Merchant Protocol · v1 · 2026-04-22

The Merchant Control Protocol.

You own the customer relationship. We receive the order events your store sends us and forward them to your ad-platform accounts on your behalf — nothing more. Every credential we need to do this is issued by you, in your own accounts, and can be revoked by you at any moment without asking us.

Applies to
  • Meta
  • Google Ads
  • Pinterest Ads
  • TikTok Ads
  • + similar

The same receipt, boundary, and kill switches apply to each. Every platform is handled independently — revoking one does not affect the others.

01 · The receipt

What you provide, what we do with it, how you take it back.

Ad-platform access tokens
  • What you provide: Issued by you in each platform's own admin console (Meta Business Manager, Google Ads account, Pinterest business account, TikTok Ads Manager, and so on).
  • What we use it for: Authenticates the events we send to each of your ad accounts on your behalf.
  • How you revoke or change it: Revoke the token in the relevant platform's console — event delivery to that platform stops immediately, no action needed on our side. Revoking one platform's token does not affect the others.

Order-event signing secret
  • What you provide: The cryptographic secret tied to the order-event subscription you create in Shopify.
  • What we use it for: Verifies every incoming order event really came from your store and was not forged by a third party.
  • How you revoke or change it: Uninstall or rotate the order-event subscription in your Shopify admin — the old secret becomes invalid and we stop accepting events until you provide the new one.

Pixel / tag identifiers
  • What you provide: The public identifiers already tied to each of your ad-platform accounts (Meta pixel ID, Google Ads conversion tag, Pinterest tag, TikTok pixel, and so on).
  • What we use it for: Included in every event we forward, so each platform credits the correct tag.
  • How you revoke or change it: Change or deprecate them in each platform's console directly.

Small pixel snippet (optional)
  • What you provide: Pasted into your Shopify custom pixel settings.
  • What we use it for: Links a shopper's ad click on the product page to the eventual purchase.
  • How you revoke or change it: Remove the snippet from Shopify custom pixel settings — the browser-side signal stops; server-side purchase events continue.
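
How the order-event signing secret in the receipt above is typically checked, as an added example that is not this vendor's code: Shopify signs each webhook body with HMAC-SHA256 and sends the base64 digest in the X-Shopify-Hmac-Sha256 header. The function names, secrets and order body below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

HEADER = "X-Shopify-Hmac-Sha256"  # header Shopify uses for the webhook digest


def sign(raw_body: bytes, secret: str) -> str:
    """Base64 HMAC-SHA256 of the raw request body (what the store sends)."""
    mac = hmac.new(secret.encode(), raw_body, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_order_event(raw_body: bytes, header_value: str, secret: str) -> bool:
    """True only if the header matches the digest under the stored secret."""
    # compare_digest is constant-time, so timing does not leak how much of a
    # guessed signature was correct.
    return hmac.compare_digest(sign(raw_body, secret).encode(),
                               header_value.encode())


def handle_event(raw_body: bytes, headers: dict, stored_secret: str) -> int:
    """Hypothetical receiver: verify the raw bytes first, parse only after."""
    if not stored_secret:
        return 401  # no secret on file (e.g. configuration deleted)
    if not verify_order_event(raw_body, headers.get(HEADER, ""), stored_secret):
        return 401  # forged, tampered, or signed with a rotated secret
    json.loads(raw_body)  # safe to parse now; forwarding would happen here
    return 200


# Constructed sample data, not real credentials or orders.
OLD_SECRET = "constructed-secret-before-rotation"
NEW_SECRET = "constructed-secret-after-rotation"
BODY = b'{"id": 1001, "total_price": "49.00", "currency": "USD"}'

if __name__ == "__main__":
    good = {HEADER: sign(BODY, OLD_SECRET)}
    print(handle_event(BODY, good, OLD_SECRET))                   # genuine event
    print(handle_event(BODY.replace(b"49", b"99"), good, OLD_SECRET))  # tampered
    rotated = {HEADER: sign(BODY, NEW_SECRET)}
    print(handle_event(BODY, rotated, OLD_SECRET))                # after rotation
```

The digest must be computed over the exact bytes received; re-serializing the parsed JSON before verifying changes the bytes and makes genuine events fail.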

02 · The boundary

What passes through our system — and what doesn't.

In-flight only.

Your order data. It is read, transformed into the format each ad platform requires, forwarded, discarded. Shopper identifiers (email, phone, name, city, state, postal code, country) are hashed — using the one-way methods each platform mandates — before they leave our system. Raw identifiers are never written to a database, never logged as raw values, and never held after the event is delivered.
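
The hash-before-forwarding step described above, as an added sketch that is not this vendor's implementation. It assumes SHA-256 over a normalized value, which is what Meta's Conversions API documents for these fields; the normalization rules, field names and sample shopper are simplified assumptions.

```python
import hashlib
import re

# Fields the page lists as shopper identifiers.
PII_FIELDS = ("email", "phone", "name", "city", "state",
              "postal_code", "country")


def normalize(field: str, value: str) -> str:
    """Simplified normalization (assumption; each platform publishes its own)."""
    v = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", v)      # keep digits only
    if field in ("city", "postal_code"):
        return re.sub(r"\s+", "", v)     # drop internal whitespace
    return v


def hash_identifiers(shopper: dict) -> dict:
    """SHA-256 hex digests for the PII fields; raw values are not copied out."""
    hashed = {}
    for field in PII_FIELDS:
        raw = shopper.get(field)
        if raw:
            digest = hashlib.sha256(normalize(field, raw).encode("utf-8"))
            hashed[field] = digest.hexdigest()
    return hashed


def log_record(order_id: int, hashed: dict) -> dict:
    """Structured log entry: which fields were sent, never their values."""
    return {"order_id": order_id, "fields_sent": sorted(hashed)}


# Constructed shopper record for illustration.
SHOPPER = {"email": "  Jane.Doe@Example.COM ", "phone": "+1 (555) 010-0199",
           "city": "San Jose", "country": "US"}

if __name__ == "__main__":
    out = hash_identifiers(SHOPPER)
    print(log_record(1001, out))
```

Because the hash is unsalted and deterministic (that is what lets a platform match it), the log record here carries field names rather than hash values.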

Forwarded, never decided.

  • Your shopper's consent signal, from your own consent banner. We forward it unchanged to every destination platform. We never decide whether the shopper consented — your banner decides, we pass along the decision.
  • Any California / CCPA opt-out flag your systems set on the order. Same rule: your decision, our forward — to every platform that receives the event.

Does not pass through.

  • We do not set tracking cookies on shopper browsers from our system.
  • We do not operate a shopper database. There is no stored list of your customers on our side.
  • We do not share data with any third party. Your own ad-platform accounts are the only destinations.

03 · The switches

Five ways to cut us off — any moment, from your own tools.

Each of these is an action you take entirely from your own tools. You do not need our permission, and in most cases you do not need to notify us.

  1. Stop event delivery to one (or every) ad platform instantly.

    What you do: Revoke the access token for that platform in its own admin console. Repeat for any other platform you want to cut off.
    What happens: Every event we attempt to send to that platform is rejected. Nothing lands in that pixel or tag. Other platforms keep flowing unless you revoke those too. You can do this from your own account without contacting us.
  2. Stop new orders from reaching us at all.

    What you do: Uninstall the order-event subscription from your Shopify admin.
    What happens: Your store stops sending order events to us. No further data enters our system from your store — for any ad platform.
  3. Turn off the browser-side signal, keep server-side working.

    What you do: Remove the small snippet from your Shopify custom pixel settings.
    What happens: The browser-side attribution bridge goes dark. Server-side purchase events continue to flow to every platform whose token is still valid. Useful if you want to reduce your browser-side footprint without losing core purchase attribution.
  4. Opt a shopper out of targeting without blocking attribution.

    What you do: Your consent banner's “decline” path, or your California / CCPA opt-out flag, produces a signal on the order.
    What happens: We forward that signal to every destination platform unchanged. Each platform respects it and treats the event accordingly. We do not override, modify, or second-guess your decision.
  5. Remove your configuration from our systems entirely.

    What you do: Request deletion via our standard support channel.
    What happens: Your stored ad-platform tokens, pixel / tag IDs, order-event signing secret, and click-tracking configuration are removed. Because we do not retain customer data, there is no shopper record to export, migrate, or delete — there never was any.

No “undo hidden from you” state.

Every one of the five switches above is reversible only by you providing the credential again — we cannot re-issue your ad-platform tokens, restore your order-event signing secret, or put back the pixel snippet. That asymmetry is the point of this entire design.

04 · Honest limits

What we can't promise.

Six questions we've been asked where the honest answer is less flattering than the marketing answer. We prefer the honest one.

Can you see our customers' raw emails, phone numbers, or addresses?

Temporarily, in-flight, yes — the order arrives, we read the raw identifiers to hash them, and the hashed values are what leaves our system. We do not store the raw values, do not log them as raw values, and do not hold them after the event is delivered. The data that actually reaches each ad platform is already hashed and cannot be reversed back to raw PII.

Could someone on our team abuse the access tokens to send fake purchases to our ad accounts?

Technically, yes — because we hold your access tokens to send events on your behalf. That risk is inherent to any vendor you grant server-side access to your advertising platforms, not unique to us. Your defenses: (a) every event we send is visible to you in each ad platform's own events or conversion console with a timestamp, (b) you can revoke any platform's token at any moment and our ability to send to that platform stops, (c) each platform's own deduplication and signal-quality scoring flags fabricated patterns. If this risk is unacceptable for your business, you should not grant any vendor server-side access to your ad platforms — including us. We would rather say that than pretend the risk is zero.

What happens to our data if you go out of business or disappear?

Nothing is stranded. We do not hold any shopper data to lose. Your ad-platform access tokens, order-event signing secret, and pixel / tag IDs are all credentials you own inside your own accounts — they remain yours whether we exist or not. If we disappear, your event flow to every platform stops; no customer data goes missing because we never stored any. You continue with another vendor, or without one.

What do you do about GDPR, CCPA, and shopper consent?

We take no position on consent. Your own consent banner and your own GDPR / CCPA posture are yours to operate. We forward the signals your systems capture, unchanged, to every destination platform. We never collect, infer, or second-guess consent. The merchant owns the compliance relationship; we are the infrastructure that forwards the decisions you have already made. If your banner says “decline”, the signal we forward to every platform says “decline”. Full stop.

Can we audit what you actually do with our data?

You can verify three things yourself, without needing our cooperation:

  1. Every event we send is visible in each ad platform's own events or conversion console (Meta Events Manager, Google Ads conversion report, Pinterest tag health, TikTok Events Manager, and so on) — with timestamps, source, and field content.
  2. The order-event log in your own Shopify admin shows every event your store sent us and whether we returned 200 OK.
  3. On request, we will produce our structured event log for your configuration — the list of fields logged per event (never raw PII) for any time range you specify.

Beyond that, we publish our principles on this page; we do not publish the implementation itself, which is our intellectual property.

Are there things you deliberately refuse to do, even when a customer asks?

Yes. Three specific things:

  1. We do not set tracking cookies on shoppers' browsers before consent is obtained — even in a default configuration where it would improve match rates. Your consent banner decides; we do not bypass it.
  2. We do not create fabricated or backdated events to trigger third-party flows (such as abandoned-cart emails). Events we send reflect real shopper actions with real timestamps.
  3. We do not share your data or your shoppers' data with any third party for any purpose. Your own ad-platform accounts are the only destinations. Full stop.