Privacy Policy
Last updated June 2026
This policy explains how Blufire collects, uses, holds, discloses and protects personal information. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to our website (www.blufire.com.au), our analytics platform, and the services we provide.
1. Who we are
Blufire Pty Ltd (ACN 665 545 282, ABN 14 665 545 282) ("Blufire", "we", "us", "our") provides profit analytics and paid-media services to ecommerce and service businesses, including our subscription analytics and audience-activation platform, Margin OS. Our registered office is in Glen Iris, VIC 3146, and our principal place of business is Unit 2, 8 Bromham Place, Richmond, VIC 3121. We are based in Victoria, Australia, and store the data we hold in Australia.
2. The two kinds of data we handle
It is important to distinguish two categories, because we treat them differently:
- Personal information you give us as a website visitor, prospect or customer (for example, when you book a demo, contact us, or subscribe). We are the controller of this information and this policy governs it.
- Client Datathat an existing customer connects to the platform from their own systems (for example, Shopify, Google Ads or analytics accounts). We access this on the customer's instructions and on their behalf, as a processor. Our handling of Client Data is governed by our customer agreement and Data Processing terms, not this website policy. See section 6.
3. Personal information we collect
From website visitors, prospects and customers we may collect:
- Contact information: name, business email address, phone number, and the company you represent.
- Business information: company name, size, industry, role, and the goals you describe to us.
- Account and billing information where you become a customer (managed through our payment provider; we do not store full card numbers ourselves).
- Usage and device information: IP address, browser type, pages visited, referring and exit pages, and similar analytics data, collected through cookies and similar technologies (see section 9).
We collect personal information directly from you wherever practicable. Providing it is voluntary, but if you choose not to, we may be unable to respond to you or provide a service.
4. How we use personal information
We use personal information to:
- respond to enquiries, demos, and support requests;
- provide, operate, secure and improve our services;
- manage your account and process billing;
- send service communications and, where permitted, relevant marketing (you can opt out at any time, see section 11);
- understand how our website and services are used; and
- meet our legal, regulatory and contractual obligations.
5. Client Data: how the platform connects to your systems
When you are a customer, you connect your own third-party accounts to the platform by authorising access via OAuth or by installing a Blufire-provided application. We process Client Data only to deliver the services you have engaged us for, on your instructions and within the scope you authorise at connection time. We do not sell Client Data, we do not combine one customer's data with another's, and we do not use Client Data to train general-purpose AI models.
Reading and writing. For reporting and analytics, our access is read-only: we ingest the data needed to produce your numbers and do not alter it. Where you enable activation features, the platform also writes on your instruction — for example creating or updating advertising audiences in Google or Meta, or lists, templates or campaigns in Klaviyo. We never send a message, publish, or change a connected account except as you direct through the platform.
5.1 Data we receive from each connected platform
When you authorise a connection we receive only the data within the scopes you grant. We request the minimum scopes needed for the features you use.
| Platform | Data we receive | Why |
|---|---|---|
| Shopify | Orders and line items; revenue, costs, taxes, shipping, discounts and refunds; products, variants and cost of goods; inventory; customer records (name, email, phone, billing/shipping address, order history); shop configuration. | Calculate contribution margin, cost of goods, net revenue and profitability; build customer cohorts and lifetime-value analytics; power audience segments. |
| Klaviyo | Profiles (email, phone, name, location), lists and segments, subscription/consent status, campaign and flow performance, events (e.g. placed order, viewed product). | Attribute email/SMS revenue, measure channel contribution to margin, and build or sync audience segments you activate. Consent and subscription status are always respected. |
| Google Ads | Campaign, ad-group, ad and keyword performance (impressions, clicks, cost, conversions, conversion value); account structure; customer-match audience membership status (hashed identifiers only, where you use activation). | Measure ad cost and return against margin; compute margin-true ROAS, CAC and LTV:CAC; create and update customer-match audiences from hashed identifiers on your instruction. |
| Google Analytics | Aggregated and event-level traffic, session and conversion metrics; channel/source/medium attribution; ecommerce events. | Attribute sessions and conversions to marketing channels and tie them to margin and customer-value analytics. |
| Meta (Facebook / Instagram) | Ad account, campaign, ad-set and ad performance (spend, impressions, clicks, conversions, conversion value); Custom Audience membership status (hashed identifiers only); pixel/event aggregates. | Measure Meta ad cost and return against margin; create and update Custom Audiences from hashed identifiers on your instruction, in line with Meta's Platform Terms. |
| TikTok | Ad account, campaign and ad performance (spend, impressions, clicks, conversions, conversion value); audience membership status (hashed identifiers only); conversion event aggregates. | Measure TikTok ad cost and return against margin; create and update audiences from hashed identifiers on your instruction, in line with TikTok's developer and advertising policies. |
5.2 Shopify Protected Customer Data
Where you connect Shopify, we access Protected Customer Data (including customer personal information) only to provide the analytics and audience features you have enabled. We comply with Shopify's Protected Customer Data requirements, including data minimisation, encryption, access controls, retention limits, and processing customer data only for approved use cases. We action Shopify's data-request and redaction webhooks (see section 10).
5.3 Audience and hashed-identifier handling
Where you use audience activation, customer identifiers such as email or phone are hashed (e.g. SHA-256) before transmissionto the ad platform, consistent with each platform's customer-match requirements. Hashed audience data is used only to create or update the audiences you request, is never used to enrich any other customer's data, and is never sold.
5.4 Google API Limited Use
Margin OS's use and transfer of information received from Google APIs (Google Ads, Google Analytics and any other Google API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide and improve the features you have connected; we do not transfer or sell it except as needed to provide the service, comply with law, or in a merger/acquisition with notice; we do not use it for our own advertising; and we do not allow humans to read it except with your consent, for security/abuse/legal reasons, or where it is aggregated and anonymised.
6. How we hold and protect information
Security is a precondition of our product, not an add-on. Our measures include:
- Data residency in Australia. The data we hold is stored in Australia.
- Per-tenant isolation.Customer data is kept logically separated so it is not co-mingled with other customers' data.
- Encryption of data in transit and at rest, access controls, and least-privilege access for our team.
- Read-only ingestion from connected sources, and no large-language models in the path that computes your reported numbers.
- A program of independent assurance: our controls are aligned with the SOC 2 Type 2 framework, and our underlying infrastructure providers are independently certified to recognised standards (including SOC 2 and ISO 27001).
No method of electronic transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security. Full detail of our controls and sub-processors is available in our Trust Center.
7. Disclosure and sub-processors
We do not sell your personal information. We disclose it only as set out in this policy:
- to service providers and sub-processors who help us run our business (for example, hosting, infrastructure, email and payment providers), who may only use it to provide services to us under obligations of confidentiality and security. Our current sub-processors are listed in the Trust Center;
- where required or authorised by law (for example, a subpoena or lawful government request);
- to protect our rights, your safety, or the safety of others, or to investigate fraud;
- in connection with a merger, acquisition or sale of assets, in which case we will notify you of any change in who controls your information; and
- with your consent.
Our current sub-processors are listed below and kept up to date in the Trust Center. Each is bound by an agreement requiring confidentiality, security, and processing limited to providing their service to us. Connected platforms you choose to link act as independent controllers or processors under their own terms.
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Application database, authentication, storage | AWS ap-southeast-2 (Sydney, Australia) |
| Fly.io | Application and compute hosting | Sydney, Australia |
| Anthropic | AI-assisted analytics features (data sent only as needed; not used to train models) | United States |
| Resend | Transactional and notification email delivery | United States |
| Stripe | Subscription billing and payment processing | United States / Australia |
8. Overseas disclosure
Some of our sub-processors may store or process limited information outside Australia. Before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles. The countries involved, and the purpose, are reflected in our sub-processor list in the Trust Center.
9. Cookies and analytics
We use cookies and similar technologies to remember your preferences, keep you signed in, and understand aggregate website usage. Most of this data does not identify you personally. You can control cookies through your browser settings; disabling them may affect how the site works. Our website may contain links to, or embedded content from, third-party sites that have their own privacy practices, which we encourage you to review.
10. How long we keep information
We keep personal information only as long as needed for the purposes in this policy or as required by law. When information is no longer needed, we take reasonable steps to securely delete or de-identify it.
| Data | Retention |
|---|---|
| Connected-platform data (orders, customers, ad metrics, audiences) | For your active subscription, then deleted or anonymised within 30 days of account termination, unless a shorter period is required by the source platform |
| Hashed audience identifiers | Only while needed to maintain the requested audience |
| Account and user data | For the life of the account, then deleted within 90 days of termination |
| Billing and tax records | 7 years, to meet Australian tax and accounting obligations |
| Logs and security telemetry | 12 months |
Disconnecting a platform stops further collection from it. On termination you may request export and/or deletion of your data. We honour deletion and redaction requests forwarded from source platforms, including Shopify's customers/redact and shop/redact webhooks, within the required timeframes.
11. Your choices and rights
Under the Australian Privacy Principles, you may:
- Access the personal information we hold about you, and correct it if it is inaccurate, out of date or incomplete;
- Opt out of marketing at any time, using the unsubscribe link in our emails or by contacting us; and
- Ask us to delete your information or close your account, subject to any records we are required to retain.
To make any of these requests, email us at info@blufire.com.au. We will respond within a reasonable time and may need to verify your identity first.
Where we process end-customer data on a customer's behalf (as a processor), end customers should generally direct access and deletion requests to the business they purchased from; if they contact us directly we will, where required, action the request or promptly forward it to that business and assist them in responding.
11.1 European Union / United Kingdom (GDPR)
Where the GDPR or UK GDPR applies, our legal bases are contract, legitimate interests, consent (where required), and legal obligation. You have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time, and may lodge a complaint with your local supervisory authority. For data we process as a processor, please contact the relevant business (controller); we will assist them as required. International transfers rely on appropriate safeguards, including the EU Standard Contractual Clauses and the UK Addendum.
11.2 California (CCPA / CPRA)
California residents have the rights to know/access, delete, and correct personal information, and to opt out of its "sale" or "sharing". We do not sell or share personal information as those terms are defined under the CPRA, and we do not use sensitive personal information beyond permitted business purposes. We do not discriminate against you for exercising these rights. To exercise them, contact info@blufire.com.au; authorised agents may submit requests with proof of authorisation.
12. Complaints
If you have a concern about how we have handled your personal information, please contact us first at info@blufire.com.au so we can try to resolve it. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
13. Changes to this policy
We may update this policy to reflect changes in our practices or the law. If we make a material change, we will update the date above and, where appropriate, notify you by email or a notice on our website. We encourage you to review this page periodically.
Blufire Pty Ltd (ACN 665 545 282, ABN 14 665 545 282)
Registered office: Glen Iris, VIC 3146
Place of business: Unit 2, 8 Bromham Place, Richmond, VIC 3121
info@blufire.com.au · 1300 075 655