Privacy Policy
Last updated: April 18, 2026
This Privacy Policy explains how VOLBAK LTD ("VOLBAK", "we", "us") collects, uses and protects information in connection with WeProfit, our profit analytics and server-side tracking platform for e-commerce merchants (the "Service"), and this website, weprofit.com. Questions? Contact us at [email protected].
1. Who we are
WeProfit is operated by VOLBAK LTD, a company registered in the United Kingdom. For data protection purposes, VOLBAK LTD is the controller of merchant account data and a processor of the store data merchants connect to the Service.
2. Information we collect
From merchants (our customers)
- Account information — name, email address, password (stored hashed), and billing details when paid plans launch.
- Store data — orders, refunds, products, product costs, sessions and related commerce events from the store platforms a merchant connects (for example Shopify, WooCommerce or Wix), used solely to compute analytics and profit for that merchant.
- Advertising account data — when a merchant connects an advertising account (for example Google Ads, Meta, TikTok or Pinterest), we import read-only reporting data: ad account identifiers, campaign names and daily spend figures. We never read ad creatives, audiences or billing details, and we never create or modify anything in a connected ad account.
- Support communications — messages you send us.
From shoppers (our merchants' customers)
- On behalf of merchants, the Service processes commerce events (page views, carts, checkouts, purchases) and related identifiers needed for attribution — for example ad click identifiers, cart attributes, checkout tokens, hashed email addresses and landing-page URLs.
- Where a merchant has configured server-side event delivery, we transmit those conversion events (with the identifiers each destination requires, such as hashed contact details and click identifiers) to the advertising platforms that merchant has chosen — for example Meta or Google — solely on the merchant's instructions, so the merchant's own ad accounts can measure their campaigns.
- For all shopper data we act as a processor under the merchant's instructions; shoppers should direct privacy requests to the store they purchased from, and we assist merchants in fulfilling them.
From visitors to this website
- This website is static and sets no analytics or advertising cookies.
3. How we use information
- To provide the Service: compute profit, attribution and reporting for each merchant.
- To operate, secure and improve the Service, and to provide support.
- To communicate service updates. We do not send third-party marketing.
We do not sell personal data. Data imported for a merchant is shown only to that merchant and the staff members they invite. It is never aggregated across customers for advertising purposes, shared with other customers, or sold.
Lawful bases. Where the UK or EU GDPR applies, we process personal data on the basis of performance of a contract (providing the Service to merchants), our legitimate interests (securing and improving the Service), consent where required, and compliance with legal obligations. For shopper data processed on a merchant's behalf, the merchant is the controller and determines the lawful basis.
4. Google user data
Where a merchant connects a Google account (for example Google Ads), WeProfit's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only request read-only reporting scopes and only access campaign names and daily spend figures.
- Google user data is used solely to display the connecting merchant's own advertising spend inside their WeProfit reports — no other use, no advertising targeting, no resale, and no human access except with the merchant's explicit consent, for security purposes, or as required by law.
- A merchant can disconnect a Google account at any time in the Service, which immediately stops all access; stored tokens are deleted and imported spend can be removed on request.
5. Other advertising platforms
The same principles apply to every advertising platform a merchant connects (Meta, TikTok, Pinterest and others): spend import uses read-only reporting access, is used only for that merchant's own reports, is revocable at any time, and is never resold. Separately from spend import, server-side event delivery (Section 2) sends the merchant's own conversion events to the platforms that merchant has configured — it never reads anything from, and never modifies campaigns in, those ad accounts.
6. Storage and security
- Service data is stored on infrastructure controlled by VOLBAK LTD in the European Union.
- Data is encrypted in transit (TLS). Access credentials and API tokens are encrypted at rest (AES-256-GCM).
- Access to production systems is restricted to authorized personnel.
- Transfers between the United Kingdom and the EU/EEA rely on the applicable adequacy decisions; any other international transfer uses appropriate safeguards such as standard contractual clauses.
7. Retention
We retain merchant data while the account is active. When a merchant disconnects an integration, related credentials are deleted immediately. When an account is closed, we delete or irreversibly anonymize its data within 90 days, except where retention is required by law.
8. Sharing
We share data only with: (a) service providers strictly necessary to run the Service (for example cloud hosting), under agreements that limit their use of the data; (b) the advertising platforms a merchant has explicitly configured for server-side event delivery, acting on that merchant's instructions as described in Section 2; and (c) authorities where required by law. We never share data with advertisers for our own purposes, and never with data brokers.
9. Your rights
Depending on your location (including under the UK and EU GDPR), you may have the right to access, correct, export, restrict or delete your personal data. Contact [email protected] and we will respond within 30 days. You may also lodge a complaint with your local data protection authority.
10. Children
The Service is a business tool and is not directed to children under 16. We do not knowingly collect personal data from children.
11. Changes
We may update this policy as the Service evolves. Material changes will be announced to account holders by email or in-product notice, and the "Last updated" date above always reflects the current version.
12. Contact
VOLBAK LTD — [email protected] · volbak.com