Privacy Policy
Last updated: May 31, 2026
1. Who We Are
ConversionQuest ("ConversionQuest," "we," "us," "our") is a conversion rate optimization (CRO) intelligence platform for e-commerce businesses. We are incorporated in Ontario, Canada, and operate the website at conversionquest.ai. We provide our platform as a service to the businesses ("merchants," "you") that use it.
2. Scope of This Policy
This policy explains how we handle personal information when you:
— visit conversionquest.ai;
— use our interactive product demo;
— join our pilot waitlist; or
— participate in our pilot program by providing your e-commerce data for analysis.
We are based in Canada and comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Because our merchants and their customers may be located elsewhere, we also honor the data-subject rights described in Section 9 where other applicable laws (such as the EU/UK GDPR or California privacy laws) apply.
Our role. For information about our website visitors and waitlist subscribers, we are the data controller. For the e-commerce data a merchant provides for analysis, the merchant is the controller and we act as a processor/service provider on the merchant's behalf, under the terms of our Data Processing Agreement.
— visit conversionquest.ai;
— use our interactive product demo;
— join our pilot waitlist; or
— participate in our pilot program by providing your e-commerce data for analysis.
We are based in Canada and comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Because our merchants and their customers may be located elsewhere, we also honor the data-subject rights described in Section 9 where other applicable laws (such as the EU/UK GDPR or California privacy laws) apply.
Our role. For information about our website visitors and waitlist subscribers, we are the data controller. For the e-commerce data a merchant provides for analysis, the merchant is the controller and we act as a processor/service provider on the merchant's behalf, under the terms of our Data Processing Agreement.
3. Information We Collect
Website visitors. We use Google Analytics to collect standard, aggregated usage data (pages viewed, device type, browser, referral source) about visits to conversionquest.ai. We use this only to understand and improve the site. We do not use it for advertising or retargeting.
Pilot waitlist. If you submit the waitlist form, we collect your email address and the date of submission, solely to contact you about pilot availability.
Demo users. The interactive demo runs entirely on pre-generated sample data. It does not collect, upload, or process any information about you or any real business.
Pilot participants — your e-commerce data. To generate your analysis, you provide e-commerce data exports (for example, orders, sessions, and analytics data). Raw exports — particularly order exports — can contain personal information about your customers, such as names, email addresses, phone numbers, and billing and shipping addresses.
How we handle this data:
— Your file is transmitted to our processing environment over an encrypted (HTTPS) connection.
— On receipt, and before the data enters our analysis pipeline, our system automatically detects and removes direct personal identifiers — including customer names, email addresses, phone numbers, and billing and shipping addresses — from the data. This removal happens on our servers.
— Only the resulting de-identified dataset is used to produce your analysis.
— We do not need or want your customers' personal identifiers. You should not include sensitive personal information beyond what is necessary in a standard data export.
If we later offer the option to connect a data source directly (instead of uploading a file), the same server-side removal of personal identifiers will apply before any data enters the analysis pipeline, and we will update this policy to describe any access credentials we store to provide that feature.
Pilot waitlist. If you submit the waitlist form, we collect your email address and the date of submission, solely to contact you about pilot availability.
Demo users. The interactive demo runs entirely on pre-generated sample data. It does not collect, upload, or process any information about you or any real business.
Pilot participants — your e-commerce data. To generate your analysis, you provide e-commerce data exports (for example, orders, sessions, and analytics data). Raw exports — particularly order exports — can contain personal information about your customers, such as names, email addresses, phone numbers, and billing and shipping addresses.
How we handle this data:
— Your file is transmitted to our processing environment over an encrypted (HTTPS) connection.
— On receipt, and before the data enters our analysis pipeline, our system automatically detects and removes direct personal identifiers — including customer names, email addresses, phone numbers, and billing and shipping addresses — from the data. This removal happens on our servers.
— Only the resulting de-identified dataset is used to produce your analysis.
— We do not need or want your customers' personal identifiers. You should not include sensitive personal information beyond what is necessary in a standard data export.
If we later offer the option to connect a data source directly (instead of uploading a file), the same server-side removal of personal identifiers will apply before any data enters the analysis pipeline, and we will update this policy to describe any access credentials we store to provide that feature.
4. How We Use Information
— To provide, operate, secure, and improve the analysis service;
— To remove personal identifiers from provided data and produce de-identified CRO analysis;
— To communicate with you about your waitlist status or pilot participation;
— To maintain the reliability and security of our platform.
We do not sell, rent, or trade personal information. We do not use your data for advertising. We do not share one merchant's data with any other merchant, and we do not share it with any third party except the service providers listed in Section 5.
— To remove personal identifiers from provided data and produce de-identified CRO analysis;
— To communicate with you about your waitlist status or pilot participation;
— To maintain the reliability and security of our platform.
We do not sell, rent, or trade personal information. We do not use your data for advertising. We do not share one merchant's data with any other merchant, and we do not share it with any third party except the service providers listed in Section 5.
5. Service Providers (Sub-processors)
We rely on the following providers to operate. Each receives only the data necessary for its function:
— Vercel — hosts and delivers our website (website delivery only).
— Railway — hosts our backend processing and storage (United States). De-identified analysis inputs and results are processed and stored here.
— Anthropic (Claude API) — we send de-identified analytical data to Anthropic's Claude API to generate the narrative portion of your analysis. Under Anthropic's commercial API terms, this data is not used to train Anthropic's models and is deleted by Anthropic within 30 days.
— Google Analytics — collects aggregated usage data about our website only (see Section 3).
We maintain a current list of sub-processors and describe any additions through our Data Processing Agreement.
— Vercel — hosts and delivers our website (website delivery only).
— Railway — hosts our backend processing and storage (United States). De-identified analysis inputs and results are processed and stored here.
— Anthropic (Claude API) — we send de-identified analytical data to Anthropic's Claude API to generate the narrative portion of your analysis. Under Anthropic's commercial API terms, this data is not used to train Anthropic's models and is deleted by Anthropic within 30 days.
— Google Analytics — collects aggregated usage data about our website only (see Section 3).
We maintain a current list of sub-processors and describe any additions through our Data Processing Agreement.
6. Cookies
Our website uses:
— Analytics cookies (Google Analytics) to understand aggregated site usage; and
— Functional cookies to remember your session and preferences.
We do not use advertising or retargeting cookies. You can control cookies through your browser settings; disabling them may affect some site features.
— Analytics cookies (Google Analytics) to understand aggregated site usage; and
— Functional cookies to remember your session and preferences.
We do not use advertising or retargeting cookies. You can control cookies through your browser settings; disabling them may affect some site features.
7. Data Storage, Retention, and Security
Raw provided files. We remove personal identifiers from your provided data on receipt and before analysis. We retain the original file only as long as necessary to perform that removal and generate your analysis, after which it is deleted.
De-identified analysis data and results. So that you can revisit your results through your private dashboard link, we store your de-identified analysis inputs and the generated results on our infrastructure (Railway). We retain these for up to 12 months, or until you ask us to delete them, whichever comes first.
Waitlist emails. Retained until you ask us to remove them or the pilot program ends.
Aggregated, non-identifying statistics. We may retain aggregated statistics that do not identify you or your business (for example, distributions used to calibrate our analytical thresholds). These contain no merchant- or customer-identifying information.
Security. We protect information using encryption in transit (HTTPS), access controls on our infrastructure, and prompt server-side removal of personal identifiers from provided data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
De-identified analysis data and results. So that you can revisit your results through your private dashboard link, we store your de-identified analysis inputs and the generated results on our infrastructure (Railway). We retain these for up to 12 months, or until you ask us to delete them, whichever comes first.
Waitlist emails. Retained until you ask us to remove them or the pilot program ends.
Aggregated, non-identifying statistics. We may retain aggregated statistics that do not identify you or your business (for example, distributions used to calibrate our analytical thresholds). These contain no merchant- or customer-identifying information.
Security. We protect information using encryption in transit (HTTPS), access controls on our infrastructure, and prompt server-side removal of personal identifiers from provided data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. International Transfers
We are based in Canada and use service providers located in Canada and the United States (see Section 5). If you provide data from outside these countries, it will be transferred to and processed in Canada and the United States. Where required by applicable law, we rely on appropriate safeguards for these transfers and address them in our Data Processing Agreement.
9. Your Rights
Depending on your location, you may have the right to access, correct, delete, or restrict the use of your personal information, to withdraw consent, and to request a copy of your information. To exercise any of these rights, contact us at datafirstca@gmail.com. We will respond within 30 days, or sooner where a shorter period is required by law.
For e-commerce data that a merchant provided for analysis, requests from that merchant's own customers should be directed to the merchant (the controller of that data); we will assist the merchant in its capacity as a processor.
For e-commerce data that a merchant provided for analysis, requests from that merchant's own customers should be directed to the merchant (the controller of that data); we will assist the merchant in its capacity as a processor.
10. Children
ConversionQuest is a business-to-business service and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
11. Changes to This Policy
We may update this policy. Material changes will be posted here with an updated "Last updated" date and, where appropriate, communicated to active pilot participants.
12. Contact
Questions about this policy? Contact us at datafirstca@gmail.com