Privacy Policy

Last updated: February 21, 2026

Track Clear ("we", "our", or "us") operates the Track Clear service ("Service"), accessible at trackclear.io. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have regarding your data.

1. Who This Policy Applies To

This policy applies to two categories of people: (a) merchants who create Track Clear accounts and use our dashboard to configure event forwarding, and (b) end customers of those merchants whose behavioral data (such as page views and purchase events) is transmitted through our infrastructure.

If you are an end customer of a merchant using Track Clear, you should also review that merchant's own privacy policy, as they determine the purposes for which your data is collected.

2. Data We Collect

2.1 Account Data (Merchants)

  • Name and email address provided during registration
  • Hashed password (bcrypt) or Google OAuth identifier
  • Billing information managed by Stripe (we do not store raw card data)
  • Display currency and language preferences
  • Alert notification preferences

2.2 Workspace Configuration Data

  • API keys and access tokens for advertising platforms (Meta, Google Ads, TikTok, GA4, Klaviyo)
  • All credentials are encrypted at rest using AES-256-GCM before storage in our database
  • Pixel IDs and measurement IDs for destination platforms

2.3 Event Data (End Customers)

When a merchant's store visitor triggers an ecommerce event (such as viewing a product, adding to cart, or completing a purchase), our JavaScript snippet transmits the following data to our servers:

  • Event name and timestamp
  • Page URL and referrer URL
  • Browser cookies: _fbp (Meta browser pixel cookie) and _fbc (Meta click ID cookie)
  • TikTok click ID (ttclid) and Google click ID (gclid) from URL parameters
  • UTM attribution parameters (source, medium, campaign, content, term)
  • Customer user data: email address, phone number, first name, last name, city, state, postal code, and country code — when provided by the merchant's store
  • Order data: value, currency, number of items, order ID
  • Consent signals passed by the merchant's consent management platform

2.4 Technical and Usage Data

  • IP address of incoming requests (stored temporarily in event logs for debugging and fraud prevention; automatically anonymized after 48 hours)
  • User agent strings (stored temporarily in event logs for bot detection; automatically anonymized after 48 hours)
  • API request logs for security monitoring

3. How We Process Personal Data

3.1 PII Hashing Before Forwarding

Before forwarding event data to advertising platforms, we apply SHA-256 hashing to all personally identifiable information (PII) fields, including email address, phone number, first name, last name, city, state, postal code, and country code. This is consistent with the requirements and recommendations of Meta Conversions API, Google Ads Enhanced Conversions, and TikTok Events API.

Exception: Klaviyo requires unhashed email addresses for customer profile matching. When a merchant has Klaviyo enabled, the raw email address is transmitted to Klaviyo's servers.

3.2 Phone Number Normalization

Phone numbers are normalized to E.164 international format (e.g., +15551234567) using the customer's billing country to infer the correct country code, before SHA-256 hashing and transmission to advertising platforms.

3.3 Server-Side Event Forwarding

Our primary purpose is server-to-server event forwarding. We receive event data from the merchant's store, perform any necessary normalization and hashing, and transmit it to the advertising or analytics platforms that the merchant has configured. We act as a data processor on behalf of the merchant for this purpose.

3.4 Consent Enforcement

Merchants can configure our service to operate in either STRICT or LAX consent mode. In STRICT mode, we only forward events to advertising platforms when the end customer has affirmatively consented to marketing tracking. Merchants are responsible for implementing a compliant consent management solution on their storefront.

4. Sub-Processors

We share data with the following third-party service providers to operate the Service. Merchants who enable a given destination platform authorize us to transmit data to that platform on their behalf.

Sub-Processor | Purpose | Location
Meta Platforms, Inc. | Meta Conversions API event forwarding | United States
Google LLC | Google Ads enhanced conversions and GA4 Measurement Protocol | United States
ByteDance Ltd. (TikTok) | TikTok Events API event forwarding | United States / Singapore
Klaviyo, Inc. | Email marketing event synchronization | United States
Stripe, Inc. | Payment processing and subscription management | United States
Resend | Transactional email delivery (account notifications, alerts) | United States

5. Data Retention

Event logs (records of individual forwarding operations) are retained according to the merchant's subscription plan:

  • Free and Starter plans: 7 days
  • Growth and Scale plans: 30 days

IP addresses and browser information collected during event processing are automatically anonymized after 48 hours and permanently deleted according to your plan's retention period (7-30 days).

Merchant account data (profile, workspace configuration) is retained for the duration of the account. Following account deletion or termination, we will delete or anonymize all associated data within 30 days, except where we are required to retain records for legal or regulatory compliance purposes (such as billing records, which may be retained for up to 7 years).

6. Cookies

Our JavaScript snippet reads the following cookies from the end customer's browser to support advertising platform attribution. The snippet does not set any cookies itself.

  • _fbp — Set by Meta's browser pixel. Used to identify browsers for Meta Conversions API deduplication.
  • _fbc — Set by Meta's browser pixel when a visitor arrives via a Facebook ad. Used for attribution.

Our web application (trackclear.io dashboard) uses a locale cookie to remember your preferred display language. This cookie does not track any personal data and expires with your browser session.

Session management for authenticated merchants uses HTTP-only cookies containing a signed JWT token. These are essential for the operation of the Service and cannot be disabled.

7. International Data Transfers

Our infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers where applicable.

Merchants who enable advertising platform integrations authorize the transfer of hashed end-customer data to those platforms, which may be located in various jurisdictions. Each platform operates under its own data transfer mechanisms.

8. Your Rights (GDPR and Similar Laws)

If you are a merchant located in the EEA, UK, or another jurisdiction with applicable data protection law, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability: Receive your personal data in a structured, machine-readable format.
  • Right to object: Object to processing of your personal data for direct marketing purposes.
  • Right to restrict processing: Request that we limit how we use your data in certain circumstances.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.

For end customers of merchants using Track Clear, you should exercise these rights directly with the merchant. As a data processor, we will assist merchants in responding to such requests.

To exercise any of the above rights as a merchant, contact us at support@trackclear.io. We will respond within 30 days.

9. Data Deletion Requests

To request deletion of your account and all associated data, you may either use the "Delete Workspace" and account deletion options in the dashboard settings, or send an email to support@trackclear.io with the subject line "Data Deletion Request". We will complete the deletion within 30 days and confirm via email.

Note that deleting your account does not automatically remove data that has already been forwarded to advertising platforms (Meta, Google, TikTok, GA4, Klaviyo). To request deletion of data from those platforms, you must contact them directly under their respective privacy policies.

10. Security

We implement industry-standard technical and organizational measures to protect your data:

  • All credentials and API tokens are encrypted at rest using AES-256-GCM
  • All data in transit is protected by TLS 1.2 or higher
  • Passwords are hashed using bcrypt with an appropriate cost factor
  • Access to production systems is restricted and logged
  • Rate limiting is applied to all public API endpoints

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to support@trackclear.io.

11. Children's Privacy

The Service is intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify merchants by email at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions, requests, or concerns, please contact:

Track Clear
support@trackclear.io