Privacy Policy
Last updated: May 27, 2025
1. Information We Collect
Account Data: Email address, brand name, and password hash when you sign up.
Click Data: When someone clicks a tracking link, we collect: hashed IP address (SHA-256, never plain text), user agent string, referer URL, browser fingerprint (derived from HTTP headers), and timestamp.
Conversion Data: Order IDs, revenue amounts, coupon codes, and click IDs as sent by you via webhooks or tracking snippets.
Usage Data: Pages visited within the dashboard, feature usage patterns.
We do not collect: plain-text IP addresses, names or emails of end consumers, payment card details, social security numbers, or any sensitive personal data.
2. Legal Basis for Processing (GDPR Article 6)
We process personal data under the following legal bases:
- Performance of a contract: Processing necessary to provide you the Service as agreed in our Terms of Service
- Legitimate interests: Fraud prevention, security monitoring, service improvement, and analytics (Article 6(1)(f))
- Consent: Where you have given explicit consent, such as subscribing to optional communications
- Legal obligation: Processing required to comply with applicable laws, regulations, or court orders
You may withdraw consent at any time by contacting us at support@attriq.io. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.
3. How We Use Your Data
- Provide click tracking, conversion attribution, and analytics
- Detect and prevent click fraud and bot traffic
- Scan destination URLs for scams and phishing (AI-powered)
- Improve the Service and develop new features
- Send transactional emails (account verification, password reset)
- Comply with legal obligations
We do not sell, rent, or share your personal data with third parties for marketing purposes. We have never sold personal data and have no plans to do so.
4. Data Security
- IP addresses are hashed with SHA-256 immediately upon receipt; we never store plain-text IPs
- All data is transmitted over HTTPS/TLS 1.2+
- Database access is protected by Row Level Security (RLS); users can only access their own workspace data
- API keys are UUID v4 and unique per workspace
- Supabase Auth handles password hashing with bcrypt
- Service role keys are server-side only and never exposed to the browser
- Regular security audits and vulnerability assessments are conducted
- Access to production systems is restricted to authorized personnel only with multi-factor authentication
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users within 72 hours of discovering any data breach, in accordance with GDPR Article 33.
5. Third-Party Services & International Data Transfers
We use the following third-party services, each bound by data processing agreements:
- Supabase: Database hosting and authentication (EU/US data centers)
- Google Cloud Run: Redirect engine hosting
- Vercel: Dashboard hosting
- Google Gemini AI: URL safety scanning and fraud analysis (data sent: URLs and aggregated click statistics only, no personal data)
Your data may be transferred to and processed in countries outside your country of residence, including the United States. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's adequacy certifications (e.g., EU-US Data Privacy Framework).
6. Your Rights (GDPR/CCPA/CalOPPA)
Depending on your jurisdiction, you have the right to:
- Access your personal data and obtain a copy
- Correct inaccurate or incomplete data
- Delete your account and associated data ("Right to be Forgotten")
- Export your data in a portable, machine-readable format (data portability)
- Object to processing of your data, including profiling
- Restrict processing in certain circumstances
- Withdraw consent at any time without affecting prior processing
- Lodge a complaint with your local data protection authority
- Non-discrimination: We will not discriminate against you for exercising your privacy rights (CCPA)
- Opt out of sale: We do not sell personal data; however, you may submit a "Do Not Sell My Personal Information" request at any time
California Residents: Under the California Consumer Privacy Act (CCPA) and CalOPPA, you have additional rights including the right to know what personal information is collected, disclosed, or sold, and the right to opt out. We honor Do Not Track (DNT) signals.
To exercise any of these rights, contact us at support@attriq.io. We will respond to verified requests within 30 days (or 45 days for complex requests, with notice).
7. Data Retention
- Click data: Retained for 12 months, then automatically deleted
- Conversion data: Retained for the duration of your account
- Account data: Retained until you delete your account
- After account deletion: All data is permanently deleted within 30 days
- Backup systems: Residual copies in encrypted backups are purged within 90 days
- Legal holds: Data may be retained longer if required by law or pending legal proceedings
8. Cookies & Tracking Technologies
We use first-party cookies only for authentication session management (Supabase Auth). We do not use third-party cookies, tracking pixels, or advertising cookies.
The tracking snippet uses localStorage (not cookies) to store the click_id for attribution purposes. This data is scoped to the brand's domain and expires after 30 days.
We do not engage in cross-site tracking, behavioral advertising, or fingerprinting of end consumers beyond what is strictly necessary for click attribution.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 13 (or 16 in the EEA). If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.
If you believe a child has provided us with personal data, please contact us at support@attriq.io.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or a prominent notice on our website
- Provide at least 30 days' notice before material changes take effect
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
Questions? Contact us at support@attriq.io. For data protection inquiries, please include "Privacy" in the subject line.