstream subprocessors as required.
7.3 Access, Correction, and Portability
You may request a copy of your data, correction of inaccurate data, or export in a portable format by contacting privacy@mazzmarketing.ca.
7.4 Privacy Rights Under Canadian and Other Laws
If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). If you are located in the European Economic Area, the United Kingdom, or California, you may have additional rights under the GDPR, UK GDPR, or CCPA respectively, including rights of access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact privacy@mazzmarketing.ca.
8. Meta Platform Compliance
In compliance with Meta's Platform Terms and Developer Policies:
- We use Meta data only for the purposes you authorized when you connected your account.
- We do not place Meta data into a search engine or directory.
- We do not sell, license, or purchase Meta data.
- We delete Meta data when you disconnect your account, when you request deletion, or when Meta directs us to.
For data deletion specific to Meta, see https://www.mazzos.ca/data-deletion.
9. Shopify Platform Compliance
We comply with Shopify's API License and Terms of Use, including the Protected Customer Data requirements. We:
- Access only the data permitted by the scopes you grant.
- Do not retain Shopify customer personal information beyond what is necessary for the analytics functions you have requested.
- Honor customers/redact, shop/redact, and customers/data_request webhooks within the timeframes Shopify requires.
10. Google API Services Compliance
Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not transfer it to third parties except as necessary to provide the Service, and do not allow humans to read it except as required for security, legal compliance, or with your explicit consent.
11. Children's Privacy
Mazz Growth OS is a business tool not directed at children. We do not knowingly collect information from anyone under the age of 16. If you believe we have collected such information, contact us and we will delete it.
12. International Data Transfers
Mazz Industries Inc. operates from Canada. Your data may be processed in Canada, the United States (where Supabase, Vercel, and Anthropic operate infrastructure), and other jurisdictions where our subprocessors operate. By using the Service, you consent to the transfer of data to these jurisdictions.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance.
14. Contact
For privacy questions, requests, or concerns:
Mazz Industries Inc.
990 Ironwood Court
Langford, BC, Canada V9B 0G8
Email: privacy@mazzmarketing.ca
For data deletion requests specifically, see https://www.mazzos.ca/data-deletion.