ARCHITECTURE v1

How the recovery layer works.

Your storefront stays untouched. Every purchase reaches every ad platform you run — no gaps, no dashboards to maintain, no decisions made on your behalf.

System map — how the recovery layer sits between your store and your ad platforms. Your store sends a signed purchase event to the recovery layer. The recovery layer acknowledges in under one hundred milliseconds, then forwards one enriched event to your ad platforms while streaming safe log lines to your operations.

Lanes: Your store, Your ad platforms, Your operations.

Every purchase that lands on your store flows through one short, managed path — and nothing else is kept.
  1. signed purchase event: Your store → The recovery layer
  2. 200 ok (under 100 ms): The recovery layer → Your store
  3. forward enriched event: The recovery layer → Your ad platforms
  4. accepted / error: Your ad platforms → The recovery layer
  5. on failure only: The recovery layer → Your operations
  6. streams safe log lines: The recovery layer → Your operations

01 Edge guard
Drops obvious junk before anything else runs.
02 Validate + ack
Verifies the request is signed, then returns 200 ok in under 100 ms.
03 Enrich + forward
In the background: normalises, hashes, and forwards one event.
04 Per-store config
One long-lived entry per store; read on every request.
05 Click bridge
A seven-day short-lived record that stitches the ad click to the purchase.

  • Solid line — authenticated connection over the public internet
  • Dashed line — internal binding inside the same account
  • Shield — edge guard applies here
  • Timer — the record carries an auto-expiry

The lifecycle

From click to confirmation, in four phases.

From the moment a shopper clicks Buy to the moment your ad platform sees the event — every step we run.

  1. Capture

    Your store fires the purchase. A signed message arrives at our edge. We read the raw bytes so the signature can be verified exactly as your store sent it.

  2. Validate + ack

    We verify the signature, check the event type and the store domain, and reply 200 ok inside 100 ms — so your store never retries or unsubscribes.

  3. Enrich

    In the background we normalise names, emails, phones and addresses, hash every personal field so it cannot be read, and pair the order with the stored click signal.

  4. Forward

    We post one enriched event to your ad platform, log the outcome, and alert your channel only if forwarding fails. Nothing is kept afterwards.
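
The capture, validate and enrich phases above, as an added example (not the vendor's code). The page does not name the signature scheme or the hash, so HMAC-SHA256 with a base64 signature and SHA-256 field hashing are assumptions, as are the secret, domain, field names and the 401 status.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; none of these come from the page.
SECRET = b"constructed-shared-secret"
ALLOWED_DOMAIN = "shop.example"
ALLOWED_EVENTS = {"purchase"}
SAMPLE_BODY = b'{"id": 1001, "email": " Ada@Example.com ", "phone": "+1 (555) 010-0000"}'


def sign(raw: bytes, secret: bytes = SECRET) -> str:
    """What the store side computes (assumed: HMAC-SHA256 over the body, base64)."""
    return base64.b64encode(hmac.new(secret, raw, hashlib.sha256).digest()).decode()


def validate(raw: bytes, signature: str, event_type: str, domain: str) -> bool:
    """Phase 2: check the signature over the exact bytes received, before any
    JSON parsing, using a constant-time comparison; then check type and domain."""
    if not hmac.compare_digest(sign(raw).encode(), signature.encode()):
        return False
    return event_type in ALLOWED_EVENTS and domain == ALLOWED_DOMAIN


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def enrich(raw: bytes) -> dict:
    """Phase 3: normalise first, then hash, so equal inputs give equal digests.
    Raw personal values stay local to this function and are never logged."""
    order = json.loads(raw)
    email = order["email"].strip().lower()
    phone = "".join(ch for ch in order["phone"] if ch.isdigit())
    return {"order_id": order["id"], "em": sha256_hex(email), "ph": sha256_hex(phone)}


def handle(raw: bytes, signature: str, event_type: str, domain: str):
    """Returns (status, event). An unverified body never reaches the parser.
    In a real deployment the 200 is sent first and enrich() runs afterwards."""
    if not validate(raw, signature, event_type, domain):
        return 401, None  # assumed status for a failed check
    return 200, enrich(raw)
```

Parsing and re-serialising the body before verification changes its bytes, so the same signature no longer matches; that is why the check runs on the raw request body.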

What we hold

What we hold, and for how long.

Data either lives for a single request, for seven days, for as long as your store stays with us, or is hashed before it leaves. That is the full list.

  • In request memory only

    ~300 ms

    Order details, shopper email and phone, full name, raw address.

    Never logged. Never persisted. Released when the request ends.

  • Click bridge

    7 days (auto-expiry)

    A small record that stitches the ad click to the purchase.

    Auto-expires. Also deleted as soon as the event forwards successfully.

  • Per-store configuration

    While you stay

    Your store settings and forwarding flags.

    Encrypted at rest. Never logged. Updated by our team on your instruction.

  • Egress — what leaves us

    Per request only

    One enriched event to your ad platform; one status line to your log drain; one alert on failure.

    Every personal field is hashed so it cannot be reversed. No full payloads in logs.

Who owns what

You own the decision. We own the pipe.

A short version of the vendor / merchant split that sits at the centre of every contract we sign.

You own

  • Deciding when GDPR or CCPA applies to a shopper.
  • Getting consent at the storefront and configuring your cookie banner.
  • Translating that consent into the flags your ad platforms expect.
  • Signing the data processing agreements with each ad platform.
  • Maintaining a privacy policy that names our team as a processor.
  • Honouring shopper data-access and deletion requests on your side.

We own

  • Running the recovery layer and keeping it fast, auditable, and honest.
  • Never logging personal data; never storing personal data beyond the click bridge.
  • Forwarding your signals unchanged — never deciding on your behalf.
  • Honouring the de-duplication contract with your ad platforms.
  • Rotating secrets, patching quickly, alerting the moment anything breaks.
  • Keeping this architecture public and honest.

Ready to see it running on your store?

Thirty minutes on a call — we walk you through the layer, the numbers you can expect, and the thirty-day money-back guarantee.
