Privacy Policy
TrackVerity provides server-side ad tracking for Shopify and WooCommerce merchants. We match ad clicks to orders and send verified purchase events to the ad platforms the merchant has connected. This policy explains what data flows through us, why, how long we keep it and who else touches it. We wrote it to be read, so we kept it short and specific.
1. Who does what with your data
When you visit or buy from a store that runs TrackVerity, the merchant is the data controller and we are their processor. We process the data described below on the merchant's instructions, under a data processing agreement. For our own website and merchant accounts (for example the email you give us when you sign up or join the waitlist), we act as the controller.
2. What we collect on merchant stores
- A first-party visitor cookie,
_tvid.A random identifier we set on the store's own domain so an order can be attributed to an earlier ad click. It is strictly necessary for the order attribution the merchant installed us to perform. It lives for up to 400 days. - Ad click IDs and UTM parameters. Values such as fbclid, ttclid, gclid and utm_source that the ad platforms append to the URL when you click an ad.
- IP address and browser user agent. We store these in raw form for up to 90 days, then delete them automatically. Meta and TikTok require both fields unhashed for server-side event matching; a hashed IP fails their validation and matches nothing, so hashing here would break the service.
- Buyer email and phone number, hashed only. When an order webhook arrives, we hash the email address and phone number with SHA-256 in memory, at receipt. The plain values are never written to our database or logs.
- Order data. Order ID, totals, currency and line items. Buyer names, billing addresses and shipping addresses are never stored.
3. Where we store it
All processing and storage happens in the EU: our database runs on Supabase in eu-central-1 (Frankfurt) and our application runs on Vercel in fra1 (Frankfurt).
4. Where it goes
On the merchant's instruction, we transmit matched purchase events to Meta (Conversions API) and TikTok (Events API). Each event carries the click ID, the hashed email and phone, the raw IP and user agent, and the order value. Meta and TikTok receive this data as independent controllers under their own terms with the merchant; their use of it is governed by their own privacy policies. We sell data to no one.
5. Subprocessors
- Supabase (database hosting, EU)
- Vercel (application hosting, EU)
- Meta (ad event delivery, independent controller)
- TikTok (ad event delivery, independent controller)
A signable data processing agreement covering this list is available on request at support@trackverity.com. A template is published at trackverity.com/dpa.
6. How long we keep it
- Raw IP and user agent: up to 90 days, deleted automatically.
- Click IDs, UTMs and the
_tvididentifier: for the life of the merchant account. - Hashed email and phone, order totals: for the life of the merchant account.
- Merchant account data: until the account closes, then deleted.
7. Your rights
You can request access to or deletion of your data at any time. If you bought from a store that uses TrackVerity, the fastest route is the store itself, since the merchant is the controller; we act on their deletion instructions without delay. You can also write to us directly at support@trackverity.com and we will handle or forward the request. EU residents hold the full set of GDPR rights: access, rectification, erasure, restriction, portability and objection, plus the right to complain to a supervisory authority.
8. Changes
When we change this policy we update the effective date above. For material changes we notify merchants by email before the change takes effect.
9. Contact
Questions about this policy: support@trackverity.com.