Data Deletion Instructions

Effective Date: April 18, 2026 Last Updated: April 18, 2026

Overview

This page explains how individuals can request deletion of personal data that FireTrack has processed about them in connection with our integration with Meta (Facebook). It also explains FireTrack's role in that processing, because the right place to send a deletion request depends on how your data reached us.

For full context on what FireTrack does and how we handle personal data more broadly, see our Privacy Policy. The terms used here (Customer, End-User, controller, processor) are defined there.

How your data reached FireTrack

FireTrack is a server-side conversion tracking platform. We do not run a website that consumers sign up for. Instead, businesses ("Customers") install our JavaScript tracker (ft.js) on their own websites, or send us events through our API. When you visit a Customer's website, that Customer may capture conversion events (page views, form submissions, phone-number clicks, purchases) and route them through FireTrack to advertising platforms like Meta and Google.

This means that when we process your personal data:

• The Customer (the website operator) is the controller of that data. They decide what is collected, why, and for how long.
• FireTrack is the processor. We process the data only on the Customer's documented instructions, under a Data Processing Addendum.

For most deletion requests, the right place to start is therefore with the Customer whose website you visited — they have the direct relationship with you and can authorise deletion on their account, which we will then carry out.

What personal data we hold

Depending on what the Customer site collected, FireTrack may hold the following about you:

• A visitor identifier (a random UUID stored in a first-party cookie or localStorage entry on the Customer's domain) that ties your activity on that site together over time.
• Hashed identifiers — if you submitted a form on the Customer's site that included your email address or phone number, FireTrack stores those values only as SHA-256 hashes. We never store the raw email or phone number after the initial capture step.
• Event metadata — the URLs you visited on the Customer's site, the type of event recorded (e.g. purchase, form_submit), timestamps, the device user-agent string, and the IP address used at the time of the event.
• Derived attributes — counts of events, "first-seen" and "last-seen" timestamps, conversion attribution edges.

Hashed identifiers are treated as personal data under GDPR Article 4(5) (pseudonymous data). They are forwarded to Meta as part of the Conversions API call so that Meta can match the event to an advertising audience.

How to request deletion

There are two paths, and either is fine.

Path 1 — through the Customer (recommended)

Contact the website where your data was collected. They can:

1. Confirm to FireTrack that you have made a valid request.
2. Trigger deletion of all data tied to your visitor identifier through the FireTrack dashboard.

This is the fastest path because the Customer is best positioned to confirm your identity and locate your records.

Path 2 — directly to FireTrack

If you do not know which website's data you want deleted, or if the Customer is unresponsive, email us directly at:

privacy@firetrack.io

Please include as much of the following as you can — the more context, the faster we can locate your records:

• The URL or domain of the website where you submitted information.
• An approximate date or date range when you visited.
• Any email addresses or phone numbers you submitted on that site (we will SHA-256 hash these on receipt and use the hashes to search; we do not retain the plaintext beyond the search).
• Your FireTrack visitor identifier, if you happen to know it (it is stored in a first-party cookie named _ft_v or similar on the Customer's domain).

You do not need to provide all of these — just what you have.

What happens after we receive your request

1. Acknowledgement: We acknowledge receipt of your request, typically within 3 business days.
2. Identity verification: For requests made directly to FireTrack, we may ask follow-up questions to confirm you are the data subject. For requests routed through a Customer, the Customer is responsible for identity verification.
3. Location and deletion: We locate records associated with your visitor identifier and/or hashed identifiers and delete them from:
   • Our primary application database (Postgres) — immediate.
   • Our event ingestion log (Redpanda) — events older than the 7-day retention window are already gone; any in the active window are tombstoned.
   • Our analytics store (ClickHouse) — events linked to your visitor identifier are removed on the next scheduled purge run. Some non-identifying aggregate counts may persist if they cannot be tied back to you (these are no longer personal data under GDPR Recital 26).
4. Confirmation: We send written confirmation that the deletion has been completed, no later than 30 days after we received the request. If the request is unusually complex we may extend by a further 60 days and will tell you in writing if we need to.

What we cannot delete

Some data is outside FireTrack's reach even after a valid request:

• Data already forwarded to Meta, Google, or other advertising platforms. Once an event is sent through the Meta Conversions API, Meta becomes an independent controller of that event under its own terms. To delete it from Meta, submit a deletion request directly through your Facebook account settings or Meta's privacy center.
• Server access logs kept for security and abuse-prevention purposes. These are retained for up to 90 days and then purged on a rolling basis; they contain IP addresses and request paths but are not linked back to your visitor identifier.
• Backups taken before the deletion request. Backups are encrypted, kept for up to 35 days, and are not restored to live systems except after a disaster recovery event. If a restore happens within that window, we re-apply pending deletion requests after the restore completes.

Specifically for Meta / Facebook deletion requests

If you came to this page from a Facebook prompt — for example, after removing the FireTrack Facebook app from your account — please email privacy@firetrack.io with the subject line "Facebook data deletion request" and include:

• The Facebook user ID or email address associated with your Facebook account.
• The name of the FireTrack Customer (the business or website) whose ads you interacted with, if you remember it.

We will hash any identifiers on receipt, search for matching records linked to events that were sent to Meta via the FireTrack Conversions API integration, and delete those records following the process above.

Contact

You also have the right to lodge a complaint with your local data protection authority. In the EU/UK, you can find your supervisory authority through the European Data Protection Board.