← TrackVerity

Data Processing Agreement

Template, effective 4 July 2026. Request a signable copy at support@trackverity.com.

This template records how TrackVerity processes personal data on behalf of merchants under Article 28 GDPR. It forms part of our Terms of Service and reflects the practices described in our Privacy Policy.

1. Parties and roles

The merchant (the store operator using TrackVerity) is the data controller. TrackVerityis the data processor. We process personal data only on the merchant's documented instructions, which these terms and the product configuration constitute.

2. Subject matter

Processing of store visitor and order data for the purpose of ad attribution relay: matching ad clicks to orders and delivering verified purchase events to the ad platforms the merchant has connected.

3. Duration

The term of the merchant's subscription, plus the deletion period in section 9.

4. Nature and purpose of processing

Collection of click and visitor identifiers on the merchant's store, receipt of order webhooks from the merchant's platform, server-side matching and deduplication, transmission of matched events to connected ad platforms, and reporting back to the merchant.

5. Categories of personal data

  • Visitor identifier (_tvid cookie value)
  • Ad click IDs and UTM parameters
  • IP address and user agent (raw, retained up to 90 days, then deleted)
  • Buyer email and phone number, SHA-256 hashed at receipt, never stored in plain form
  • Order IDs, totals and currency (no buyer names, no addresses)

6. Categories of data subjects

Visitors to and buyers from the merchant's store.

7. Subprocessors

  • Supabase: database hosting, eu-central-1 (Frankfurt)
  • Vercel: application hosting, fra1 (Frankfurt)
  • Meta*: receipt of purchase events via Conversions API
  • TikTok*: receipt of purchase events via Events API

* Meta and TikTok receive data on the merchant's instruction and act as independent controllers for it under their own terms with the merchant, not as our subprocessors in the strict sense. We list them here for transparency. We notify merchants before adding or replacing a subprocessor; the merchant may object on reasonable data protection grounds.

8. Security measures

  • Platform credentials (API tokens, server keys) encrypted at rest
  • TLS for all data in transit
  • All storage and processing pinned to EU regions
  • Row-level security isolating each merchant organization's data
  • Email and phone hashed in memory at receipt; raw IP auto-deleted after 90 days

9. Deletion on termination

When the subscription ends, we delete the merchant's store data within 30 days, except where law requires longer retention. The merchant can request export before deletion.

10. International transfers

Our own processing stays in the EU. The transmission of events to Meta and TikTok can involve transfers outside the EEA; these transfers rest on the Standard Contractual Clauses and transfer mechanisms in each platform's data terms with the merchant. The merchant, as the account holder with each platform, is party to those terms.

11. Assistance and audits

We assist the merchant with data subject requests, breach notification and records of processing for the data we hold. We answer reasonable audit questions in writing and make available the information needed to demonstrate compliance with this DPA.

To execute this DPA for your organization, write to support@trackverity.com.

TrackVerityG2 awardsCapterra and Software Advice awards
★★★★★4.9/5 from 233 reviews

Product

PricingHow it worksFeaturesIntegrationsBook a demoContact

Company

AffiliatesBlogAboutHelp center

Integrations

ShopifyWooCommerceMeta AdsTikTok AdsKlaviyoSnapchat AdsGoogle AdsPinterest AdsAll Integrations
© 2026 TrackVerity. All rights reserved.Privacy policyTermsDPA