Privacy Policy
Last updated: June 2026
At Trackful, protecting your personal data is a priority. This policy explains how we collect, use and protect your information.
1. Data controller
The data controller is ECOM FR LLC, registered office at 28 Geary St STE 650 #303, San Francisco, CA 94108, USA.
For any question about data protection, contact us at: privacy@trackful.io
2. Data we collect
2.1 Merchant data (app users)
- Store account information (store name, email)
- OAuth access tokens (AES-256 encrypted)
- Ad-platform integration config (Google Ads, Meta, GA4, TikTok, Pinterest, Snapchat)
- Billing data
2.2 Merchants' customer data
Trackful processes the following on behalf of merchants:
- Conversion data (amount, currency, products)
- Click and session identifiers (gclid, gbraid, wbraid, fbclid, ttclid, epik, sccid, _fbc, _fbp, _ga) for attribution
- Hashed data (SHA-256): email, phone - never stored in clear text
- IP address (anonymized after processing)
Important: Trackful never stores personal data in clear text. All PII is irreversibly hashed (SHA-256) before storage.
3. Purposes
- Providing the server-side tracking service
- Attributing conversions to ad campaigns
- Reporting and analytics
- Improving our services
- Customer support
- Legal compliance
4. Legal basis
- Performance of contract: to provide the service
- Legitimate interest: to improve our services
- Consent: for marketing communications
- Legal obligation: for tax and legal compliance
5. Data recipients
Depending on the channels the merchant enables in their dashboard, conversion data (click identifiers and SHA-256 hashed PII, never in clear text) may be sent to the following ad platforms, on behalf of and on the instruction of the merchant:
- Google Ads (Enhanced Conversions)
- Meta / Facebook (Conversions API)
- Google Analytics 4 (Measurement Protocol)
- TikTok (Events API)
- Pinterest (Conversions API)
- Snapchat (Conversions API)
Data is also processed by our technical sub-processors (see section 6) and may be disclosed to competent authorities where legally required.
Trackful's role: for merchants' customer data, Trackful acts as a processor under the GDPR, on behalf of the merchant who remains the controller.
Limited Use (Google APIs): Trackful's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. This data is used solely to provide the conversion-tracking service; it is never used for advertising, sold, or transferred to third parties for other purposes.
6. Sub-processors and transfers
Our data is hosted by Infomaniak, in Switzerland (Europe). Our main sub-processors:
- Infomaniak (hosting and database) - Switzerland
- The ad platforms listed in section 5 - per the merchant's configuration
Where transfers outside the European Union occur, they are covered by appropriate safeguards (Standard Contractual Clauses, adequacy decisions - Switzerland benefits from a European Commission adequacy decision).
7. Retention
- Account data: duration of the relationship + 3 years
- Conversion data: 90 days (for attribution)
- Technical logs: 30 days
- Billing data: 10 years (legal obligation)
8. Your rights
Under the GDPR you have the following rights:
- Access: obtain a copy of your data
- Rectification: correct your data
- Erasure: request deletion of your data
- Portability: receive your data in a structured format
- Objection: object to certain processing
- Restriction: restrict the processing of your data
To exercise these rights, contact us at: privacy@trackful.io
Data deletion: you may request deletion of your data at any time by emailing privacy@trackful.io. Shopify merchants can also trigger deletion by uninstalling the app (GDPR webhooks), and WooCommerce merchants via the WordPress privacy tools (Tools > Erase Personal Data). Requests are processed within 30 days.
9. Security
We implement appropriate technical and organizational measures:
- AES-256 encryption for tokens and sensitive data
- SHA-256 hashing for PII
- Secure communications (HTTPS/TLS)
- Least-privilege access control
- Regular security audits
10. Cookies
Our website uses technical cookies necessary for operation, and the tracking service sets first-party cookies (_tp_ prefix) server-side. For details, see our cookie policy.
11. Complaints
If you believe your rights are not respected, you may lodge a complaint with your local data protection authority (in France, the CNIL: www.cnil.fr).
12. Changes
This policy may change at any time. Changes take effect upon publication on the site. We encourage you to review this page regularly.