Version 2026-07-17 · operated by Wisepops
Privacy Policy
This policy explains how Wisepops, operating the Evarist product, handles personal data. It covers two groups: Evarist account holders, and visitors to the websites of our customers.
A. Evarist account holders
When you create an Evarist account we process your email address and your account and site records. Sign-in links are sent by email through our provider Postmark; connection (OAuth) tokens are stored only in hashed form. Our legal basis is the performance of our contract with you. We keep this data for the life of your account and delete it when you delete your account.
B. Visitors of our customers' websites (we act as processor)
When one of our customers (the site owner) deploys the Evarist tracker, we process the following on their behalf and on their instructions:
- a first-party visitor identifier and a session identifier — random values stored in first-party cookies. There are no third-party cookies and no device fingerprinting. If the site owner enables cross-domain linking, this first-party identifier may be carried — in the navigation URL — between the site owner's own declared domains, so a visit spanning those domains is counted as one visitor; this is limited to the site owner's own domains and is never third-party or cross-publisher tracking;
- per page view: the page URL and title, the referrer, the session landing URL and referrer, the browser timezone, scroll depth and visible time on the page;
- derived on our servers when we receive the event: an approximate country, obtained from the visitor's IP address — the IP address is masked before storage and is not retained — and the browser, operating system, and device family from the User-Agent.
We do not collect form inputs, email addresses, phone numbers, or any other content typed into or displayed on the page. The tracker never reads input fields.
Retention. Identifiable visitor event and session data is deleted or anonymised after 25 months. The visitor identifier cookie expires after 13 months; the session cookie expires after 30 minutes of inactivity (4-hour maximum).
C. Shopify stores: order data (we act as processor)
If the site owner installs our Shopify app, we additionally process, on their behalf and on their instructions, a limited set of order facts read from the Shopify Admin API, so that we can attribute revenue to the traffic sources that produced it:
- the order's identifier and order number, its timestamps, currency, test flag, cancellation status and financial status;
- monetary totals only: net payment, total price, total refunded and total discounts;
- the cart attributes the site owner's storefront carries, which we use to reconnect an order to the visit that produced it;
- product and inventory records (titles, types, prices, stock levels) — information about the shop's catalogue, not about any person.
We do not request or receive customer names, email addresses, phone numbers or shipping and billing addresses. We never ask Shopify for them: our app holds no customer-data permissions, and the queries we send contain no customer fields. An order total can still relate to a person, which is why we treat this data as personal data and describe it here.
Our Shopify checkout pixel records the same conversion and funnel signals as the tracker described above (order identifier, order value, product identifiers) and reads the shopper's privacy choice from Shopify: where the shopper has declined analytics, the pixel does not run.
Retention. Individual order records are deleted after 65 days. Beyond that we keep only daily totals per traffic source, which do not identify anyone.
D. Consent and legal basis
The site owner (the controller) is responsible for establishing a legal basis and for obtaining any consent required before the tracker runs. Evarist uses privacy-preserving techniques — first-party only, no third-party cookies, no device fingerprinting, the visitor's IP masked before storage, and retention capped at 25 months. Because Evarist also enables individual-level analysis of visitor behaviour (not solely anonymous aggregate statistics), controllers should not assume it qualifies for narrow "audience-measurement" consent exemptions; obtaining any consent required under ePrivacy or cookie rules remains the controller's responsibility. We do not currently act on Do Not Track signals. Under the California CCPA/CPRA, Evarist provides first-party analytics and does not "sell" or "share" personal information, so Global Privacy Control opt-out-of-sale signals do not apply to it.
E. Your rights
Subject to applicable law you may request access, rectification, erasure, restriction, portability, and may object to processing (GDPR / UK GDPR), and you have the CCPA rights to know, delete, and correct, and to non-discrimination for exercising them. Account holders can exercise these rights by contacting us or by deleting their account. If you are a visitor to a customer's website, please contact that site owner (the controller); we assist controllers in fulfilling such requests.
F. International transfers & contact
Personal data may be processed in the United States by our infrastructure provider under appropriate safeguards (see the DPA and the sub-processor list). To exercise a right or ask a question, contact us at the address published on our website.
Terms · Privacy · DPA · Sub-processors