Privacy Policy
Simple Split Testing
Effective date: May 16, 2026
This Privacy Policy applies to the Simple Split Testing app ("the App") published by HELTRA LLC ("we", "us", "our"). It covers data collected by this specific app. Shared commitments that apply across every Culsin app - sub-processors, international transfers, DPA availability, CCPA, security incidents, change notification - are described on the Culsin Privacy index.
This Privacy Policy describes how the App handles data. Your use of Shopify is governed by Shopify's own legal documents; this policy only applies to the App.
Who we are
HELTRA LLC
254 Chapman Rd, Ste 208 #17026
Newark, Delaware 19702, United States
Privacy inquiries: privacy@culsin.com
What the App does
The App is an A/B testing platform for Shopify storefronts. When a merchant has an active test, the App assigns each visitor to one variant of that test, keeps them in that variant on subsequent page loads, and records conversions (orders, cart adds, custom events) so the merchant can see which variant performs better.
The App does not collect or store any name, email address, postal address, or other information that directly identifies a shopper. It uses a pseudonymous random identifier to keep variant assignments stable across page loads. Variant assignment is automated, but it produces no legal or similarly significant effects on the visitor within the meaning of GDPR Article 22.
Cookies
The App sets the following first-party cookies on the storefront when at least one test is active or a preview link is being used:
- splt_usr_id - 90-day expiry. A pseudonymous random identifier that keeps the visitor in the same variant across sessions and links order webhooks back to a variant for revenue attribution. Not linked to any name, email, or Shopify customer record.
- splt_assignments - 5-minute expiry. Short-lived cache of the current page's variant assignments to avoid a re-fetch and visible flicker on every page navigation.
- splt_preview - 5-minute expiry. Set only when a merchant or reviewer is using a signed preview link from the admin. Not set for ordinary shoppers.
All cookies are first-party (set on the merchant's domain), restricted to same-site requests, and transmitted only over HTTPS.
Cart attribute attribution
When a visitor with an active assignment interacts with the cart, the App stamps the cart with a cart attribute containing the visitor's pseudonymous identifier. This attribute rides through the checkout and lets order webhooks attribute the resulting order back to the variant the visitor saw.
No customer name, email, address, or payment information is read or stored by the App at any point. The attribution is between a pseudonymous visitor identifier and a variant - nothing more.
Web pixel events
The App registers a Shopify web pixel that forwards storefront analytics events for conversion tracking. The events forwarded are: page views, product views, cart adds, cart views, checkout steps, completed orders, and any custom events the merchant has defined in the admin.
Each event payload contains:
- The event name and a timestamp
- The pseudonymous visitor identifier (splt_usr_id)
- The Shopify cart ID, if a cart exists
- The Shopify customer ID, only if the visitor is logged in
- The Shopify session and visitor cookies (set by Shopify, not by the App)
- The page URL and referrer
The Shopify customer ID is a pseudonymous numeric reference and constitutes personal data under GDPR. The App does not resolve it to a name, email, or address; it is used solely to deduplicate sessions for the same logged-in customer. IP addresses are visible to our edge infrastructure in transit but are not stored alongside event records.
Consent gating
The App checks Shopify's Customer Privacy API on every page load. If the visitor has not granted analytics consent, or has opted out of sale or sharing of data (relevant for CCPA-region visitors), the App does not bucket the visitor, does not set any cookies, and does not forward any events.
When the visitor later grants consent, the App resumes operation on the next page load. The App requires no separate consent banner of its own - it inherits whatever consent UI the merchant has configured.
Global Privacy Control (GPC) signals are honoured via Shopify's Customer Privacy API, which surfaces them to the App as a request to opt out of sale or sharing of personal information.
Geolocation
When a test is restricted to specific countries, the App determines the visitor's country from edge-network geolocation provided by our hosting infrastructure. Only the two-letter country code is used. The visitor's IP address is not stored.
How we use this data
The data is used solely to operate the App: bucketing visitors into variants, counting conversions per variant, computing statistical significance, and attributing orders back to variants. We do not use the data for marketing, advertising, or any purpose beyond providing the App's functionality.
Legal basis under GDPR Article 6:
- Storefront cookies and forwarded events - consent of the visitor, captured via the merchant's consent banner and surfaced to the App through Shopify's Customer Privacy API (Art. 6(1)(a)).
- Variant assignment and aggregated test analytics - legitimate interest of the merchant in measuring the performance of their own storefront (Art. 6(1)(f)).
- Merchant admin data (OAuth identity, billing) - contract performance with the merchant (Art. 6(1)(b)).
Roles. For visitor data collected from the merchant's storefront, the merchant is the controller and HELTRA LLC acts as a processor under the merchant's instructions. For merchant account data (admin login, billing), HELTRA LLC is the controller.
Data storage
Test configuration, assignments, and event aggregates are stored in a Turso database (LibSQL) on AWS infrastructure. Data is stored per-shop and is not shared between merchants. Data in transit is encrypted via TLS; data at rest is encrypted by the database provider.
Data retention
Data is retained for as long as the App is installed. When the App is uninstalled, all shop data is permanently deleted within 48 hours, in line with Shopify's GDPR requirements.
Aggregated or de-identified analytics that cannot reasonably be linked to any individual visitor may be retained beyond uninstall for product improvement and benchmarking.
Your rights
The App honours Shopify's mandatory GDPR webhooks:
- customers/redact - event rows keyed to the supplied Shopify customer ID are deleted within 30 days of a merchant-initiated erasure request. Where the merchant can supply the visitor's splt_usr_id cookie value, the App will also redact the pseudonymous event rows for that visitor. Otherwise, those rows age out on the App's retention schedule.
- shop/redact - all shop data is permanently deleted within 48 hours of uninstall.
- customers/data_request - the merchant can retrieve any event rows tied to a specific Shopify customer ID, or - if supplied - to a specific splt_usr_id cookie value. Rows that cannot be tied to either identifier cannot be linked to a customer identity on request.
If you are a store visitor and want to request access to or deletion of your data, contact the merchant whose store you visited. If you cannot reach them, contact us at privacy@culsin.com. We will respond within 30 days.
EEA, UK, and Swiss visitors have the right to lodge a complaint with the data protection supervisory authority in their country of residence.
California residents may designate an authorised agent to submit access or deletion requests on their behalf; we will verify the agent's authority before fulfilling the request.
Sub-processors
The App uses the following sub-processors:
- Turso (ChiselStrike, Inc.) - database hosting. Stores test configuration, assignments, and event aggregates on AWS infrastructure.
- Cloudflare, Inc. - hosts the App backend. Provides edge networking, country geolocation, and (for scheduled jobs) Workers KV.
- Mantle (Charged Commerce, Inc.) - billing and subscription management. Does not have access to test or event data.
- Axiom, Inc. - application logging for debugging. Receives shop domains and request metadata; does not receive event payload content.
See the Culsin Privacy index for our sub-processor change notification commitment.
DPA, transfers, CCPA, security
Data processing addendum availability, international transfer mechanisms (SCCs), California (CCPA/CPRA) rights, and security incident notification are covered on the Culsin Privacy index - they apply to this app the same way they apply to every Culsin app.
App-specific California disclosures:
- We do not sell or share personal information for cross-context behavioural advertising.
- We do not collect sensitive personal information as defined under the CPRA.
- The categories of personal information processed by the App are limited to: pseudonymous online identifiers (cookie values, Shopify customer ID), commerce activity (cart, checkout, order events), and approximate location (country code).
Children
The App is not directed to children and we do not knowingly collect personal data from individuals under 16. Merchants are responsible for ensuring their own storefront complies with applicable rules on minors.