Back to Home

Privacy Policy

Last updated: March 20, 2026

This Privacy Policy describes how alltrack.app ("Alltrack," "we," "us," or "our") collects, uses, stores, and shares information when you use our website at alltrack.app, our application at app.alltrack.app, and all related services (collectively, the "Service"). This policy covers two categories of individuals: our customers (you, the account holder) and your end users (visitors to your websites whose conversion data is processed through our Service).

1. Information We Collect

1.1 Account Information (Our Customers)

When you create an account and use the Service, we collect:

  • Registration data: email address, username, and password (stored hashed, never in plain text).
  • Profile data: timezone preference, account status, and verification status.
  • Billing data: credit balance and plan information. We do not store credit card numbers or payment instrument details.
  • Usage data: event counts, conversion statistics, error logs, and feature usage patterns.
  • Communication data: emails sent to you (password resets, notifications).

1.2 Connected Platform Data

When you connect advertising accounts, we collect and store:

  • OAuth tokens: access tokens and refresh tokens for Google Ads and Meta (Facebook) Ads, encrypted with AES-256 encryption.
  • Account metadata: advertising account IDs, account names, and platform-specific identifiers (e.g., Google customer IDs, Facebook pixel IDs).
  • Campaign data: campaign names, statuses, budgets, performance metrics (impressions, clicks, conversions, cost, ROAS), ad group data, ad creative details, keyword data, and targeting configurations.

1.3 Conversion Event Data (Your End Users' Data)

When conversion events are sent to your webhook endpoints, we receive and process data that may include personal information about your end users:

  • Identifiers: email address, phone number, first name, last name.
  • Technical data: IP address, browser fingerprint, user agent.
  • Click identifiers: Google click IDs (gclid, wbraid, gbraid), Facebook click IDs (fbclid).
  • Location data: country, city, state, zip code.
  • Transaction data: payout amount, cost, currency.
  • Marketing data: UTM parameters, source, medium, campaign identifiers, custom variables.
  • Event metadata: event name, timestamp, domain, query string.

1.4 AI Analysis Data

If you enable AI-powered analysis features by providing your Anthropic API key:

  • Your API key is stored encrypted (AES-256) on our servers.
  • Campaign performance data and ad metrics are sent to Anthropic's Claude API for analysis.
  • AI analysis results and your actions on recommendations (applied/dismissed) are stored.

1.5 Technical and Automatically Collected Data

  • Authentication tokens: JWT tokens for session management.
  • API logs: request and response data for webhook processing (for debugging and error tracking).
  • Server logs: standard server access logs including IP addresses and timestamps.

2. How We Use Your Information

2.1 Service Operation

  • Process and deliver conversion events to your configured advertising platforms.
  • Authenticate your account and maintain session security.
  • Display analytics, dashboards, and performance metrics.
  • Manage your credit balance and event processing.
  • Send password reset emails and service notifications.

2.2 Third-Party Data Transmission

Conversion event data is transmitted to the advertising platforms you have configured:

  • Google Ads: conversion data is sent via the Google Ads API using your linked account credentials, associated with click IDs (gclid, wbraid, gbraid) for attribution.
  • Meta/Facebook: conversion data is sent via the Meta Conversions API (CAPI) using your linked pixel, with personal data hashed (SHA-256) before transmission as required by Meta.

Data is only sent to platforms you have explicitly connected and configured. We do not send your data to platforms you have not authorized.

2.3 AI Processing

When you use AI features, aggregated campaign performance data is sent to Anthropic's API to generate optimization recommendations. No end-user personal information is included in AI analysis requests — only campaign-level metrics and ad performance data.

2.4 Service Improvement

We use aggregated, anonymized usage data to improve the Service, monitor system performance, and identify and fix errors.

3. Data Storage and Security

3.1 Encryption

  • Passwords are hashed using industry-standard algorithms and never stored in plain text.
  • OAuth tokens (access and refresh tokens) are encrypted with AES-256 encryption at rest.
  • Third-party API keys (e.g., Anthropic) are encrypted with AES-256 encryption at rest.
  • SMTP credentials for email delivery are encrypted at rest.

3.2 Infrastructure Security

  • All data in transit is protected with TLS/SSL encryption.
  • Database access is restricted and authenticated.
  • JWT-based authentication with HMAC signing for API security.
  • OAuth state parameter validation to prevent CSRF attacks.

3.3 Data Retention

  • Account data: retained for as long as your account is active, and for 30 days after account deletion.
  • Conversion event data: retained for as long as your account is active. You may request deletion at any time.
  • OAuth tokens: retained until you disconnect the linked account, at which point they are deleted.
  • AI analysis history: retained for as long as your account is active.
  • Server logs: retained for up to 90 days for debugging and security purposes.
  • Password reset tokens: automatically expire and are deleted after use or expiration.

4. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Advertising platforms: conversion data is sent to Google Ads and Meta/Facebook as configured by you (see Section 2.2).
  • AI providers: campaign metrics are sent to Anthropic when you use AI features (see Section 2.3).
  • Email delivery: we use SMTP providers to deliver transactional emails (password resets, notifications).
  • Legal requirements: we may disclose data when required by law, court order, or governmental authority.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

5. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate personal data.
  • Deletion: request deletion of your personal data and account.
  • Data portability: request your data in a portable format.
  • Withdraw consent: withdraw consent for optional data processing (e.g., AI features) at any time.
  • Disconnect accounts: revoke access to connected advertising platforms at any time through the Service.
  • Object to processing: object to certain types of data processing.

To exercise any of these rights, contact us at [email protected].

6. Your Responsibilities as a Data Controller

When you use Alltrack to process conversion data from your website visitors, you act as the data controller and Alltrack acts as the data processor. As the data controller, you are responsible for:

  • Having a lawful basis for collecting and processing your end users' personal data.
  • Providing adequate privacy notices to your end users that disclose the use of server-side tracking and data sharing with advertising platforms.
  • Obtaining any necessary consents from your end users as required by applicable data protection laws (e.g., GDPR, CCPA).
  • Responding to data subject requests from your end users regarding their personal data processed through the Service.
  • Ensuring that the data you send to our webhook endpoints is accurate and lawfully collected.

7. Cookies and Local Storage

The Alltrack application (app.alltrack.app) uses:

  • Local storage: to store your authentication token (JWT) for session persistence. This is essential for the Service to function and cannot be disabled while using the application.
  • No third-party tracking cookies: we do not use advertising cookies, analytics trackers, or third-party cookies on our application.

The Alltrack marketing website (alltrack.app) may use minimal analytics to understand visitor behavior. No personal data is collected from website visitors who do not create an account.

8. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence. When conversion data is transmitted to advertising platforms (Google, Meta) and AI providers (Anthropic), it is processed according to their respective privacy policies and data processing agreements. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately at [email protected].

10. Third-Party Services

The Service integrates with the following third-party services, each governed by their own privacy policies:

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: