How Bamzal collects, uses, shares, and protects your information.
Last updated: June 19, 2026
Bamzal Ltd. ("Bamzal," "we," "us," or "our") operates the Bamzal platform, a Shopify embedded application and the related service available at bamzal.com (the "Service"). This application is registered with Meta (Facebook & Instagram) under our verified business, Vitan Yazmut (Meta Business ID 1407762770230426). This Privacy Policy explains what data we access, process, store, and share, why, and the choices and rights available to you. It is incorporated into our Terms of Service. For deletion of Meta-derived data, see our Data Deletion page.
By using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
For most data we handle on a merchant's behalf — including store data and the merchant's customer records — the merchant is the data controller and Bamzal acts as a processor following the merchant's instructions and our agreement. For our own account, billing, security, and product-improvement purposes, and for data we collect independently (such as public market and competitor signals), we act as a controller. Merchants are responsible for having a lawful basis for the processing they direct, and for the notices and consents their own customers and any third parties require.
Depending on the features you enable, the Service may process and store personal data of your customers and prospects — for example derived analytics and scores (lifetime value, churn risk, segments), lead-form submissions captured from connected platforms (which can include names, emails, and phone numbers), CRM records you connect, and messages handled through supported channels.
When you connect a platform via its official OAuth flow, we store the connection details and an encrypted token or API credential, plus the relevant account, page, pixel, business, or ad-account identifiers, and the campaign/performance data needed to operate and report on your behalf. Supported networks include Google Ads, Meta (Facebook & Instagram), TikTok, Pinterest, X, LinkedIn, and Microsoft Advertising.
To provide competitive intelligence and market insight, the Service collects publicly available information about competitors, influencers/creators, and public social and search activity (for example public listings, ads in public ad libraries, public social profiles and posts, prices, and reviews). This can include personal data of people who are not your customers. We apply a confidentiality boundary and minimum-cohort safeguards and use this data only to generate insight.
We process pages visited, features used, performance and error data, browser type, IP address, device, and operating system, for operating, securing, debugging, and improving the Service.
Legal bases (where GDPR/UK GDPR applies): performance of our contract; our legitimate interests in operating, securing, and improving the Service and providing competitive insight; legal obligations; and consent where required.
We rely on third-party providers ("sub-processors") and share only the data needed for each provider's purpose. The specific providers active for your account depend on your plan, configuration, and connected platforms. Categories include:
We do not sell your personal data. AI providers process inputs to return a result; their retention and use are governed by their own terms and, where applicable, agreements limiting use of your data to providing the service. An up-to-date sub-processor list is available on request.
When you enable conversion tracking, the Service may send server-side conversion events to advertising platforms (Meta, TikTok, Pinterest, LinkedIn, Microsoft, and Google). To match these events, customer identifiers such as email, phone, name, and location are cryptographically hashed (SHA-256) before transmission, and technical signals such as IP address and user agent may be transmitted as the platform requires. As the controller of your customer data, you are responsible for the disclosures and consents this sharing requires under applicable law.
To improve the Service for all merchants, we generate aggregated, statistical, and de-identified insights and model improvements that may draw on data across stores. These pooled insights are designed not to identify any individual or expose any single merchant's confidential data, and we apply minimum-cohort thresholds. Aggregated and de-identified data is not treated as your personal data and may be retained to operate and improve the Service.
We do not sell, rent, or trade your personal information or business data for others' marketing. We share data only with the sub-processors above to provide the Service, with the platforms you connect as you direct, in connection with a merger or acquisition (subject to this policy), and where required by law, subpoena, or legal process, or to protect rights and safety.
When you connect Google services (Google Ads, GA4, Merchant Center, Search Console, PageSpeed, or YouTube), Bamzal's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We use Google user data only to provide and improve the features you enabled, do not sell it, do not use it for advertising unrelated to those features, and do not allow humans to read it except as permitted by that policy.
Where we access Shopify Protected Customer Data, we comply with Shopify's Protected Customer Data requirements: we access and store only the data needed to provide the features you use (data minimization), encrypt it, apply retention limits and the deletion paths below, honor opt-outs and consent signals you configure, maintain this privacy policy and our data-protection practices, and review our use of such data.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we use commercially reasonable measures to protect your data.
Subject to applicable law (including the GDPR/UK GDPR and U.S. state privacy laws such as the CCPA/CPRA), you and, where relevant, your customers may have the right to access, correct, delete, port, restrict, or object to processing of personal data, and to withdraw consent. We do not sell or "share" personal data for cross-context behavioral advertising as defined under U.S. state laws. To exercise rights regarding data we hold as controller, contact us at legal@bamzal.com; we respond within 30 days. Where the merchant is the controller (for example, regarding their own customers), requests should be directed to the merchant, and we assist as their processor. You can also disconnect any platform or uninstall the app at any time to revoke access.
We operate from Israel and use sub-processors in various countries, including the United States and the European Union. Where personal data is transferred across borders, we rely on appropriate safeguards such as adequacy decisions (Israel benefits from an EU adequacy decision) and Standard Contractual Clauses or equivalent mechanisms with our sub-processors. Our Data Processing Addendum governs personal data we process on a merchant's behalf. Where we are required to designate an EU/UK representative under Article 27 GDPR, we will appoint one and identify them here; for any data-protection matter, contact legal@bamzal.com.
The Service is a business tool not directed to individuals under 18, and we do not knowingly collect personal data from children. Merchants must not use the Service to process the data of children in violation of applicable law. We do not intentionally collect special categories of personal data (such as health, biometric, or government-ID data); please do not submit such data through the Service.
Inside the embedded app we use strictly-necessary cookies and session tokens for authentication and security, not advertising or cross-site tracking cookies. The Bamzal website (bamzal.com) may use strictly-necessary cookies plus, where you consent as required, analytics and content-delivery providers (for example, web fonts, product analytics, and session-quality tools). You can control cookies through your browser settings; blocking strictly-necessary cookies may break core functionality. Advertising platforms you connect may set their own cookies or pixels on your storefront under your control and their policies.
The Service uses automated processing and artificial intelligence to analyze data, generate recommendations, and — where you enable it — take actions within the limits you configure. These automated actions operate on your store and advertising and remain subject to your settings, approval controls, and your ability to pause, override, and reverse them. We do not use this automation to make decisions producing legal or similarly significant effects about your individual customers without a lawful basis; you remain responsible, as controller, for any automated processing of your customers' data, and you or an affected individual may request human review or contest an automated decision by contacting legal@bamzal.com.
If you are covered by a U.S. state privacy law (such as the CCPA/CPRA, or the Virginia, Colorado, Connecticut, or Utah acts): the categories of personal information we may process include identifiers (e.g., name, email, phone, IP address), commercial information (orders and transactions), internet or network activity, geolocation, and inferences, collected from you, your Shopify store and connected platforms, and public sources, for the business purposes described above. We do not sell personal information and do not "share" it for cross-context behavioral advertising. Subject to law, you may request to know, access, delete, or correct personal information, and to opt out, without unlawful discrimination for exercising these rights. To make a request, contact legal@bamzal.com; where the merchant is the controller, we route or assist the request as their processor.
We may update this Privacy Policy from time to time. We will post the updated policy here and update the "Last updated" date, and where appropriate request your acknowledgement in the app.