Privacy Policy

Last updated: April 4, 2026

The short version

  • We only collect data necessary to deliver your daily email reports.
  • Your analytics data is fetched, processed, and emailed to you. We don't sell it. Ever.
  • We use industry-standard encryption and security practices.
  • You can export or delete your data at any time.
  • When you connect a Shopify store, we request read-only access to orders — nothing else.

Read on for the legally complete version.

Morning Pulse ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and service (the "Service").

This policy applies to all users of Morning Pulse, regardless of location. Where specific regulations apply (such as the GDPR for EU/EEA users or the CCPA for California residents), additional provisions are noted below.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Your name, email address, and password when you create an account.
  • Billing Information: Payment method details (credit card number, billing address) processed securely through our third-party payment processor. We do not store full card numbers on our servers. If you install Morning Pulse via the Shopify App Store, billing is handled entirely by the Shopify Billing API — Shopify charges your account on our behalf, and we never see your payment card data in that flow.
  • Preferences: Your selected metrics, delivery time, timezone, and notification preferences.
  • Communications: Any messages or feedback you send to our support team.

1.2 Information from Third-Party Services

  • Google Analytics 4 Data: When you connect your GA4 account, we request the analytics.readonly OAuth 2.0 scope. This grants read-only access to your GA4 property data — including metrics such as sessions, pageviews, active users, traffic sources, conversions, and revenue data — via the Google Analytics Data API. See Section 14 for our complete Google User Data disclosure.
  • Apple App Store Connect Data: When you provide an App Store Connect API key, we access metrics such as app units, impressions, product page views, in-app purchases, proceeds, crash counts, and ratings via the App Store Connect API.
  • Google Play Console Data: When you provide a service account JSON key, we access metrics such as store listing visitors, installs, uninstalls, revenue, ratings, reviews, and crash reports via the Google Play Developer Reporting API.
  • Stripe Data: When you provide a restricted API key with read-only permissions, we access metrics such as charges, customer counts, active subscriptions, balance transactions, and revenue breakdowns via the Stripe API. We never gain the ability to create charges, issue refunds, or modify any data in your Stripe account.
  • Shopify Merchant Data: When you install the Morning Pulse Shopify app (or connect your store via OAuth), we request the read_orders scope. This grants read-only access to order-level aggregate metrics — order count, gross sales, refunds, and currency — via the Shopify Admin API. We do not access individual customer PII, product catalogs, inventory, shipping addresses, or fulfillment data. We never request any write_* scopes, so we cannot create, modify, refund, or cancel anything in your store. See Section 15 for our complete Shopify Merchant Data disclosure.

We only request the minimum data scopes necessary to generate your reports. We do not access personal data of your end users.

1.3 Information Collected Automatically

  • Usage Data: Pages visited, features used, email open rates, and click-through rates to improve the Service.
  • Device Information: Browser type, operating system, device type, and screen resolution.
  • Log Data: IP address, access timestamps, referring URLs, and error logs for security and diagnostics.
  • Cookies: We use essential cookies for authentication and session management. See Section 8 for details.

2. How We Use Your Information

We use collected information for the following purposes:

Service Delivery

Fetching your analytics data, generating reports, and delivering daily emails.

Account Management

Authentication, billing, subscription management, and customer support.

Service Improvement

Analyzing usage patterns to improve features, performance, and user experience.

Communication

Service announcements, security alerts, billing notifications, and (with consent) product updates.

Security & Fraud Prevention

Detecting unauthorized access, preventing abuse, and maintaining platform integrity.

Legal Compliance

Meeting legal obligations, responding to lawful requests, and enforcing our Terms.

We do not use your analytics data for advertising, profiling, or any purpose other than generating your requested reports.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you signed up for.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Improving the Service, ensuring security, and preventing fraud, where these interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a) GDPR): Marketing communications and non-essential cookies, which you may withdraw at any time.
  • Legal Obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws and regulations.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • Service Providers: We engage trusted third-party processors to assist with payment processing (Stripe), cloud hosting (Render, AWS), and analytics (GA4), as well as Shopify, which acts as the data source and billing processor for merchants who install Morning Pulse from the Shopify App Store. Each processor is bound by data processing agreements and may only use your data as instructed by us.
  • Legal Requirements: We may disclose information if required by law, subpoena, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your data.
  • With Your Consent: We may share data with third parties when you explicitly authorize us to do so.

5. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy:

Data Type | Retention Period
Account information | Until account deletion + 30 days
Analytics data (reports) | 90 days rolling, then permanently deleted
Billing records | 7 years (legal/tax requirement)
Server logs | 90 days
Support correspondence | 2 years after last interaction
OAuth tokens / API keys | Until revoked or account deletion
Shopify order aggregates | 90 days rolling, then permanently deleted
Shopify OAuth tokens | Until uninstall or account deletion (then deleted within 48h via shop/redact)

When data is no longer needed, it is permanently deleted or anonymized so that it can no longer be associated with you.

6. Data Security

We implement robust technical and organizational measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser, our servers, and third-party APIs is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption.
  • Access Controls: Access to user data is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication.
  • Infrastructure: We host on Render, which operates on SOC 2 Type II-compliant AWS infrastructure, with regular security audits and automated vulnerability scanning.
  • OAuth & API Key Security: Google OAuth refresh tokens and App Store Connect API keys are stored encrypted at rest (AES-256) in our database and are never exposed in logs, client-side code, or to support staff.
  • Incident Response: We maintain an incident response plan and will notify affected users within 72 hours of discovering a personal data breach, as required by applicable law.

While we take every reasonable precaution, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the highest commercially reasonable standard.

7. International Data Transfers

Morning Pulse is based in the United States. If you access the Service from outside the U.S., your data may be transferred to and processed in the United States or other countries where our service providers operate.

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors that include appropriate safeguards.
  • Additional technical measures (encryption, pseudonymization) to ensure an equivalent level of protection.

8. Cookies and Tracking Technologies

We use a minimal set of cookies:

Cookie | Type | Purpose | Duration
mp_session | Essential | Authentication and session management | Session
mp_csrf | Essential | Cross-site request forgery protection | Session
mp_prefs | Functional | Remembering your timezone and preferences | 1 year

We also use the following cookie to remember your consent preferences:

Cookie | Type | Purpose | Duration
cookieyes-consent | Essential | Stores your cookie consent preferences (set by CookieYes) | 1 year

Cookie Consent Management

We use CookieYes to manage your cookie preferences. When you first visit our website, a consent banner lets you choose which categories of cookies to accept. You can change your preferences at any time by clicking Cookie Settings.

We use Google Analytics 4 for our own first-party website analytics (tracking page visits and feature usage on morningpulse.app). This is separate from the Google Analytics Data API access described in Section 1.2 and Section 14, which accesses your GA4 property data to generate your reports. Website analytics cookies are only loaded after you give consent via the cookie banner.

We do not use advertising cookies, tracking pixels, or social media trackers of any kind.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 Rights for All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Data Portability: Request an export of your data in a machine-readable format (JSON or CSV).
  • Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.

9.2 Additional Rights for EU/EEA/UK Users (GDPR)

  • Restriction: Request restriction of processing under certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Supervisory Authority: Lodge a complaint with your local data protection authority.

9.3 Additional Rights for California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information collected.
  • Right to Delete: Request deletion of personal information collected.
  • Right to Opt-Out of Sale: We do not sell personal information. This right is automatically honored.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA.

To exercise any of these rights, contact us at privacy@morningpulse.app. We will respond within 30 days (or sooner where required by law). We may need to verify your identity before processing your request.

10. Children's Privacy

Morning Pulse is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal data, we will take immediate steps to delete that information.

If you believe a child has provided us with personal data, please contact us at privacy@morningpulse.app.

11. Third-Party Links

The Service may contain links to third-party websites or services that are not owned or controlled by Morning Pulse. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Do Not Track Signals

We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable any non-essential analytics tracking for that session. Since we already use privacy-focused analytics that does not track individual users, the practical effect is minimal — your experience remains unchanged.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify you by email at least 15 days before changes take effect.
  • For significant changes, we may require you to re-acknowledge the updated policy.

We encourage you to review this page periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

14. Google User Data

This section specifically addresses how Morning Pulse accesses, uses, stores, and protects data obtained through Google APIs, in accordance with the Google API Services User Data Policy, including the Limited Use requirements.

14.1 What Google User Data We Access

Morning Pulse requests the analytics.readonly OAuth 2.0 scope, which grants read-only access to your Google Analytics 4 property data. Specifically, we access:

  • Sessions, pageviews, and active user counts
  • Traffic sources and acquisition channels
  • Conversion events and goal completions
  • Revenue and e-commerce metrics (if configured in your GA4 property)

We do not access personally identifiable information about your end users, and we do not request write access to your Google Analytics account.

14.2 How We Use Google User Data

Google user data is used exclusively to:

  • Generate your daily and weekly KPI email reports
  • Display metrics on your Morning Pulse dashboard

We do not use Google user data for any other purpose. Specifically, we do not:

  • Use Google user data for advertising, retargeting, or any form of ad targeting
  • Sell, rent, lease, or trade Google user data to any third party
  • Use Google user data to train artificial intelligence or machine learning models
  • Use Google user data for credit-worthiness assessments or lending purposes
  • Use Google user data to build user profiles for purposes unrelated to the Service
  • Transfer Google user data to any third party for purposes unrelated to providing or improving the Service

14.3 How We Store and Protect Google User Data

  • OAuth Refresh Tokens: Stored encrypted at rest (AES-256) in our database. Tokens are never logged, exposed in client-side code, or accessible to support staff.
  • Analytics Data: Fetched metrics are stored for up to 90 days to generate your reports, then permanently deleted.
  • Encryption in Transit: All communication with Google APIs uses TLS 1.2 or higher.
  • Access Controls: Only the automated report generation system accesses your Google data. No human has direct access to your raw analytics data.

14.4 How We Share Google User Data

We do not share, transfer, or disclose your Google user data to any third party, except:

  • Cloud Infrastructure Provider: Our hosting provider (Render, operating on AWS) processes data as a sub-processor solely to run our application. They do not have independent access to or use of your Google data.
  • Legal Requirements: We may disclose data if required by a valid legal process (e.g., court order, subpoena).

We do not share Google user data with advertising networks, data brokers, or information resellers.

14.5 Data Deletion and Revocation

You can revoke Morning Pulse's access to your Google data at any time by:

  • Disconnecting your Google Analytics integration from your Morning Pulse settings page
  • Revoking access via your Google Account permissions page
  • Deleting your Morning Pulse account entirely

Upon revocation or account deletion, we delete your stored OAuth tokens immediately and your cached analytics data within 30 days.

14.6 Limited Use Compliance

Morning Pulse's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

15. Shopify Merchant Data

This section specifically addresses how Morning Pulse accesses, uses, stores, and protects merchant data obtained through the Shopify Admin API, in accordance with the Shopify API Terms of Service and the Shopify Partner Program Agreement.

15.1 What Shopify Data We Access

Morning Pulse requests the read_orders scope, which grants read-only access to your Shopify store's order data via the Shopify Admin API. Specifically, we read order-level aggregate metrics:

  • Order count
  • Gross sales
  • Refunds
  • Currency

We do not access customer PII, products, inventory, shipping addresses, or fulfillment data. We never request any write_* scope, so we cannot create, modify, refund, or cancel anything in your store.

15.2 How We Use Shopify Data

Shopify merchant data is used exclusively to:

  • Generate your daily and weekly KPI email reports
  • Display metrics on your Morning Pulse dashboard

We do not use Shopify merchant data for any other purpose. Specifically, we do not:

  • Use Shopify data for advertising, retargeting, or any form of ad targeting
  • Sell, rent, lease, or trade Shopify data to any third party
  • Use Shopify data to train artificial intelligence or machine learning models
  • Use Shopify data for credit-worthiness assessments or lending purposes
  • Use Shopify data to build merchant or user profiles for purposes unrelated to the Service
  • Transfer Shopify data to any third party for purposes unrelated to providing or improving the Service

15.3 How We Store and Protect Shopify Data

  • OAuth Access Tokens: Stored encrypted at rest (AES-256) in our database. Tokens are never logged, exposed in client-side code, or accessible to support staff.
  • Order Aggregates: Fetched order aggregates are retained for up to 90 days rolling to generate your reports, then permanently deleted.
  • Encryption in Transit: All communication with the Shopify Admin API uses TLS 1.2 or higher.

15.4 How We Share Shopify Data

We do not share, transfer, or disclose your Shopify merchant data to any third party, except:

  • Cloud Infrastructure Provider: Our hosting provider (Render, operating on AWS) processes data as a sub-processor solely to run our application. They do not have independent access to or use of your Shopify data.
  • Legal Requirements: We may disclose data if required by a valid legal process (e.g., court order, subpoena).

We do not share Shopify merchant data with advertising networks, data brokers, or information resellers.

15.5 Data Deletion, Uninstall, and GDPR Webhooks

You can revoke Morning Pulse's access to your Shopify data at any time by:

  • Uninstalling the app from your Shopify Admin (Apps → Morning Pulse → Uninstall)
  • Disconnecting the Shopify integration from your Morning Pulse settings page
  • Deleting your Morning Pulse account entirely

We honor the Shopify GDPR mandatory webhooks as follows:

  • app/uninstalled: On app uninstall, we immediately cancel the subscription and mark the OAuth credential as revoked.
  • shop/redact: Approximately 48 hours after uninstall, Shopify fires this webhook. We then hard-delete all store data, OAuth tokens, and cached order aggregates for that shop. This deletion is permanent and non-recoverable.
  • customers/data_request and customers/redact: These webhooks are received, verified, and acknowledged. Because Morning Pulse stores no Shopify customer PII, there is nothing to return or redact — the response is a logged no-op, recorded for the compliance trail.

If you need immediate deletion before the 48-hour shop/redact window, email privacy@morningpulse.app and we will purge your data on request.

15.6 Compliance with Shopify Policies

Morning Pulse's handling of Shopify merchant data adheres to the Shopify API Terms of Service and the Shopify Partner Program Agreement.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please reach out:

Morning Pulse — Data Protection

Email: privacy@morningpulse.app

Website: morningpulse.app

For GDPR-related inquiries, you may also contact our Data Protection Officer at dpo@morningpulse.app.

We aim to respond to all privacy-related requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.