Data Processing Agreement
This template records how TrackVerity processes personal data on behalf of merchants under Article 28 GDPR. It forms part of our Terms of Service and reflects the practices described in our Privacy Policy.
1. Parties and roles
The merchant (the store operator using TrackVerity) is the data controller. TrackVerityis the data processor. We process personal data only on the merchant's documented instructions, which these terms and the product configuration constitute.
2. Subject matter
Processing of store visitor and order data for the purpose of ad attribution relay: matching ad clicks to orders and delivering verified purchase events to the ad platforms the merchant has connected.
3. Duration
The term of the merchant's subscription, plus the deletion period in section 9.
4. Nature and purpose of processing
Collection of click and visitor identifiers on the merchant's store, receipt of order webhooks from the merchant's platform, server-side matching and deduplication, transmission of matched events to connected ad platforms, and reporting back to the merchant.
5. Categories of personal data
- Visitor identifier (
_tvidcookie value) - Ad click IDs and UTM parameters
- IP address and user agent (raw, retained up to 90 days, then deleted)
- Buyer email and phone number, SHA-256 hashed at receipt, never stored in plain form
- Order IDs, totals and currency (no buyer names, no addresses)
6. Categories of data subjects
Visitors to and buyers from the merchant's store.
7. Subprocessors
- Supabase: database hosting, eu-central-1 (Frankfurt)
- Vercel: application hosting, fra1 (Frankfurt)
- Meta*: receipt of purchase events via Conversions API
- TikTok*: receipt of purchase events via Events API
* Meta and TikTok receive data on the merchant's instruction and act as independent controllers for it under their own terms with the merchant, not as our subprocessors in the strict sense. We list them here for transparency. We notify merchants before adding or replacing a subprocessor; the merchant may object on reasonable data protection grounds.
8. Security measures
- Platform credentials (API tokens, server keys) encrypted at rest
- TLS for all data in transit
- All storage and processing pinned to EU regions
- Row-level security isolating each merchant organization's data
- Email and phone hashed in memory at receipt; raw IP auto-deleted after 90 days
9. Deletion on termination
When the subscription ends, we delete the merchant's store data within 30 days, except where law requires longer retention. The merchant can request export before deletion.
10. International transfers
Our own processing stays in the EU. The transmission of events to Meta and TikTok can involve transfers outside the EEA; these transfers rest on the Standard Contractual Clauses and transfer mechanisms in each platform's data terms with the merchant. The merchant, as the account holder with each platform, is party to those terms.
11. Assistance and audits
We assist the merchant with data subject requests, breach notification and records of processing for the data we hold. We answer reasonable audit questions in writing and make available the information needed to demonstrate compliance with this DPA.
To execute this DPA for your organization, write to support@trackverity.com.