Data Processing Agreement (DPA)
Last updated: June 2026
This DPA describes how Trackful processes personal data on behalf of merchants using the service, in accordance with Article 28 of the GDPR. It forms part of the Terms of Service. For a signed copy, contact privacy@trackful.io.
1. Roles
For the merchant's customer data, the merchant is the data controller and Trackful (ECOM FR LLC) is the data processor. Trackful processes this data only on the documented instructions of the merchant, which are given through the merchant's configuration in the dashboard (the channels they enable, the consent signals they pass).
2. Scope and purpose
Processing is limited to providing server-side conversion tracking: capturing click identifiers, hashing PII (SHA-256), attributing conversions, and forwarding conversion events to the ad platforms the merchant has enabled.
3. Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Infomaniak Network SA | Hosting and database | Switzerland |
| Stripe | Billing (WooCommerce) | EU / USA (SCCs) |
| Postmark | Transactional + broadcast email | USA (SCCs) |
The ad platforms a merchant enables (Google Ads, Meta, Google Analytics 4, TikTok, Pinterest, Snapchat) receive conversion data as independent controllers/processors per the merchant's own agreements with them; they are recipients, not Trackful sub-processors. We notify merchants of new sub-processors before they take effect.
4. Security measures
- AES-256 encryption of access tokens and sensitive data at rest
- SHA-256 hashing of all PII before storage (never stored in clear text)
- HTTPS/TLS in transit
- Least-privilege access control and regular audits
5. International transfers
Primary hosting is in Switzerland (European Commission adequacy decision). Where a sub-processor is outside the EU/EEA, transfers are covered by Standard Contractual Clauses or an adequacy decision.
6. Data subject rights and deletion
Trackful assists the merchant in responding to data-subject requests. Deletion can be triggered by uninstalling the app (Shopify GDPR webhooks) or via the WordPress privacy tools (WooCommerce), or by emailing privacy@trackful.io. Requests are processed within 30 days.
7. Retention and return
Conversion data is retained for 90 days; on termination, merchant customer data is deleted within 90 days unless a legal obligation requires otherwise.