Legal

Privacy, written like we mean it.

Headless Builds exists to measure commerce without surveilling shoppers. This policy explains what we touch, why we touch it, and how little of it we keep.

Last updated — May 2026

The short version

We process attribution events on behalf of our customers, the merchants who run stores on Headless Builds. For those events we are a processor, not the owner. We never sell data, never build cross-site profiles, and never share a shopper's journey between two merchants.

What we collect

For merchants: account email, name, billing details handled by Stripe, and the configuration of your connected stores. For shopperson a customer's store: a first-party identifier scoped to that single domain, the marketing channel of each visit, and the order it eventually converted to. No names, no emails, no fingerprints.

What we never do

We do not set third-party cookies, we do not run device fingerprinting, and we do not enrich shopper records with data bought from anyone. Identity stays inside the store that created it.

Retention

Raw touch events roll off after 25 months by default. Aggregated, non-identifying attribution metrics may be kept longer so your historical reports stay intact. Delete a store and its underlying events are purged within 30 days.

Your rights

Shoppers can exercise access and deletion requests through the merchant they interacted with; we honor those requests as a processor. Merchants can export or delete their entire workspace at any time. Questions go to our privacy desk.