NewWeather Demand Modelling is live. Forecast demand before it arrivesWeather Demand Modelling is live
Legal

Privacy Policy

Last updated June 2026

This policy explains how Blufire collects, uses, holds, discloses and protects personal information. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to our website (www.blufire.com.au), our analytics platform, and the services we provide.

1. Who we are

Blufire Pty Ltd (ACN 665 545 282, ABN 14 665 545 282) ("Blufire", "we", "us", "our") provides profit analytics and paid-media services to ecommerce and service businesses, including our subscription analytics and audience-activation platform, Margin OS. Our registered office is in Glen Iris, VIC 3146, and our principal place of business is Unit 2, 8 Bromham Place, Richmond, VIC 3121. We are based in Victoria, Australia, and store the data we hold in Australia.

2. The two kinds of data we handle

It is important to distinguish two categories, because we treat them differently:

3. Personal information we collect

From website visitors, prospects and customers we may collect:

We collect personal information directly from you wherever practicable. Providing it is voluntary, but if you choose not to, we may be unable to respond to you or provide a service.

4. How we use personal information

We use personal information to:

5. Client Data: how the platform connects to your systems

When you are a customer, you connect your own third-party accounts to the platform by authorising access via OAuth or by installing a Blufire-provided application. We process Client Data only to deliver the services you have engaged us for, on your instructions and within the scope you authorise at connection time. We do not sell Client Data, we do not combine one customer's data with another's, and we do not use Client Data to train general-purpose AI models.

Reading and writing. For reporting and analytics, our access is read-only: we ingest the data needed to produce your numbers and do not alter it. Where you enable activation features, the platform also writes on your instruction — for example creating or updating advertising audiences in Google or Meta, or lists, templates or campaigns in Klaviyo. We never send a message, publish, or change a connected account except as you direct through the platform.

5.1 Data we receive from each connected platform

When you authorise a connection we receive only the data within the scopes you grant. We request the minimum scopes needed for the features you use.

PlatformData we receiveWhy
ShopifyOrders and line items; revenue, costs, taxes, shipping, discounts and refunds; products, variants and cost of goods; inventory; customer records (name, email, phone, billing/shipping address, order history); shop configuration.Calculate contribution margin, cost of goods, net revenue and profitability; build customer cohorts and lifetime-value analytics; power audience segments.
KlaviyoProfiles (email, phone, name, location), lists and segments, subscription/consent status, campaign and flow performance, events (e.g. placed order, viewed product).Attribute email/SMS revenue, measure channel contribution to margin, and build or sync audience segments you activate. Consent and subscription status are always respected.
Google AdsCampaign, ad-group, ad and keyword performance (impressions, clicks, cost, conversions, conversion value); account structure; customer-match audience membership status (hashed identifiers only, where you use activation).Measure ad cost and return against margin; compute margin-true ROAS, CAC and LTV:CAC; create and update customer-match audiences from hashed identifiers on your instruction.
Google AnalyticsAggregated and event-level traffic, session and conversion metrics; channel/source/medium attribution; ecommerce events.Attribute sessions and conversions to marketing channels and tie them to margin and customer-value analytics.
Meta (Facebook / Instagram)Ad account, campaign, ad-set and ad performance (spend, impressions, clicks, conversions, conversion value); Custom Audience membership status (hashed identifiers only); pixel/event aggregates.Measure Meta ad cost and return against margin; create and update Custom Audiences from hashed identifiers on your instruction, in line with Meta's Platform Terms.
TikTokAd account, campaign and ad performance (spend, impressions, clicks, conversions, conversion value); audience membership status (hashed identifiers only); conversion event aggregates.Measure TikTok ad cost and return against margin; create and update audiences from hashed identifiers on your instruction, in line with TikTok's developer and advertising policies.

5.2 Shopify Protected Customer Data

Where you connect Shopify, we access Protected Customer Data (including customer personal information) only to provide the analytics and audience features you have enabled. We comply with Shopify's Protected Customer Data requirements, including data minimisation, encryption, access controls, retention limits, and processing customer data only for approved use cases. We action Shopify's data-request and redaction webhooks (see section 10).

5.3 Audience and hashed-identifier handling

Where you use audience activation, customer identifiers such as email or phone are hashed (e.g. SHA-256) before transmissionto the ad platform, consistent with each platform's customer-match requirements. Hashed audience data is used only to create or update the audiences you request, is never used to enrich any other customer's data, and is never sold.

5.4 Google API Limited Use

Margin OS's use and transfer of information received from Google APIs (Google Ads, Google Analytics and any other Google API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide and improve the features you have connected; we do not transfer or sell it except as needed to provide the service, comply with law, or in a merger/acquisition with notice; we do not use it for our own advertising; and we do not allow humans to read it except with your consent, for security/abuse/legal reasons, or where it is aggregated and anonymised.

6. How we hold and protect information

Security is a precondition of our product, not an add-on. Our measures include:

No method of electronic transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security. Full detail of our controls and sub-processors is available in our Trust Center.

7. Disclosure and sub-processors

We do not sell your personal information. We disclose it only as set out in this policy:

Our current sub-processors are listed below and kept up to date in the Trust Center. Each is bound by an agreement requiring confidentiality, security, and processing limited to providing their service to us. Connected platforms you choose to link act as independent controllers or processors under their own terms.

Sub-processorRoleLocation
SupabaseApplication database, authentication, storageAWS ap-southeast-2 (Sydney, Australia)
Fly.ioApplication and compute hostingSydney, Australia
AnthropicAI-assisted analytics features (data sent only as needed; not used to train models)United States
ResendTransactional and notification email deliveryUnited States
StripeSubscription billing and payment processingUnited States / Australia

8. Overseas disclosure

Some of our sub-processors may store or process limited information outside Australia. Before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles. The countries involved, and the purpose, are reflected in our sub-processor list in the Trust Center.

9. Cookies and analytics

We use cookies and similar technologies to remember your preferences, keep you signed in, and understand aggregate website usage. Most of this data does not identify you personally. You can control cookies through your browser settings; disabling them may affect how the site works. Our website may contain links to, or embedded content from, third-party sites that have their own privacy practices, which we encourage you to review.

10. How long we keep information

We keep personal information only as long as needed for the purposes in this policy or as required by law. When information is no longer needed, we take reasonable steps to securely delete or de-identify it.

DataRetention
Connected-platform data (orders, customers, ad metrics, audiences)For your active subscription, then deleted or anonymised within 30 days of account termination, unless a shorter period is required by the source platform
Hashed audience identifiersOnly while needed to maintain the requested audience
Account and user dataFor the life of the account, then deleted within 90 days of termination
Billing and tax records7 years, to meet Australian tax and accounting obligations
Logs and security telemetry12 months

Disconnecting a platform stops further collection from it. On termination you may request export and/or deletion of your data. We honour deletion and redaction requests forwarded from source platforms, including Shopify's customers/redact and shop/redact webhooks, within the required timeframes.

11. Your choices and rights

Under the Australian Privacy Principles, you may:

To make any of these requests, email us at info@blufire.com.au. We will respond within a reasonable time and may need to verify your identity first.

Where we process end-customer data on a customer's behalf (as a processor), end customers should generally direct access and deletion requests to the business they purchased from; if they contact us directly we will, where required, action the request or promptly forward it to that business and assist them in responding.

11.1 European Union / United Kingdom (GDPR)

Where the GDPR or UK GDPR applies, our legal bases are contract, legitimate interests, consent (where required), and legal obligation. You have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time, and may lodge a complaint with your local supervisory authority. For data we process as a processor, please contact the relevant business (controller); we will assist them as required. International transfers rely on appropriate safeguards, including the EU Standard Contractual Clauses and the UK Addendum.

11.2 California (CCPA / CPRA)

California residents have the rights to know/access, delete, and correct personal information, and to opt out of its "sale" or "sharing". We do not sell or share personal information as those terms are defined under the CPRA, and we do not use sensitive personal information beyond permitted business purposes. We do not discriminate against you for exercising these rights. To exercise them, contact info@blufire.com.au; authorised agents may submit requests with proof of authorisation.

12. Complaints

If you have a concern about how we have handled your personal information, please contact us first at info@blufire.com.au so we can try to resolve it. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13. Changes to this policy

We may update this policy to reflect changes in our practices or the law. If we make a material change, we will update the date above and, where appropriate, notify you by email or a notice on our website. We encourage you to review this page periodically.

Contact

Blufire Pty Ltd (ACN 665 545 282, ABN 14 665 545 282)

Registered office: Glen Iris, VIC 3146

Place of business: Unit 2, 8 Bromham Place, Richmond, VIC 3121

info@blufire.com.au · 1300 075 655