Blufire

Margin OS Privacy Policy

Effective date: 2 July 2026  ·  Last updated: 2 July 2026

1. Who we are

Margin OS ("Margin OS", "the Platform", "we", "us", "our") is a multi-tenant, business-to-business software-as-a-service ecommerce contribution-margin analytics and audience-activation platform operated by Blufire Pty Ltd (ABN 14 665 545 282, ACN 665 545 282), a company based in Victoria, Australia with its registered office at 2/8 Bromham Place, Richmond, VIC 3121.

Margin OS connects to the business systems of our merchant customers ("Merchants", "you", "Controllers") and processes data from those systems to deliver margin analytics, reporting, and audience-activation features. In doing so, Margin OS generally acts as a data processor / service provider on behalf of each Merchant, who is the data controller / business for the personal information of its own end customers. Margin OS acts as a controller only for the limited account, billing, and operational data we collect directly about Merchant users (see Section 3.1).

This policy explains what data we collect, why, how we share it, how long we keep it, how it is protected, and the rights available to Merchants and to the end customers whose data we process.

Contact for privacy matters:

2. Scope of this policy

This policy applies to:

Where a Merchant connects a third-party platform, that platform's own privacy policy and terms also apply to the Merchant's relationship with that platform. We process platform data only on the Merchant's instructions and within the scope authorised at connection time.

3. Data we collect and why

All Merchant-derived and platform-derived data is stored and processed on a strictly per-tenant (per-Merchant) basis. We do not sell personal information, and we do not share, pool, blend, or cross-reference one Merchant's data with another Merchant's data for any purpose.

3.1 Data we collect directly (Margin OS as controller)

DataExamplesPurposeLegal basis (GDPR)
Account & identity dataMerchant user name, work email, role, password hash / SSO identifierCreate and secure accounts, authenticate usersContract; legitimate interests
Billing dataCompany name, ABN/VAT, billing contact, plan, invoices (card data handled by our payment processor, not stored by us)Bill for the service, tax complianceContract; legal obligation
Usage & telemetryPages viewed, features used, log timestamps, IP address, device/browser metadataOperate, secure, debug, and improve the PlatformLegitimate interests
Support communicationsEmails, support tickets, correspondenceProvide support, maintain recordsLegitimate interests; contract

3.2 Data we receive from connected platforms (Margin OS as processor)

When a Merchant authorises a connection via OAuth, we receive only the data within the scopes granted. We request the minimum scopes necessary for the features the Merchant uses.

Shopify

Data received: Orders and order line items; order value, costs, taxes, shipping, discounts and refunds; product and variant data and cost of goods; inventory; customer records (name, email, phone, billing/shipping address, order history); store and shop configuration.
Purpose: Calculate contribution margin, cost of goods sold, net revenue, refunds and profitability; build customer cohorts and lifetime-value analytics; power audience segments for activation.
Shopify Protected Customer Data: We access Protected Customer Data (including customer PII) only to provide the analytics and audience features the Merchant has enabled, and we comply with Shopify's Protected Customer Data requirements, including data minimisation, encryption, access controls, retention limits, and opt-out handling.

Klaviyo

Data received: Profiles (email, phone, name, location), lists and segments, subscription/consent status, campaign and flow performance metrics, events (e.g. placed order, viewed product).
Purpose: Attribute email/SMS-driven revenue, measure channel contribution to margin, and build or sync audience segments for activation. Consent and subscription status are respected at all times.

Google Ads

Data received: Campaign, ad group, ad, and keyword performance metrics (impressions, clicks, cost, conversions, conversion value); account and campaign structure; customer-match audience membership status (hashed identifiers only, where the Merchant uses audience activation).
Purpose: Measure advertising cost and return against contribution margin; compute margin-true ROAS, CAC and LTV:CAC; create and update customer-match audiences using hashed customer identifiers supplied under the Merchant's instruction.

Google Analytics

Data received: Aggregated and event-level traffic, session, and conversion metrics; channel/source/medium attribution; ecommerce events.
Purpose: Attribute sessions and conversions to marketing channels and tie them to margin and customer-value analytics.

Meta (Facebook / Instagram) Ads

Data received: Ad account, campaign, ad set and ad performance metrics (spend, impressions, clicks, conversions, conversion value); audience membership status for Custom Audiences (hashed identifiers only); pixel/conversion event aggregates.
Purpose: Measure Meta advertising cost and return against contribution margin; create and update Custom Audiences using hashed customer identifiers on the Merchant's instruction. We use Meta data solely to provide these features to the Merchant and in accordance with Meta's Platform Terms and Developer Policies.

TikTok

Data received: Ad account, campaign and ad performance metrics; audience membership status (hashed identifiers only); conversion event aggregates.
Purpose: Measure TikTok advertising cost and return against contribution margin; create and update audiences using hashed customer identifiers on the Merchant's instruction, in accordance with TikTok's developer and advertising policies.

Audience / hashed data handling (all ad platforms)

Where a Merchant uses audience activation, customer identifiers (such as email or phone) are hashed (e.g. SHA-256) before transmission to the ad platform, consistent with each platform's customer-match requirements. Hashed audience data is processed only to create or update audiences the Merchant has requested, is never used to enrich any other Merchant's data, and is never sold.

3.3 Google API Limited Use disclosure

Margin OS's use and transfer of information received from Google APIs (Google Ads, Google Analytics, and any other Google API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide and improve the user-facing features the Merchant has connected; we do not transfer or sell this data except as necessary to provide the service, comply with law, or as part of a merger/acquisition with appropriate notice; we do not use it for advertising of our own; and we do not allow humans to read the data except with the Merchant's consent, for security/abuse/legal reasons, or where the data is aggregated and anonymised.

4. How we use data (purposes summary)

We process data to: provide the Margin OS analytics, reporting, and audience-activation features; compute contribution margin, profitability, CAC, LTV, ROAS and related metrics; build, sync, and update advertising/ESP audiences on the Merchant's instruction (using hashed identifiers for ad platforms); authenticate users, secure the Platform, and prevent fraud and abuse; provide support and communicate about the service; bill for the service and meet legal/accounting obligations; and monitor, debug, and improve the Platform (using aggregated/operational data).

We do not use Merchant or end-customer personal data to train third-party generative AI models, and we do not permit our sub-processors to use it for their own purposes.

5. We never sell or share data across Merchants

6. Sub-processors

We use the following sub-processors to deliver the service. Each is bound by a data processing agreement requiring confidentiality, security, and processing limited to providing their service to us.

Sub-processorRole / purposeData location
SupabasePrimary application database, authentication, storageAWS ap-southeast-2 (Sydney, Australia)
Fly.ioApplication/compute hosting and executionSydney, Australia
AnthropicAI-assisted analytics/summarisation features (data sent only as needed; not used to train models)United States
ResendTransactional and notification email deliveryUnited States
StripeSubscription billing and payment processingUnited States
Shopify / Klaviyo / Google / Meta / TikTokSource / destination platforms connected by the MerchantPer each platform

An up-to-date list of sub-processors is available on request to info@blufire.com.au. We will provide notice of material changes to our sub-processors as described in our Data Processing Agreement.

7. Data retention

Data categoryRetention period
Connected-platform data (orders, customers, ad metrics, audiences)For the duration of the Merchant's active subscription, then deleted or anonymised within 30 days of account termination, unless a shorter period is required by the source platform (e.g. Shopify Protected Customer Data)
Hashed audience identifiersRetained only as long as needed to maintain the requested audience; refreshed/expired per the ad platform's customer-match requirements
Merchant account & user dataFor the life of the account, then deleted within 90 days of termination
Billing & tax records7 years, to meet Australian tax/accounting obligations
Logs & security telemetry12 months
BackupsEncrypted backups retained on a rolling ~35-day basis, after which deleted data is purged

On termination, a Merchant may request export and/or deletion of its data as described in Section 8. We honour deletion/redaction requests forwarded from source platforms (including Shopify's customers/redact and shop/redact webhooks) within the required timeframes.

8. Access, correction, and deletion (right to be forgotten)

Merchants can access, export, correct, or delete data through the Platform's settings or by contacting info@blufire.com.au. Disconnecting a platform stops further data collection from it; requesting account deletion triggers deletion of the Merchant's tenant data per Section 7.

End customers of a Merchant: because Margin OS processes end-customer data on behalf of the Merchant (the controller), end customers should generally direct access/deletion requests to the Merchant they purchased from. If an end customer contacts us directly at info@blufire.com.au, we will, where required by law, either action the request or promptly forward it to the relevant Merchant and assist them in responding.

To make a request, contact info@blufire.com.au. We will verify your identity (or the requester's authority) before acting and will respond within the timeframe required by applicable law (generally within 30 days under GDPR/CCPA; reasonable timeframes under the Australian Privacy Act). We do not discriminate against anyone for exercising their privacy rights.

9. Security

We implement technical and organisational measures appropriate to the risk, including:

If we become aware of a data breach affecting personal information, we will notify affected Merchants and, where required, regulators and individuals, in accordance with the Australian Notifiable Data Breaches scheme, the GDPR, and other applicable laws.

10. Your rights and our legal bases

10.1 Australia (Privacy Act 1988 / Australian Privacy Principles)

We handle personal information in accordance with the Australian Privacy Principles (APPs). You may request access to and correction of your personal information, and may complain about our handling of it. We will respond within a reasonable period. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10.2 European Union / UK (GDPR / UK GDPR)

Where the GDPR applies, our legal bases are contract, legitimate interests, consent (where required), and legal obligation, as noted in Section 3. You have the rights to: access; rectification; erasure; restriction of processing; data portability; objection; and to withdraw consent at any time. You may lodge a complaint with your local supervisory authority. For data we process as a processor, please contact the relevant Merchant (controller); we will assist them as required.

10.3 California (CCPA / CPRA)

California residents have the rights to know/access, delete, and correct personal information, and to opt out of "sale" or "sharing". We do not sell or share personal information as those terms are defined under the CPRA, and we do not use or disclose sensitive personal information beyond the permitted business purposes. We do not discriminate against you for exercising these rights. To exercise rights, contact info@blufire.com.au.

10.4 Other jurisdictions

We will honour data-protection rights granted by other applicable laws in the jurisdictions where we operate or where our Merchants and their customers are located.

11. Cookies and tracking

Our website and application use cookies and similar technologies for strictly necessary purposes (authentication, security, session management), functional purposes (remembering preferences), and analytics purposes (understanding usage to improve the Platform). We do not use third-party advertising cookies to track you for our own advertising. Where required (e.g. EU/UK), we obtain consent for non-essential cookies, and you can manage preferences via your browser settings.

12. Children's data

Margin OS is a B2B product not directed to children. We do not knowingly collect personal information from children under 16 (or the applicable age of digital consent in your jurisdiction). Any end-customer data processed on a Merchant's behalf is collected by the Merchant under its own terms; if we become aware that we hold a child's data without a lawful basis, we will delete it.

13. International data transfers

Margin OS is operated from Australia, with primary data residency in Australia (Sydney), and data may also be processed in other countries where our sub-processors operate (which may include the United States and the EU). Where we transfer personal data internationally, we rely on appropriate safeguards, including the EU Standard Contractual Clauses (and UK Addendum) and equivalent mechanisms, and we take steps consistent with the Australian Privacy Principles (APP 8) to ensure transferred data is protected. Details of safeguards are available on request at info@blufire.com.au.

14. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date and notify Merchants by email and/or an in-app notice before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy, except where additional consent is required by law.

15. Contact us

For any privacy question, request, or complaint:

If you are in Australia and are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC), oaic.gov.au. If you are in the EU/UK, you may contact your local data protection supervisory authority.