Your Shopify analytics data should belong to you

The hidden cost of free

When a tool is free, you are not the customer. This is an old observation and it is mostly correct. With Microsoft Clarity, the trade is more specific than the cliché suggests, but the structure is the same.

Clarity's terms of use grant Microsoft a broad license to use anonymized session data — heatmaps, click positions, scroll behavior, page sequences — for product development, analytics, and improvement of Microsoft's services. Microsoft is not selling your data to third parties; it is using it internally, including potentially for AI training and for Microsoft's own competing analytics products.

This is not a scandal. It is a fair trade if you understand what you are agreeing to. The problem is that most merchants don't read the terms, install Clarity because it is free and good, and discover the trade-off only when they want to migrate elsewhere or when their lawyer asks questions.

The same applies to every "free" tool in your stack. Read the terms once, decide if the trade is acceptable, then stop worrying. The mistake is agreeing to the trade without ever looking at it.

What happens when an analytics SaaS gets acquired

Hotjar's acquisition by Contentsquare — announced in September 2021, with the full legal merger completing in July 2025 — is the cleanest recent example, but it is not unique. Mixpanel, Heap, and several smaller analytics tools have changed ownership in the last five years. The playbook is consistent.

1. The acquirer runs the legacy product mostly unchanged for 12-24 months.
2. Plans get repackaged. Long-tenure customers get migration emails. The old free tier shrinks or disappears.
3. Pricing aligns with the acquirer's posture. If the acquirer is enterprise, your $39/mo plan is now $90/mo with seat math.
4. Data export options become harder to find. Sometimes raw exports never existed; sometimes they get gated behind higher tiers.
5. In a few cases, terms of service are updated — usually with a 30-day opt-out window most users miss.

None of this is malicious. It is just what acquisitions do. But if your store's behavioral history lives inside that vendor, you are along for the ride. The optionality you thought you had — to migrate, to negotiate, to take your data elsewhere — is structurally smaller than it felt when you signed up.

Why this matters more in an AI-first world

For most of the 2010s, behavioral data was something you looked at in a dashboard. The vendor's job was to render charts. If their charts were fine, the question of "who owns this" was abstract.

That has changed. Behavioral data is now the input to AI assistants that answer operational questions. When you ask Claude "why is our conversion rate dropping," the value is in the AI being able to read your behavioral data through an MCP server and reason over it. That requires the data to be addressable on terms you control.

Clarity does not expose an MCP server. Hotjar/Contentsquare does not expose an MCP server. Your visitors' behavior on your store is, today, inaccessible to the AI tools you actually use to operate. You can copy- paste exports, but you have lost the structure that makes the answer useful.

The merchants who own their behavioral data — meaning, it lives in a place where they decide which assistants can read it — are about to have a meaningful advantage. The merchants who rented their behavioral data to Microsoft or Contentsquare have to wait until those vendors decide to ship MCP. Maybe they will. Probably they will. But the timing isn't yours.

What merchant-owned data actually means

"We own your data" is in every analytics vendor's marketing. The phrase is meaningless without specifics. Three concrete tests:

1. Can you export it cleanly, on demand?

Not "request an export and wait three business days." Not "available on the enterprise tier only." Can you, today, download your raw event data in a structured format you can load somewhere else? If the answer is no, you do not own it.

2. Can you delete it — including individual customer data — within a meaningful window?

Under GDPR, an individual customer can ask for their data to be deleted. If your analytics vendor cannot honor that request within 30 days, the obligation falls on you and the answer is "we cannot." The right vendor handles GDPR redact webhooks automatically.

3. Are downstream uses — including AI access — opt-in by you, not opt-out?

"We may use anonymized data to improve our services" is opt-out. "We will only expose your data to systems you explicitly connect, and only when you ask us to" is opt-in. The first is the SaaS default. The second is what merchant ownership looks like in practice.

How Shopify's Customer Privacy API changes the math

Shopify rolled out the Customer Privacy API as the standard way for storefronts to manage visitor consent. Apps that integrate with it can be told, at the event level, whether the visitor has granted analytics or marketing consent. Apps that don't integrate either over-collect (illegally in the EU) or under-collect (missing data on consenting visitors).

For a merchant, the practical effect is:

• In regions that require consent, your analytics tool should emit zero events until the visitor has explicitly granted analytics consent.
• When the visitor changes their mind, your tool should pause or resume tracking immediately — within the same session.
• You should not have to wire any of this manually with a third-party consent management platform unless you choose to.

Click Context uses Shopify's Customer Privacy API by default. Clarity and Hotjar can be configured to respect it, but the default install does not. If you are running either, double-check your consent integration this week.

Practical steps for merchants in 2026

Five concrete moves, in order of impact:

1. Read the data clauses in your current analytics tools' ToS. Once. Not all of it — search for "license," "data use," "third parties," "improvements." Decide if the trade is acceptable.
2. Verify your Customer Privacy API integration. Open your store in incognito from an EU IP. Decline analytics. Confirm zero tracking events fire. If they fire, your consent integration is wrong.
3. Pick one tool whose data is structurally yours. Even if you keep Clarity for free heatmaps, layer one tool — Click Context, Matomo, anything — where the contract puts you in the driver's seat.
4. Test the export. If your vendor claims data export, try it. Today. Not when you are deciding to migrate.
5. Plan AI access deliberately. Decide which assistants should be able to read your behavioral data, and connect them through MCP servers you control. Do not let the choice be made for you when an acquirer ships their own AI feature.

Where Click Context stands

We make a behavioral analytics product. We are not neutral. But we built it the way we did because we were the merchants getting frustrated by this stuff, before we were the vendors trying to fix it.

• EU-hosted. Data lives in PostgreSQL on Neon in the EU region. HTTPS/TLS in transit, restricted access at rest.
• No sale, no sharing, no model training. Your data is not used to train anything. Not ours, not Anthropic's, not anyone's.
• Customer Privacy API integrated by default. Tracking respects visitor consent automatically.
• Full deletion on uninstall. Within 48 hours of uninstalling the app, all associated data is permanently deleted via the Shopify shop/redact webhook.
• AI access on your terms. MCP access is opt-in, token-scoped, and revocable from the dashboard at any time.

Read our privacy policy if you want the long version. The short version: the data is yours, the AI access is yours to grant, the kill switch is yours to pull.