Growth Layer — privacy notice
Growth Layer is a Shopify app that detects anomalies in your Klaviyo and Shopify metrics, diagnoses likely causes, and lets you take one-click corrective action. The merchant is the data controller; sico is the data processor.
1. Shopify scopes we request
read_orders, read_customers, read_products, read_analytics
2. What we read
| Source | Examples | Where it goes |
|---|---|---|
| Shopify orders and refunds | line items, totals, channel, customer email (hashed) | metrics_timeseries (revenue, AOV, refund rate) |
| Klaviyo metrics | open rate, click rate, revenue-per-recipient, send time | metrics_timeseries; baselines for anomaly detection |
| Klaviyo flows and segments | name, status, schedule, predicate (no shopper PII) | used by the diagnosis library |
3. What we write
Only when you explicitly approve a suggested action. Actions are limited to: pause flow, resume flow, update a flow's send time, and create a Klaviyo segment from a predicate. We capture the pre-state so you can roll back within 24 hours.
4. Visitor identification (W15 onward — opt-in module)
If you enable the visitor-ID module, we install a small first-party pixel on your storefront that records visit events to a domain we control. We then call a third-party identity-graph provider (RB2B; an Opensend adapter is on the roadmap) to resolve anonymous visits to professional contact records. Resolved contacts are de-duplicated against your existing Klaviyo profiles before being added.
This module is off by default. The pixel is only active if you turn it on, and only on stores you have authority to instrument.
5. Third-party processors used by this app
| Processor | Why | What flows out |
|---|---|---|
| Klaviyo | read metrics; execute approved actions | flow + segment writes you approved |
| Meta Marketing API | custom-audience push (visitor-ID module only) | SHA-256-hashed email or phone |
| Google Ads API | customer-match push (visitor-ID module only) | SHA-256-hashed email |
| RB2B (or successor) | identity resolution (visitor-ID module only) | session signals; PII flows back to us |
| Anthropic | diagnosis fallback when rule-based diagnosis returns nothing | metric names + values, no PII |
| Resend | daily digest emails to ops staff | your team's email addresses |
6. Customer-level rights
Shopify's GDPR webhooks (customers/data_request, customers/redact, shop/redact) are honoured. Klaviyo profiles we wrote are deleted via Klaviyo's profile-delete API on customers/redact. Hashed entries in Meta Custom Audiences and Google Customer Match lists are removed.
7. Uninstall
Same two-phase deletion as the other Shopify apps — see main notice §7.