Privacy Policy

Last updated: June 2026

At Trackful, protecting your personal data is a priority. This policy explains how we collect, use and protect your information.

1. Data controller

The data controller is ECOM FR LLC, registered office at 28 Geary St STE 650 #303, San Francisco, CA 94108, USA.

For any question about data protection, contact us at: privacy@trackful.io

2. Data we collect

2.1 Merchant data (app users)

  • Store account information (store name, email)
  • OAuth access tokens (AES-256 encrypted)
  • Ad-platform integration config (Google Ads, Meta, GA4, TikTok, Pinterest, Snapchat)
  • Billing data

2.2 Merchants' customer data

Trackful processes the following on behalf of merchants:

  • Conversion data (amount, currency, products)
  • Click and session identifiers (gclid, gbraid, wbraid, fbclid, ttclid, epik, sccid, _fbc, _fbp, _ga) for attribution
  • Hashed data (SHA-256): email, phone - never stored in clear text
  • IP address (anonymized after processing)

Important: Trackful never stores personal data in clear text. All PII is irreversibly hashed (SHA-256) before storage.

3. Purposes

  • Providing the server-side tracking service
  • Attributing conversions to ad campaigns
  • Reporting and analytics
  • Improving our services
  • Customer support
  • Legal compliance

4. Legal basis

  • Performance of contract: to provide the service
  • Legitimate interest: to improve our services
  • Consent: for marketing communications
  • Legal obligation: for tax and legal compliance

5. Data recipients

Depending on the channels the merchant enables in their dashboard, conversion data (click identifiers and SHA-256 hashed PII, never in clear text) may be sent to the following ad platforms, on behalf of and on the instruction of the merchant:

  • Google Ads (Enhanced Conversions)
  • Meta / Facebook (Conversions API)
  • Google Analytics 4 (Measurement Protocol)
  • TikTok (Events API)
  • Pinterest (Conversions API)
  • Snapchat (Conversions API)

Data is also processed by our technical sub-processors (see section 6) and may be disclosed to competent authorities where legally required.

Trackful's role: for merchants' customer data, Trackful acts as a processor under the GDPR, on behalf of the merchant who remains the controller.

Limited Use (Google APIs): Trackful's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. This data is used solely to provide the conversion-tracking service; it is never used for advertising, sold, or transferred to third parties for other purposes.

6. Sub-processors and transfers

Our data is hosted by Infomaniak, in Switzerland (Europe). Our main sub-processors:

  • Infomaniak (hosting and database) - Switzerland
  • The ad platforms listed in section 5 - per the merchant's configuration

Where transfers outside the European Union occur, they are covered by appropriate safeguards (Standard Contractual Clauses, adequacy decisions - Switzerland benefits from a European Commission adequacy decision).

7. Retention

  • Account data: duration of the relationship + 3 years
  • Conversion data: 90 days (for attribution)
  • Technical logs: 30 days
  • Billing data: 10 years (legal obligation)

8. Your rights

Under the GDPR you have the following rights:

  • Access: obtain a copy of your data
  • Rectification: correct your data
  • Erasure: request deletion of your data
  • Portability: receive your data in a structured format
  • Objection: object to certain processing
  • Restriction: restrict the processing of your data

To exercise these rights, contact us at: privacy@trackful.io

Data deletion: you may request deletion of your data at any time by emailing privacy@trackful.io. Shopify merchants can also trigger deletion by uninstalling the app (GDPR webhooks), and WooCommerce merchants via the WordPress privacy tools (Tools > Erase Personal Data). Requests are processed within 30 days.

9. Security

We implement appropriate technical and organizational measures:

  • AES-256 encryption for tokens and sensitive data
  • SHA-256 hashing for PII
  • Secure communications (HTTPS/TLS)
  • Least-privilege access control
  • Regular security audits

10. Cookies

Our website uses technical cookies necessary for operation, and the tracking service sets first-party cookies (_tp_ prefix) server-side. For details, see our cookie policy.

11. Complaints

If you believe your rights are not respected, you may lodge a complaint with your local data protection authority (in France, the CNIL: www.cnil.fr).

12. Changes

This policy may change at any time. Changes take effect upon publication on the site. We encourage you to review this page regularly.