Privacy Policy

Last updated: May 15, 2026

Mi LLC ("we", "us", or "our") operates the SaaS service TrueSource (the "Service"). This Privacy Policy explains how we collect, use, and protect personal information in connection with the Service.

1. Operator

  • Operator: Mi LLC (合同会社ミィ), Japan
  • Contact: team@truesource.jp
  • Service URL: https://truesource.jp / https://app.truesource.jp

2. Information We Collect

2.1 From Customers (merchants who contract for the Service)

  • Account information: email address, store domain
  • Authentication tokens: Shopify Admin API tokens, Google Analytics 4 OAuth refresh tokens, and OAuth tokens for advertising platforms (future). All such tokens are stored encrypted (AES-GCM) at rest.

2.2 From End Users (visitors of the Customer's online store)

Through our tracking tag, we collect:

  • Anonymous visitor ID stored in a cookie (no personally identifying information)
  • URL viewed, referrer, user agent string
  • UTM parameters and ad click IDs (gclid, fbclid, etc.)
  • SHA-256-hashed email address at the moment of purchase

2.3 Order Information via Shopify Webhook

  • Order number, product details, amount, shipping information (name, address, phone), and email address
  • This information is transmitted by the Customer's Shopify account to us. The Customer is responsible for obtaining any necessary consent from their End Users.

2.4 From Connected SaaS Platforms

  • Google Analytics 4: session counts, channel-level traffic, and other aggregated reporting data (no personal information)
  • Google Ads, Meta Ads (future): campaign-level cost, impressions, clicks, and conversions (no personal information)

3. Purposes of Use

We use collected information solely for providing the Service and for:

  • Attribution (traffic source) analysis and visualization
  • Calculation and display of advertising performance metrics such as ROAS and CPA
  • Customer support and technical incident response
  • Service improvement

4. Disclosure to Third Parties and Sub-processors

4.1 Third-Party Disclosure

We do not disclose collected information to third parties other than the Customer, except as required by law.

4.2 Sub-processors

We use the following cloud services to provide the Service:

  • Cloudflare, Inc. (USA): application infrastructure, database (D1), key-value store
  • Google LLC (USA): Google Analytics 4 API, Google Ads API (future)
  • Meta Platforms, Inc. (USA): Meta Marketing API (future)
  • Shopify Inc. (Canada): the e-commerce platform used by Customers

Where transfer outside Japan occurs, we implement appropriate safeguards.

5. Retention

  • Event data and order data: 13 months
  • Authentication tokens: until the Customer disconnects (deleted promptly thereafter)
  • Aggregated, non-identifying statistics: indefinite

6. User Rights

Customers and End Users may request access, correction, or deletion of information we hold about them. Contact: team@truesource.jp

7. Cookies

The Service sets the following cookie on End Users' browsers:

  • _ts_vid (visitor identification, on the track.truesource.jp domain, 13-month expiry)

End Users may disable cookies via their browser settings.

8. Security

  • All communications are encrypted via HTTPS
  • Authentication tokens (including OAuth refresh tokens) are stored encrypted with AES-GCM
  • Access is restricted to authorized system administrators and the Service API

9. Use of Google API Services

The Service uses Google API Services and complies with the Google API Services User Data Policy, including the Limited Use requirements. Information obtained from Google is used only for the purposes disclosed in this Privacy Policy. We do not use such data for advertising targeting, transfer it to third parties, or allow humans to read it except as needed for support, security, or compliance.

10. Handling of Google Ads API Data

When the Service connects to the Google Ads API, it does so based on the Customer's explicit authorization (OAuth) and retrieves aggregated data from that Customer's own advertising account (such as campaign- and ad-group-level cost, impressions, clicks, and conversions). We handle this data as follows:

  • Collection: We retrieve data only from advertising accounts the Customer has authorized via OAuth. We do not collect names, contact details, or other personal information.
  • Use: We use it solely to calculate and display advertising performance metrics (such as ROAS, CPA, and ad-cost ratio) in that Customer's dashboard.
  • Storage: OAuth tokens are stored encrypted with AES-GCM, and retrieved aggregate data follows the retention periods in Section 5. Tokens are deleted promptly once the Customer disconnects.
  • No third-party disclosure: We never provide, sell, or transfer Google Ads data to any third party other than the relevant Customer. We do not reuse it for advertising targeting or to train machine-learning models.

This handling complies with the Google API Services User Data Policy (including the Limited Use requirements) referenced in Section 9.

11. Updates to This Policy

This Privacy Policy may be updated from time to time. Material changes will be communicated through the Service.

Contact

Questions or requests: team@truesource.jp


Related: Terms of Service