Privacy Policy

Last updated: 11 March 2026

1. Introduction

Exceedity A/B ("we", "our", or "the Service") is an A/B testing platform operated by Exceedity Ltd. This Privacy Policy explains how we collect, use, store, and protect data when you use our Service at ab.exceedity.com, and when the A/B testing code runs on stores that use our platform.

This policy covers two categories of people:

  • Platform Users — Partners and team members who log in to ab.exceedity.com to manage experiments
  • Store Visitors — Shoppers who visit stores running A/B tests powered by our platform

2. Data We Collect from Platform Users

2.1 Account Information

Authentication is handled via Exceedity SSO (shared with bi.exceedity.com). We access:

  • Email address (for authentication and email alerts)
  • Organization membership (which orgs you belong to)

2.2 How We Use Platform User Data

  • Authenticate your access to the Service
  • Send experiment alerts (significance reached, traffic imbalance, daily digests)
  • Log actions for audit purposes (who started, paused, or decided an experiment)

2.3 Cookies on ab.exceedity.com

We use only essential cookies required for authentication and session management. We do not use advertising cookies, analytics trackers, or cross-site tracking technologies on the platform itself.

3. Data We Collect from Store Visitors

When a Shopify store runs an A/B test using our platform, a JavaScript snippet runs on the storefront. This snippet collects data from visitors to measure experiment results. The store owner (not Exceedity) is the data controller for this data. Exceedity acts as a data processor on their behalf.

3.1 Visitor Identification

  • Visitor ID — A randomly generated unique identifier stored as a first-party cookie (_ab_vid, 365-day expiry, SameSite=Lax) with localStorage fallback. This is not linked to any personal identity (name, email, etc.).

3.2 Bot Detection Signals

To filter out non-human traffic (which can exceed 40% of ecommerce traffic), we collect the following behavioural signals on the first page load:

  • Whether mouse, scroll, touch, or keyboard events occurred
  • Page load time (milliseconds)
  • Screen resolution, timezone, and browser language preferences
  • Whether the browser is automated (WebDriver flag)
  • Browser plugin count
  • User-Agent string

These signals are used solely to compute a bot probability score (0–1). They are not used for advertising, profiling, or tracking visitors across websites.

3.3 Experiment Events

The following events are recorded to measure experiment outcomes:

  • Impression — Which experiment variant a visitor was shown
  • Add to Cart — Product added to cart (with product price)
  • Checkout Started — Cart total and line item count
  • Purchase — Order ID, purchase amount, currency, line item count
  • Click — Clicks on tracked elements (if configured)

Each event includes the visitor ID, experiment ID, variant ID, page URL, and timestamp.

3.4 Assignment Data

We record which experiment variant each visitor was assigned to. Assignment is deterministic (based on a hash of the visitor ID and experiment seed) and does not require a server call.

3.5 What We Do NOT Collect from Store Visitors

  • Names, email addresses, or phone numbers
  • IP addresses (not stored in our database)
  • Payment card details (handled entirely by Shopify)
  • Social media identifiers
  • Precise geographic location

4. Legal Basis for Processing

For platform users, we process data based on contractual necessity (providing the Service you signed up for) and legitimate interest (audit logging, security).

For store visitor data, the legal basis is determined by the store owner (data controller). Typically this is legitimate interest (improving the user experience through A/B testing) or consent (via cookie consent banners). Store owners are responsible for ensuring an appropriate legal basis exists.

5. How We Use Store Visitor Data

We use store visitor data solely to provide A/B testing services:

  • Assign visitors to experiment variants consistently across sessions
  • Track conversion events (purchases, add-to-carts, etc.) per variant
  • Compute statistical significance (mSPRT, Bayesian analysis)
  • Filter bot traffic from experiment results
  • Detect traffic imbalances (Sample Ratio Mismatch)

5.1 What We Do NOT Do With Store Visitor Data

We explicitly do not:

  • Sell, rent, or transfer visitor data to third parties
  • Use visitor data for advertising, retargeting, or profiling
  • Share data between different stores or organizations
  • Use visitor data for AI training or machine learning (beyond bot score calculation)
  • Track visitors across different websites
  • Attempt to identify individual visitors by name or contact details

6. Data Storage and Security

6.1 Where We Store Data

Data is stored securely using Supabase (PostgreSQL database) with infrastructure hosted in the European Union. The application server is hosted by Gandi in France.

6.2 Security Measures

  • Encryption in transit (HTTPS/TLS) for all data transfers
  • Row-level security (RLS) ensuring organizations can only access their own data
  • Service role keys stored as environment variables, never exposed to browsers
  • Bot detection signals processed server-side via Supabase Edge Functions
  • Audit logging of all experiment actions

7. Data Retention and Deletion

7.1 Experiment Data

Visitor data (assignments, events, bot signals, statistical results) is retained for as long as the experiment exists. When an experiment is deleted or restarted, all associated visitor data is permanently removed.

7.2 Visitor ID Cookie

The _ab_vid cookie expires after 365 days. Visitors can delete it at any time by clearing their browser cookies.

7.3 Account Deletion

You may request complete deletion of your account and all associated data by contacting us. Upon receiving a deletion request, we will delete all organization data, experiments, and visitor data within 30 days.

8. Data Sharing

We do not share data with third parties except in the following limited circumstances:

  • Service Providers: We use Supabase for database hosting and Gandi for application hosting. These providers process data on our behalf under strict contractual obligations.
  • Email Notifications: Experiment alerts are sent via our own mail server. No third-party email services are used.
  • Legal Requirements: We may disclose data if required by law, court order, or governmental authority.

9. Your Rights

Under applicable data protection laws (including UK GDPR), you have the right to:

  • Access: Request a copy of the data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Request your data in a machine-readable format
  • Withdraw Consent: Close your account at any time
  • Object: Object to certain processing of your data

To exercise these rights, contact us.

Store visitors who wish to exercise their rights should contact the store owner (data controller) directly. Store owners can delete experiment data via the platform or contact us for assistance.

10. Store Owner Responsibilities

If you are a store owner using Exceedity A/B on your Shopify store, you are the data controller for the visitor data collected by our snippet. You are responsible for:

  • Updating your store's privacy policy to disclose the use of A/B testing
  • Ensuring your cookie consent mechanism covers the A/B testing cookie (_ab_vid)
  • Responding to data subject access requests from your customers
  • Ensuring an appropriate legal basis for processing (typically legitimate interest or consent)

10.1 Sample Privacy Policy Text for Your Store

You may adapt the following text for your store's privacy policy:

A/B Testing

We use an A/B testing service provided by Exceedity Ltd to improve your shopping experience. This involves:

  • Placing a cookie (_ab_vid) that assigns you a random visitor ID to ensure you see a consistent version of the site
  • Recording which version of a page you see and whether you take actions such as adding items to your cart or completing a purchase
  • Collecting basic browser information (screen size, timezone, browser type) to filter out automated traffic

This data does not identify you personally (no name, email, or IP address is stored) and is used solely to determine which version of a page performs better. You can opt out by clearing your browser cookies or using your browser's cookie settings to block the _ab_vid cookie.

For more information, see the Exceedity A/B Privacy Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes to how we handle data, we will notify platform users via email before the changes take effect.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.

  • Company: Exceedity Ltd (Company No. 14683104)
  • Registered Address: Willoughby House, 2 Broad Street, Stamford, PE9 1PB, United Kingdom