FireTrack Privacy Policy

Effective Date: April 18, 2026 Last Updated: April 18, 2026

1. Who We Are

FireTrack is a service operated by Shadyne LLC, a Utah limited liability company doing business as FireTrack ("FireTrack," "we," "us," or "our").

Registered address: 7533 S Center View Ct #5946, West Jordan, UT 84084, United States

Contact:

Privacy inquiries and data subject requests: privacy@firetrack.io
Security reports: security@firetrack.io

EU / UK Article 27 Representative: Not appointed at this time. We will designate a representative if and when required by the volume or nature of our processing of EU or UK personal data.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal information. It applies to (a) visitors to our website at firetrack.io, (b) individuals who create FireTrack accounts (our "Customers"), and (c) individuals whose personal data we process on behalf of our Customers ("End-Users").

2. Our Role: Controller and Processor

Your rights and our obligations depend on which role we play for a given piece of personal data:

When you sign up for a FireTrack account, we act as a controller of your Customer account data (name, email, billing details, etc.). This Privacy Policy governs that processing.
When a Customer sends their visitors' data through FireTrack, the Customer is the controller and FireTrack is a processor acting on the Customer's documented instructions under GDPR Article 28 and analogous US laws. We process End-User data only to provide the Service to our Customer, and End-Users exercising data rights should generally direct those requests to the Customer first. Details of that processing are governed by our Data Processing Addendum (DPA), which Customers may execute with us.

This policy describes both relationships so that End-Users can understand what happens to their data, even though their direct contractual relationship is with the Customer whose website they visited.

3. The Service at a Glance

FireTrack is a server-side conversion tracking and attribution platform. Customers install a lightweight JavaScript tracker (ft.js) on their websites, or send events to us through our API or inbound webhooks. We capture conversion events (such as page views, form submissions, phone-number clicks, and purchases), stitch a visitor's activity together using first-party cookies and identifiers, and forward conversion events to advertising platforms (such as Meta and Google) to help our Customers measure and optimize their marketing.

Before any personal data that could directly identify an individual (such as email address or phone number) leaves FireTrack servers for an advertising platform, it is hashed using the SHA-256 algorithm. Hashing is a form of pseudonymization under GDPR Article 4(5); it is not anonymization, and we treat hashed identifiers as personal data.

4. Information We Collect About Customer Account Holders

When you create or use a FireTrack account, we collect and store (in PostgreSQL hosted with DigitalOcean Managed Databases in New York):

Identity and contact: name, email address, email verification status, optional profile photo URL.
Authentication: password hash, two-factor enrollment, active session tokens, the IP address and user agent associated with each session.
Account and role: which business account(s) you belong to, your role (Owner, Admin, Viewer), and membership history.
Billing: Stripe customer ID, subscription ID, plan identifier, subscription status, invoicing history, metered usage counts. We do not store payment card numbers — Stripe handles that directly.
API keys and invites: SHA-256 hashes of API keys you create, domains you allow them to be used on, and tokens sent in email invitations to co-workers.
Connector OAuth tokens: OAuth access and refresh tokens for advertising platforms you connect (Meta, Google, and any future platforms). These are stored encrypted at the application layer with AES-256-GCM and are used only to send conversions and read configuration on your behalf. When you disconnect a connector, FireTrack marks it inactive and stops using its tokens; the encrypted material is retained until the project or account to which it belongs is deleted, or sooner on written request — see §8.3 and §10.
Audit: an administrative log of actions you take in the dashboard (role changes, connector changes, deletions, etc.).
Support correspondence: the content of emails and messages you send us.

Our legal bases for processing Customer account data (under GDPR and equivalent US laws) are performance of a contract (providing the Service you signed up for), legal obligation (tax, accounting, and compliance recordkeeping), and legitimate interests (securing the Service, preventing abuse, improving the product).

5. Information We Process on Behalf of Our Customers

When a Customer embeds FireTrack on their website or sends us data through our API or webhooks, we process data about the Customer's End-Users on the Customer's instructions. Categories include:

5.1 Stored in our event warehouse (ClickHouse Cloud, AWS us-east-1)

Pseudonymized personal identifiers: SHA-256 hashes of email address, phone number (normalized to E.164 before hashing), and name (lowercased, non-alphabetic characters removed, before hashing). We do not store these fields in plain text in the event warehouse.
Event data: event type (for example, "form_submit," "page_view," "purchase"), monetary value and currency, page URL, referrer URL, event timestamp, a visitor identifier (UUID), and arbitrary event metadata the Customer chooses to send.
Click identifiers: Meta (fbclid), Google (gclid), TikTok (ttclid), and Microsoft (msclkid) click IDs as received. These are advertising identifiers, not hashed.
Technical data: user agent string (truncated to 500 characters) and a truncated IP address prefix. IP addresses are truncated at ingestion to the /24 prefix (IPv4) or /48 prefix (IPv6) so that the full address is never stored. The truncated prefix is then nulled entirely after 120 days.

5.2 Stored in our identity-resolution database (PostgreSQL)

To provide the Service, we must match subsequent events from the same End-User to a single visitor profile. For that purpose, and for that purpose only, we store in PostgreSQL:

End-User identifiers in plaintext: email address, phone number, name, and click IDs as received, alongside the internal visitor ID they correspond to. This is necessary for server-side identity stitching across sessions and devices. These records are retained for 12 months from the last activity for that End-User; once 12 months have elapsed without a new event, the identity-resolution row is automatically deleted. They are also deleted sooner when the Customer deletes the project or the End-User exercises a deletion right.

We understand that plaintext storage of email and phone creates meaningful privacy responsibilities. These records are stored with infrastructure-layer disk encryption; access is limited to authorized Customer account members and a small set of service accounts; every operator query that reads identity-resolution data is written to an access audit log (see §12 Security). We apply strict deletion SLAs and the automatic 12-month retention above.

5.3 Operational and diagnostic data

Delivery logs: records of each attempt to forward events to an advertising platform (status, HTTP response, error message). Retained 90 days.
Script error reports: uncaught JavaScript errors from our tracker (message, filename, line and column number, truncated user agent, IP prefix). Retained 90 days.
Dedup cache: event IDs in Redis (DigitalOcean Managed) with a 24-hour expiry.
Webhook capture cache: for Customers using our "listen mode" webhook setup UI, recent inbound webhook bodies are cached for 5 minutes.

Our legal basis, as a processor, is the Customer's instruction. Customers are responsible for identifying the appropriate lawful basis (typically consent under ePrivacy and GDPR Article 6(1)(a)) and for obtaining that consent from their End-Users before sending data to us.

6. Cookies and Similar Technologies

6.1 Cookies set by the FireTrack tracker (`ft.js`)

All cookies set by the FireTrack tracker are first-party cookies, set on the domain of the website the End-User is visiting. When a Customer uses a custom subdomain (for example, track.customer.com), the cookies are scoped to the Customer's apex domain. None are classified as strictly necessary; they support analytics and advertising measurement.

Cookie	Purpose	Duration
`_ft_uid`	A randomly generated visitor identifier (UUID) used to group page views and events into a single visitor profile.	90 days
`_ft_fbclid`	Stores the Meta click identifier from the URL (`fbclid`) so conversions that happen later in a session can be attributed to the originating ad click.	90 days
`_ft_gclid`	Stores the Google click identifier (`gclid`) for the same purpose.	90 days
`_ft_ttclid`	Stores the TikTok click identifier (`ttclid`) for the same purpose.	90 days
`_ft_msclkid`	Stores the Microsoft click identifier (`msclkid`) for the same purpose.	90 days
`_fbc`	Meta-format click cookie (`fb.1.<timestamp>.<fbclid>`) used by Meta's Conversions API to match server-side conversions to the browser click.	90 days
`_fbp`	Meta-format first-party browser identifier used for probabilistic matching across a session.	90 days

6.2 Global Privacy Control

When an End-User's browser sends the Global Privacy Control (GPC) signal, our tracker does not set the click-identifier cookies (_ft_fbclid, _ft_gclid, _ft_ttclid, _ft_msclkid) and does not construct the Meta _fbc cookie. We treat GPC as a valid opt-out of sale or sharing under California and other US state privacy laws. The visitor identifier (_ft_uid) and Meta's _fbp cookie are still set because they do not carry click-based advertising identifiers.

6.3 Local storage and session storage

Our tracker also uses the browser's local storage and session storage to cache non-personal configuration and short-lived diagnostic data. These keys do not contain End-User personal data.

6.4 Cookies on `firetrack.io` (our marketing and dashboard site)

Our own website uses a small number of cookies to keep you signed in, remember session preferences, and secure authentication. We do not use third-party advertising cookies on firetrack.io itself.

7. How We Use Personal Data

We use personal data only for the purposes listed below and only as long as necessary for those purposes:

To provide the Service — capturing events, stitching visitor identities, delivering conversions to advertising platforms our Customer has connected.
To operate and secure our infrastructure — rate limiting, abuse detection, fraud prevention, debugging, and incident response.
To communicate with Customers — transactional emails (authentication, billing, service notices), support responses, and (where permitted) product updates.
To bill for the Service — via Stripe.
To comply with legal obligations — tax, accounting, and responding to lawful government requests.

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. We do not use Customer or End-User data to train machine learning models.

8. How We Share Personal Data

We share personal data with two types of third parties — service providers (who process data on our instructions as our processors) and independent controllers (advertising platforms that receive conversion data on a Customer's behalf but use it under their own terms).

8.1 Service providers (our processors)

We rely on a small set of service providers to operate the Service. Each is bound by a written contract, processes personal data only on our documented instructions, and is subject to confidentiality and security obligations consistent with this Privacy Policy. They fall into the following categories:

Infrastructure hosting — cloud compute, managed databases, and caching infrastructure that store Account and End-User data.
Event warehousing — a managed analytics database that stores hashed identifiers, click IDs, and event metadata.
Edge network, CDN, and DNS — the globally distributed network that delivers our ft.js tracker, proxies custom-domain traffic, and issues TLS certificates for customer domains.
Payment processing — a PCI-compliant payment processor that handles subscription billing, invoicing, and metered usage reporting.
Transactional email — a provider that delivers authentication, billing, and account notification emails.

This list is representative as of the Effective Date and is not an exhaustive enumeration of every vendor we use. We commit to giving Customers at least 30 days' advance notice by email before engaging a new service provider that processes Personal Data on our behalf, so that Customers may reasonably object.

Customers who require the specific identities of our current service providers — typically in connection with a Data Processing Addendum or enterprise security review — may request the list by emailing privacy@firetrack.io.

8.2 Independent controllers (advertising platforms)

When a Customer connects an advertising platform to the Service, we forward conversion events — including SHA-256-hashed email, phone, and name identifiers and any click identifiers captured from the URL — to that platform on the Customer's behalf. The advertising platforms we integrate with today include Meta Platforms, Inc. and Google LLC.

The advertising platforms are not our processors. They are independent controllers (or, for certain activities, joint controllers with the Customer) and process the data they receive for their own purposes under their own terms, including to measure ad performance, attribute conversions to ad clicks, and optimize ad delivery. Their handling of the data is governed by their own agreements and privacy policies, including:

Meta Business Tools Terms and the Meta Privacy Policy;
Google Ads Data Processing Terms and the Google Privacy Policy.

The Customer is responsible, as controller, for ensuring that any consents required to transfer End-User data to these advertising platforms have been obtained, and for responding to End-User rights requests that concern the data those platforms hold.

8.3 Our access to Meta and Google platform data (Customer-authorized)

In addition to forwarding conversion data to Meta and Google as described in §8.2, FireTrack accesses certain advertising-platform data from Meta and Google on a Customer's behalf through those platforms' APIs. Access is authorized by the Customer via OAuth when the Customer connects an advertising account in the dashboard.

Google APIs. When a Customer connects a Google Ads account, FireTrack requests the following Google API scope:

https://www.googleapis.com/auth/adwords — to read the Customer's Google Ads accounts and conversion-action configuration, and to upload offline conversion data on the Customer's behalf via the Google Ads API.

FireTrack uses this access solely to (a) list the Customer's Google Ads accounts and conversion actions in the dashboard during setup, (b) upload conversion data the Customer has configured FireTrack to forward, and (c) read basic account metadata needed to present that configuration. FireTrack does not use Google user data to train machine-learning or generative-AI models, does not transfer Google user data to third parties other than back to Google on the Customer's behalf, and does not combine Google user data with data obtained from other sources.

FireTrack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Meta APIs. When a Customer connects a Meta advertising account, FireTrack requests the following Meta permissions:

ads_read — to list the Customer's Meta ad accounts and read pixel / dataset configuration during setup.
ads_management — to send server-side conversion events to the Customer's Meta Conversions API endpoint and to read match-quality metrics.

FireTrack uses this access solely to (a) enumerate the Customer's ad accounts and pixels in the dashboard during setup and (b) send conversion events the Customer has configured FireTrack to forward via the Meta Conversions API. FireTrack does not use Meta data for any purpose other than providing the Service and complies with the Meta Platform Terms, the Meta Business Tools Terms, and (where applicable) Meta's Data Processing Terms and European Regulatory Data Addendum.

Retention and deletion of connector tokens. OAuth access tokens and refresh tokens obtained from Meta and Google are encrypted at rest with AES-256-GCM (see §12). When a Customer disconnects a connector through the dashboard, FireTrack marks the connector inactive and stops using its tokens to send conversions or read configuration. The encrypted token material is retained in that inactive state until the project or account to which the connector belongs is deleted — at which point it is removed along with the rest of the project data. A Customer who requires earlier deletion of a specific connector's token material may request it by email to privacy@firetrack.io; we will execute such requests within the timelines required by Applicable Data Protection Law (typically 30 days).

Disconnecting in FireTrack does not automatically revoke the authorization on the platform side. Customers wishing to ensure Meta or Google also invalidates the grant should additionally revoke access at:

Google: myaccount.google.com/permissions;
Meta: facebook.com/settings?tab=business_tools.

8.4 Other disclosures

We may also disclose personal data:

to our professional advisors (auditors, attorneys, accountants) bound by confidentiality;
in connection with a merger, acquisition, financing, or sale of all or part of our business, with notice to affected Customers;
where legally required (subpoena, court order, valid government request), giving notice to the affected Customer unless legally prohibited;
to protect the rights, property, or safety of FireTrack, our Customers, or others.

9. International Data Transfers

FireTrack is based in the United States and all of our service providers store data in the United States or on globally distributed edge networks. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to the United States.

We rely on the following transfer mechanisms:

the EU-US Data Privacy Framework (and the UK Extension and Swiss-US Data Privacy Framework, where certified) for sub-processors that are Framework-certified;
the European Commission's 2021 Standard Contractual Clauses, Module Two (plus the UK International Data Transfer Addendum) for all processor-to-sub-processor transfers as a baseline, regardless of Framework status.

Customers may request a copy of our SCCs by emailing privacy@firetrack.io.

10. Data Retention

We retain personal data only as long as needed for the purpose it was collected or as required by law. The default retention schedule is:

Category	Default retention	Customer-configurable?
Events (ClickHouse)	13 months	Yes — per-project choice of 3, 6, 13, or 24 months
IP address prefix (ClickHouse)	120 days, then nulled	No (maximum)
Visitor identity graph (PostgreSQL)	12 months from last activity (or until project is deleted)	Follows project retention
Delivery logs (PostgreSQL)	90 days	No
Script error reports (PostgreSQL)	90 days	No
Audit logs (PostgreSQL)	12 months	No
Session tokens (PostgreSQL)	7 days, with 1-day refresh window	No
Connector OAuth tokens (PostgreSQL)	Retained encrypted until the connector's project or account is deleted (or sooner on written Customer request)	Yes — via project/account deletion or written request
Stripe webhook events (PostgreSQL)	90 days	No
Customer account data	Life of the account plus the shorter of (a) 12 months after closure for audit purposes or (b) longer periods required by law	No

When a Customer deletes a project, we delete the project's records from PostgreSQL immediately and purge the project's events from ClickHouse on a best-effort basis within hours. When a Customer deletes their account, we cancel the Stripe subscription immediately, cascade-delete all Customer and End-User records from PostgreSQL, and purge all of the Customer's events from ClickHouse. We retain a minimal audit record (account ID, deletion timestamp, actor) for 12 months in accordance with our records policy.

11. Your Rights

11.1 Rights under the GDPR and UK GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate personal data.
Erase your personal data ("right to be forgotten").
Restrict or object to certain processing.
Data portability — receive your personal data in a structured, machine-readable format.
Withdraw consent, where processing is based on consent, at any time.
Lodge a complaint with your supervisory authority.

When FireTrack acts as a processor on behalf of a Customer, End-User requests should be directed first to the Customer that operates the website where data was collected. If you don't know who to contact, email us at privacy@firetrack.io and we will route your request to the correct Customer.

When FireTrack acts as a controller (for Customer account data), you can exercise these rights directly by emailing privacy@firetrack.io.

11.2 Rights under California law (CCPA/CPRA)

If you are a California resident, you have the right to:

Know the categories and specific pieces of personal information we have collected about you.
Delete personal information we have collected.
Correct inaccurate personal information.
Opt out of sale or sharing. We do not sell personal information as defined by California law and do not share it for cross-context behavioral advertising on our own account. We honor Global Privacy Control signals received from your browser as a valid opt-out of any sharing.
Limit use of sensitive personal information. We do not use sensitive personal information for inferring characteristics about you.
Non-discrimination for exercising any of these rights.

You can exercise these rights by emailing privacy@firetrack.io. We may ask you to verify your identity before responding.

11.3 Other US state laws

If you are a resident of any US state with a comprehensive privacy law, you have substantially similar rights. We honor those rights on the same terms as described above and honor Global Privacy Control as a universal opt-out mechanism.

11.4 How we respond

We respond to verified rights requests within the timelines required by applicable law (typically 30 days under GDPR and similar US state laws). Where FireTrack acts as a processor, the timelines for executing Customer-forwarded deletion requests are set out in our Data Processing Addendum.

12. Security

We take security seriously and maintain administrative, technical, and physical controls designed to protect personal data, including:

Encryption at rest. Our managed databases and event warehouse apply AES-256 disk-level encryption by default. In addition, the following categories are encrypted at the application layer with AES-256-GCM before storage: session tokens; two-factor authentication secrets and backup codes; and advertising-platform OAuth tokens (Meta Conversions API, Google Ads API) used for conversion delivery on the Customer's behalf. Encryption keys and a separate HMAC pepper (used for audit-log query hashing) are stored in independent credential stores and backed up separately from production infrastructure. Rotation procedures are documented in an operator runbook.
Access audit for sensitive PII searches. Every operator-initiated search of End-User identity data in the identity-resolution database is recorded to an access audit log with the operator identity, timestamp, result count, and a keyed-HMAC fingerprint of the search term (plus the first three characters in plaintext for forensic correlation). The audit log itself does not store the full search term and is not a substitute PII store.
Automated retention. Identity-resolution records are deleted automatically after 12 months of inactivity; truncated IP-address prefixes are nulled after 120 days; event-warehouse data honors per-project retention.
Log sanitization. Free-text operational logs (delivery error messages, client-side script error reports, administrative audit metadata) are sanitized at write time to strip email addresses, advertising-platform OAuth tokens, and IPv4 addresses. The same detection patterns are shared with our error-monitoring scrubber to prevent drift.
TLS 1.2 or higher for all external traffic.
Two-factor authentication on all administrative interfaces.
Role-based access control with a principle of least privilege.
Key-only SSH to production servers; password authentication disabled.
Logging of administrative actions to a tamper-evident audit log; impersonation sessions banner-flagged and blocked from destructive operations.
Written internal policies covering information security, access control, data retention, incident response, vendor management, and acceptable use.
An incident-response process that provides for Customer notification without undue delay after confirmation of a breach, consistent with applicable law.

We are not SOC 2, ISO 27001, or PCI-DSS certified. We operate to SOC 2-aligned controls and will share our policy pack under NDA on request.

No system is perfectly secure. If you believe your FireTrack account has been compromised or you have discovered a security vulnerability, please email security@firetrack.io immediately.

13. Children

FireTrack is not directed to children. We do not knowingly collect personal data from individuals under 16 (or under 13 in the United States). Customers must not use FireTrack to knowingly track children. If you believe a child's personal data has been sent to us, email privacy@firetrack.io and we will delete it.

14. Automated Decision-Making

We do not use personal data to make decisions that produce legal or similarly significant effects on individuals through solely automated means.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice to Customers by email at least 30 days before the changes take effect and update the "Last Updated" date above. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact Us

Questions, concerns, or data-rights requests:

Shadyne LLC (d/b/a FireTrack) 7533 S Center View Ct #5946 West Jordan, UT 84084, United States

Privacy: privacy@firetrack.io
Security: security@firetrack.io