Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 1, 2026
ABSplitLab ("we", "us", "our") operates the ABSplitLab application for Shopify merchants. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data We Collect
ABSplitLab is designed with privacy at its core. We collect the minimum data necessary to run A/B tests and deliver results to merchants. Specifically:
- Anonymous Session IDs: A randomly generated identifier stored in a first-party cookie. This ID cannot be used to identify any individual person.
- Device Type: Whether the visitor is on desktop, tablet, or mobile. Used for analytics breakdowns only.
- UTM Parameters: Campaign source, medium, and name from URL parameters, if present. Used to help merchants understand traffic sources.
- Aggregate Revenue Data: Total revenue attributed to each experiment variant. This is aggregated and cannot be traced to individual customers.
- Page View and Conversion Events: Anonymous counts of page views, add-to-cart actions, and completed checkouts per variant.
Data We Do NOT Collect
ABSplitLab does not collect any customer personally identifiable information (PII), including but not limited to:
- Names
- Email addresses
- Mailing addresses
- Phone numbers
- Payment or credit card information
- IP addresses (not stored or logged)
2. Cookies Used
ABSplitLab uses first-party cookies only. We do not use any third-party tracking cookies.
| Cookie Name |
Purpose |
Duration |
_sl_sid |
Anonymous session identifier used to track a visitor's session across pages and prevent duplicate event counting. |
30 days |
_sl_[experiment_id] |
Stores the variant assignment for a specific experiment, ensuring the visitor always sees the same variant. |
90 days |
These cookies are strictly functional and are required for the A/B testing service to operate. They do not track users across websites and contain no personal information.
3. Third-Party Services
We use the following third-party services to operate ABSplitLab:
- PostgreSQL hosted by Supabase: Used to store experiment configurations, variant assignments, and aggregated results. Supabase processes data in accordance with their privacy policy and GDPR obligations. Data is stored in EU or US regions depending on configuration.
- Redis hosted by Upstash: Used as an in-memory data store for real-time event aggregation via BullMQ. Event data is temporarily buffered in Redis before being flushed to PostgreSQL. No personal data is stored in Redis.
- AI Provider (for suggestions feature): On the Scale plan, merchants may opt in to AI-powered test suggestions. When enabled, anonymized and aggregated experiment history is sent to the AI provider to generate recommendations. No customer data or PII is ever shared with the AI provider.
4. GDPR Compliance
ABSplitLab is committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
- Lawful Basis: Our data processing is based on legitimate interest (providing the A/B testing service) and, where required, consent obtained through the Shopify Customer Privacy API.
- Data Minimization: We only collect anonymous, aggregated data. No personal data is collected from store visitors.
- Cookie Consent: ABSplitLab respects the Shopify Customer Privacy API. If a store visitor declines analytics cookies, ABSplitLab will not set any cookies or track any events.
- Data Processing Agreement: We maintain DPAs with our sub-processors (Supabase, Upstash) to ensure GDPR-compliant data handling.
- Right to Access: Since we do not collect personal data from store visitors, there is no personal data to access or export.
- Right to Erasure: Merchants can request deletion of all their experiment data by contacting us at support@absplitlab.com.
5. Data Retention
- Active accounts: Experiment data is retained for as long as the merchant's account is active.
- Completed experiments: Results are retained for 12 months after an experiment is completed, after which they may be automatically archived.
- Uninstalled apps: When a merchant uninstalls ABSplitLab, all associated data (experiments, variants, results) is permanently deleted within 30 days.
- Event data in Redis: Raw event data is buffered for a maximum of 60 seconds before being aggregated and flushed to PostgreSQL. No raw event data is retained long-term.
6. Merchant's Rights
As a merchant using ABSplitLab, you have the following rights:
- Access: You can view all your experiment data, configurations, and results at any time through the ABSplitLab dashboard.
- Export: You can export your experiment results in CSV format from the dashboard.
- Deletion: You can delete individual experiments or request full account data deletion by contacting us.
- Portability: Upon request, we will provide your data in a machine-readable format.
- Objection: You can pause or stop any experiment at any time, immediately ceasing data collection for that test.
7. Security
We implement industry-standard security measures to protect your data:
- All data in transit is encrypted via TLS 1.3.
- All data at rest is encrypted in our database.
- Authentication is handled through Shopify OAuth. We never store Shopify access tokens in plaintext.
- Access to production systems is restricted and logged.
8. Children's Privacy
ABSplitLab is a business-to-business service for Shopify merchants. We do not knowingly collect data from children under the age of 13.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For significant changes, we will notify merchants via email or an in-app notification.
10. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us: