Privacy Policy
Effective date: April 24, 2026 Last updated: April 24, 2026
Ballfield ("Ballfield," "we," "us," or "our") operates ballfield.io and related services that help ecommerce teams analyze and act on data from platforms like Shopify, Meta Ads, and Gorgias. This Privacy Policy explains what we collect, how we use it, and the choices you have.
If you have questions, email privacy@ballfield.io.
1. Who this policy covers
This policy applies to:
- Visitors to ballfield.io
- Users who sign up for a Ballfield account
- Customers who connect third-party platforms (Shopify, Meta Ads, Gorgias, etc.) to Ballfield
It does not cover third-party sites or services you reach through links from Ballfield.
2. Information we collect
2.1 Information you give us
- Account information: name, email address, password (hashed), and company name when you sign up.
- Billing information: handled by our payment processor, Stripe. We don't store full card numbers on our servers.
- Support and communications: messages you send us by email or in-app.
2.2 Information from platforms you connect
When you connect a third-party platform, we access data through that platform's official API using the permissions you grant during OAuth. Specifically:
- Shopify: store profile, orders, products, customers, and related metadata needed to generate insights and reports.
- Meta Ads (Facebook/Instagram): ad accounts, campaigns, ad sets, ads, creative, performance metrics, and Pages you manage (see the Meta-specific section below for detail).
- Gorgias: tickets, conversations, customer records, tags, and related metadata.
We only request the scopes needed to deliver the features you use.
2.3 Information we collect automatically
- Usage data: pages viewed, features used, timestamps, and basic device/browser information.
- Log data: IP address, request metadata, and error logs for security and debugging.
- Cookies and similar technologies: see the Cookies section below.
We do not sell your personal information, and we do not use your connected platform data to train public or third-party AI models.
3. How we use information
We use the information above to:
- Provide, operate, and improve Ballfield's features
- Authenticate you and secure your account
- Generate the analytics, summaries, and recommendations you request
- Communicate with you about your account, product updates, and support
- Process payments and manage your subscription
- Detect, prevent, and investigate abuse, fraud, and security issues
- Comply with legal obligations
3.1 AI processing
Ballfield uses large language models to produce summaries, insights, and recommendations. When generating these outputs, relevant portions of your data may be sent to our AI providers (OpenAI, Anthropic, OpenRouter) under contracts that prohibit those providers from using your data to train their general-purpose models. We only send the data needed for the task, and we don't use your data to train our own models without your explicit consent.
4. Third-party processors (subprocessors)
We use the following service providers to operate Ballfield. Each is contractually bound to protect your data and only use it to provide services to us.
| Provider | Purpose |
|---|---|
| Vercel | Application hosting and edge delivery |
| Neon | Managed Postgres database |
| Clerk | Authentication and session management |
| Resend | Transactional email delivery |
| Stripe | Payment processing and billing |
| OpenAI | AI model inference |
| Anthropic | AI model inference |
| OpenRouter | AI model routing and inference |
We'll update this list as our vendor stack evolves. Material changes will be reflected in the "Last updated" date above.
5. Meta (Facebook/Instagram) data
This section describes how Ballfield handles data accessed through Meta's Graph API and Marketing API. It applies in addition to the rest of this policy.
5.1 Permissions we request
Depending on the features you enable, Ballfield may request the following Meta permissions:
ads_read— read ad account performance dataads_management— read and, where you explicitly direct, manage ad objects (campaigns, ad sets, ads, budgets)business_management— read Business Manager assets you've granted us access topages_show_list,pages_read_engagement,pages_manage_metadata,pages_manage_ads— access Pages you manage for reporting and, where you direct, ads-related management
We request the minimum scopes needed for the features you use. You can revoke access at any time from your Meta Business settings.
5.2 What we do — and don't — do with Meta data
- We read ad performance and Page data to generate reports, insights, and recommendations inside Ballfield.
- We do not post, publish, comment, or send messages from your Meta accounts or Pages.
- We do not create, pause, or modify campaigns, ad sets, or ads without an explicit action you take in Ballfield (for example, clicking "apply recommendation" or "pause ad").
- We do not share Meta data with advertisers, data brokers, or unrelated third parties.
- We do not use Meta data to build profiles for purposes unrelated to the services you've signed up for.
5.3 Meta User IDs and identifiers
If Meta provides user-level identifiers (such as Meta User IDs) as part of API responses, we store them only where needed to link data to your account and to honor deletion requests. We do not attempt to re-identify end users from hashed or obfuscated Meta identifiers.
5.4 Data deletion and deauthorization
You can disconnect Meta from Ballfield at any time from your Ballfield account settings, or by removing Ballfield from your Meta Business Integrations. When you disconnect or deauthorize Ballfield:
- We stop accessing your Meta data.
- We delete Meta-sourced data associated with your account within 30 days, except where we're required to retain records for legal, tax, or security reasons.
Meta sends deauthorization and data deletion callbacks to our endpoint:
https://ballfield.io/meta/data-deletion
This endpoint handles Meta's Data Deletion Request Callback and returns a confirmation code and status URL you can use to track the deletion, per Meta Platform Terms. You can also request deletion directly by emailing privacy@ballfield.io.
6. Data retention
- Account data: retained while your account is active, and for up to 90 days after account closure to handle billing, disputes, and legal obligations.
- Connected platform data (Shopify, Meta, Gorgias, etc.): retained while the integration is connected. Deleted within 30 days after you disconnect the integration or close your account, except where longer retention is required by law.
- Logs and security data: typically retained for up to 12 months.
- Backups: data in backups is overwritten on a rolling basis and deleted according to our backup retention schedule.
If you request deletion, we'll honor it on the timelines above and confirm when it's complete.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your data
- Port your data to another service
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email privacy@ballfield.io. We'll respond within the timeframes required by applicable law (typically 30–45 days).
7.1 GDPR (EEA/UK users)
If you're in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Contract: to provide the services you've signed up for
- Legitimate interests: to secure, improve, and operate Ballfield, where those interests are not overridden by your rights
- Consent: where required (for example, certain cookies)
- Legal obligation: to comply with applicable law
Ballfield is the data controller for account data. For data you connect from third-party platforms, we act as a data processor on your behalf. International transfers of personal data from the EEA/UK to the United States are covered by Standard Contractual Clauses or equivalent safeguards.
7.2 CCPA/CPRA (California users)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise your rights, email privacy@ballfield.io. We will not discriminate against you for exercising them.
8. Cookies and similar technologies
We use a small number of cookies and similar technologies for:
- Strictly necessary: authentication, session management, and security (set by Clerk and our own app).
- Functional: remembering preferences (e.g., timezone, UI state).
- Analytics: understanding aggregate product usage so we can improve Ballfield.
We do not use advertising cookies or cross-site tracking pixels on ballfield.io. You can control cookies through your browser settings; blocking strictly necessary cookies may break core functionality.
9. Security
We take reasonable and appropriate measures to protect your data, including encryption in transit (TLS), encryption at rest for our primary database, scoped access controls, audit logging, and regular review of our vendors. No system is perfectly secure — if you believe your account has been compromised, email privacy@ballfield.io immediately.
10. Children's privacy
Ballfield is not directed to children under 16, and we don't knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we'll delete it.
11. Changes to this policy
We may update this policy as our product and legal obligations evolve. When we make material changes, we'll update the "Effective date" above and, where appropriate, notify you by email or in-app notice. Continued use of Ballfield after changes take effect constitutes acceptance of the revised policy.
12. Contact
Ballfield Privacy contact: privacy@ballfield.io
For Meta-related data requests, including deauthorization and deletion, you can also use our endpoint at https://ballfield.io/meta/data-deletion or email us directly.