Privacy Policy

Last Modified: October 7, 2025

This Privacy Policy explains how Perm Solutions AB, a company registered in Sweden with registration number [Company Registration Number], with registered office at Högalidsgatan 34D, 11730, Stockholm, Sweden ("TrueROAS", "Company", "we", "us" or "our") collects, uses, discloses, and otherwise processes Personal Data (as defined below) in connection with our attribution tracking platform and services.

This Privacy Policy applies to all TrueROAS-owned domains and services, including but not limited to:

  • www.trueroas.com and all subdomains (including app.trueroas.com)
  • www.trueroas.io and all subdomains (including app.trueroas.io)
  • Any other websites, applications, or services operated by TrueROAS
  • Our attribution tracking scripts and pixels embedded on our customers' websites

Collectively, these are referred to as the "Services". This Privacy Policy does not address our privacy practices relating to job applicants, employees and other personnel.

IMPORTANT NOTICE ABOUT ATTRIBUTION TRACKING

TrueROAS provides advertising attribution and analytics services. When our customers (e-commerce businesses and advertisers) implement our tracking scripts on their websites, we collect data about visitors to those websites for the purpose of measuring advertising performance and attribution.

Customer Implementation Responsibility: Our customers are responsible for implementing appropriate consent mechanisms, privacy notices, and script blocking for users who do not consent to tracking on their websites. If you are a visitor to one of our customers' websites and have questions about how your data is collected or wish to exercise your rights, you should first contact the website owner directly. However, we also provide mechanisms for you to exercise your rights directly with us as described in this policy.

Information We Collect

We collect Personal Data in three ways: (1) directly from individuals when they interact with our Services, (2) automatically through our tracking technology when individuals visit our websites or our customers' websites where our scripts are implemented, and (3) from third-party sources such as advertising platforms and data providers.

What is Personal Data?

"Personal Data" means any information relating to an identified or identifiable natural person under applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and equivalent regulations.

1. Information You Provide to Us Directly

When you register for our Services, create an account, subscribe to our communications, or contact us, you provide us with Personal Data. This may include:

  • Contact Information: Name, email address, phone number, company name, job title, and communication preferences.
  • Account Information: Username, password, billing information, payment details (processed through third-party payment processors), subscription details, and account settings.
  • Business Information: Information about your advertising accounts, connected platforms (e.g., Facebook Ads, Google Ads, Shopify), advertising spend, revenue data, and other business metrics you provide or authorize us to access.
  • Customer Data Integration: When you connect third-party platforms to TrueROAS, you authorize us to access certain data from those platforms, including customer information, order details, and advertising data necessary for attribution analysis. This data is encrypted and tokenized to protect privacy.
  • Communications: Information provided in support requests, inquiries, or other communications with us.

2. Information We Collect Automatically Through Tracking Technology

On TrueROAS Websites (trueroas.com, trueroas.io, and subdomains):

When you visit our websites, we automatically collect certain information about your device and browsing behavior, including:

  • IP address (which may be used to infer general geographic location)
  • Browser type and version
  • Device type, operating system, and screen resolution
  • Referring website/source
  • Pages viewed and time spent on pages
  • Date and time stamps of visits
  • Clickstream data

On Customer Websites (Attribution Tracking):

This is the core function of our Services. When our customers implement our tracking scripts on their websites, we collect the following information about visitors to those websites:

  • Visitor Identifiers: Unique identifiers, hashed email addresses (where provided by the customer), and other pseudonymous identifiers
  • Browsing Data: Pages visited, products viewed, items added to cart, and other on-site behavior
  • Transaction Data: Purchase information, order values, product SKUs, and order IDs (encrypted and tokenized)
  • Ad Interaction Data: Information about which ads were clicked, ad campaign identifiers, and referral sources
  • Technical Data: IP address (hashed), user agent, device type, browser information, and timestamp data
  • Customer Personal Data: When customers make purchases on our clients' websites, we may receive encrypted/tokenized versions of email addresses, phone numbers, and names for the sole purpose of attribution matching. This data is never used in readable form and is immediately encrypted.

IMPORTANT - Consent Responsibility:

Our customers (the website owners) are the data controllers for visitor data collected on their websites. They are legally required to: (1) obtain appropriate consent from visitors before our tracking scripts execute, (2) provide clear privacy notices about our tracking, and (3) implement technical measures to block our scripts for users who do not consent. If you did not consent to tracking but our script still collected your data due to improper implementation by the website owner, you have the right to object and request deletion of your data as described in the "Your Rights" section below.

Tracking Technologies We Use:

  • Cookies: Small data files stored on your device containing a unique identifier. We use both first-party and third-party cookies for attribution tracking. Cookies may be session-based (deleted when you close your browser) or persistent (remain until deleted or expired). For more information about cookies, visit http://www.allaboutcookies.org.
  • Local Storage: Browser-based storage mechanisms that allow us to store data locally on your device for attribution purposes.
  • Tracking Pixels: Small invisible images embedded on websites that allow us to track page views and conversions.
  • JavaScript Tracking Scripts: Code embedded on customer websites that collects behavioral and conversion data for attribution analysis.
  • Server-Side Tracking: Data sent directly from customer servers to TrueROAS servers for enhanced attribution accuracy.
  • API Integrations: Direct connections with advertising platforms and e-commerce systems to retrieve attribution-related data.

Analytics Services:

We use Google Analytics on our own websites (trueroas.com and trueroas.io) to understand website usage. You can learn more about Google Analytics' privacy practices at https://policies.google.com/privacy and opt out at https://tools.google.com/dlpage/gaoptout.

Managing Cookies and Tracking:

You can control cookies through your browser settings. However, note that:

  • Blocking cookies may affect the functionality of our Services
  • You must configure each browser on each device separately
  • Deleting cookies may remove your opt-out preferences
  • To opt out of tracking on customer websites, use the opt-out mechanism provided by the website owner or contact us directly

3. Information We Obtain From Third Parties

We receive Personal Data from third-party sources, which we combine with other information we collect to provide accurate attribution analysis:

  • Advertising Platforms: We receive data from advertising platforms such as Facebook Ads, Google Ads, TikTok Ads, and other platforms that our customers authorize us to access. This includes ad spend data, campaign performance metrics, click data, and advertising identifiers.
  • E-commerce Platforms: When customers connect their e-commerce platforms (e.g., Shopify, WooCommerce) to TrueROAS, we receive order data, customer information (encrypted/tokenized), product data, and transaction details necessary for attribution matching.
  • Analytics and Marketing Tools: We may receive data from other analytics and marketing tools that our customers use, including Google Analytics, marketing automation platforms, and CRM systems.
  • Third-Party Data Enrichment Services: We may use third-party services to enhance and validate data, such as verifying email addresses or enriching business contact information for our direct customers (not end-user data).
  • Payment Processors: We receive payment confirmation and subscription information from payment processors (e.g., Stripe) to manage customer accounts and billing.
  • Social Media Platforms: If you choose to connect your social media accounts to TrueROAS or interact with us on social media, we may receive information from those platforms in accordance with your privacy settings on those platforms.

How We Use Your Personal Data

We process Personal Data for the following purposes, with corresponding legal bases under GDPR and other applicable data protection laws:

1. To Provide Attribution and Analytics Services
Legal Basis: Contractual necessity (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)

  • Tracking and attributing conversions to advertising sources
  • Analyzing advertising campaign performance and ROAS (Return on Ad Spend)
  • Matching customer purchase data with advertising interactions
  • Generating attribution reports and dashboards for our customers
  • Calculating accurate metrics for advertising effectiveness
  • Providing insights and recommendations to improve advertising performance

2. To Operate and Improve Our Platform
Legal Basis: Contractual necessity (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)

  • Creating and managing customer accounts
  • Processing payments and managing subscriptions
  • Providing customer support and responding to inquiries
  • Integrating with third-party platforms (advertising, e-commerce, analytics)
  • Improving the functionality, accuracy, and performance of our Services
  • Testing, debugging, and fixing technical issues
  • Developing new features and services

3. For Security and Fraud Prevention
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR), Legal obligations (Art. 6(1)(c) GDPR)

  • Detecting and preventing fraud, abuse, and security incidents
  • Protecting the security and integrity of our Services
  • Verifying user identity and account ownership
  • Enforcing our Terms of Service and other policies

4. For Communications and Marketing
Legal Basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)

  • Sending transactional emails (account notifications, service updates, billing)
  • Sending marketing communications about our Services (where you have consented or we have a legitimate interest)
  • Responding to your inquiries and requests
  • Conducting customer surveys and collecting feedback

5. For Legal and Business Purposes
Legal Basis: Legal obligations (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)

  • Complying with legal obligations and responding to legal requests
  • Establishing, exercising, or defending legal claims
  • Business transactions such as mergers, acquisitions, or asset sales
  • Maintaining business records and analytics

Data Controller vs Data Processor Relationship:

For Our Direct Customers: We act as a data controller when processing data about our business customers (account information, billing data, etc.).

For End-User Attribution Data: We act as a data processor on behalf of our customers (the website owners) when processing visitor data collected through our tracking scripts on customer websites. Our customers are the data controllers and are responsible for obtaining appropriate consent and providing privacy notices to their website visitors. We process this data solely according to our customers' instructions and for the purpose of providing attribution services.

How We Share or Otherwise Disclose Your Personal Data

We Do Not Sell Personal Data

We do not sell, rent, or lease Personal Data to third parties and have not done so in the past 12 months. We do not share Personal Data for cross-context behavioral advertising purposes.

We may share Personal Data with third parties in the following circumstances:

  • Service Providers and Subprocessors: We engage trusted third-party service providers to perform functions on our behalf, including:
    • Cloud hosting and infrastructure providers (e.g., AWS, Google Cloud)
    • Data storage and database providers
    • Payment processors (e.g., Stripe)
    • Customer support and communication tools
    • Security and fraud detection services
    • Analytics and monitoring services
    These service providers have access only to the Personal Data necessary to perform their functions and are contractually obligated to maintain the confidentiality and security of Personal Data and to process it only as instructed by us.
  • Advertising and E-commerce Platforms: We share data with advertising platforms (Facebook, Google, TikTok, etc.) and e-commerce platforms (Shopify, WooCommerce, etc.) as necessary to provide our attribution services. This sharing is done pursuant to our customers' instructions and authorized integrations.
  • Our Business Customers: When we act as a data processor collecting attribution data on our customers' websites, we share attribution insights, reports, and analytics with those customers. These customers are the data controllers for end-user data collected on their websites.
  • Business Transfers: If TrueROAS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Services before your Personal Data is transferred and becomes subject to a different privacy policy.
  • Legal Requirements and Protection: We may disclose Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, or government agencies). We may also disclose Personal Data to:
    • Comply with legal obligations
    • Protect and defend our rights, property, or safety and that of our users
    • Detect, prevent, or investigate fraud, security breaches, or illegal activities
    • Establish, exercise, or defend legal claims
  • With Your Consent: We may share Personal Data with third parties when you have explicitly consented to such sharing, such as when you authorize us to connect with specific third-party platforms or when you direct us to share your testimonial or feedback publicly.
  • Aggregated or Anonymized Data: We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you for research, marketing, analytics, or other business purposes. This data is not considered Personal Data.

International Data Transfers

Some of our service providers and partners are located outside the European Economic Area (EEA). When we transfer Personal Data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or we verify that the recipient is in a jurisdiction with an adequacy decision. You have the right to request information about the safeguards we use for international transfers.

Your Data Protection Rights (GDPR, UK GDPR, and Other Applicable Laws)

If you are located in the European Economic Area (EEA), UK, Switzerland, or other jurisdictions with comprehensive data protection laws, you have specific rights regarding your Personal Data. We are committed to facilitating the exercise of these rights.

If You Were Tracked on a Customer Website Without Proper Consent:

If our tracking script collected data about you on a customer's website and you did not provide consent (or the website owner did not properly block our script for non-consenting users), you have the right to object to this processing and request deletion of your data. Please contact us using the information below, and we will promptly investigate and delete your data if it was collected without a proper legal basis.

Your Rights Include:

  • Right of Access (Art. 15 GDPR): You have the right to request confirmation of whether we process your Personal Data and, if so, to receive a copy of that data along with information about how we process it. This is commonly known as a "data subject access request" (DSAR).
  • Right to Rectification (Art. 16 GDPR): You have the right to request that we correct inaccurate Personal Data and complete incomplete Personal Data. We may need to verify the accuracy of new information you provide.
  • Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR): You have the right to request deletion of your Personal Data when:
    • The data is no longer necessary for the purposes for which it was collected
    • You withdraw consent and there is no other legal basis for processing
    • You object to processing and there are no overriding legitimate grounds
    • The data was unlawfully processed (e.g., collected without proper consent)
    • Deletion is required to comply with legal obligations
    Note: We may be unable to delete certain data if we have a legal obligation to retain it or if it is necessary to establish, exercise, or defend legal claims.
  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to request that we limit processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data or object to processing while we verify our legitimate grounds.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive Personal Data you provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller. This right applies when processing is based on consent or contract and is carried out by automated means.
  • Right to Object (Art. 21 GDPR): You have the right to object to processing of your Personal Data when:
    • Processing is based on legitimate interests (Art. 6(1)(f))
    • Processing is for direct marketing purposes
    • Processing is for scientific, historical research, or statistical purposes
    If you object to marketing, we will stop processing for that purpose immediately. For other objections, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You can withdraw consent by contacting us or using opt-out mechanisms we provide.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your country of residence, place of work, or place of alleged infringement. For Sweden (where TrueROAS is based), the supervisory authority is the Swedish Authority for Privacy Protection (IMY) at www.imy.se. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects. We do not make automated decisions that significantly affect individuals without human involvement.

How to Exercise Your Rights:

To exercise any of these rights, please contact us using the contact information provided at the end of this Privacy Policy. To help us process your request efficiently, please:

  • Specify which right(s) you wish to exercise
  • Provide sufficient information to identify you (we may request additional information to verify your identity)
  • If applicable, specify the website where you believe our script collected your data

Response Time: We will respond to your request without undue delay and within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by two additional months, and we will inform you of any such extension.

Fees: Exercising your rights is generally free of charge. However, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded, excessive, or repetitive.

Identity Verification: To protect your privacy and security, we may request specific information from you to verify your identity before processing your request. This is a security measure to ensure Personal Data is only disclosed to authorized individuals.

U.S. State Privacy Rights (California, Nevada, Utah, Colorado, Virginia, Connecticut, and Others)

If you are a resident of certain U.S. states, you may have additional privacy rights under state laws including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and similar laws in other states.

Right to Know: You have the right to request information about the categories and specific pieces of Personal Data we have collected about you, the categories of sources from which we collected it, our business purposes for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of Personal Data we have collected from you, subject to certain exceptions.

Right to Opt-Out of Sale/Sharing: We do not sell Personal Data as defined by applicable state laws, and we have not sold Personal Data in the past 12 months. We do not share Personal Data for cross-context behavioral advertising purposes.

Right to Correct: You have the right to request correction of inaccurate Personal Data.

Right to Limit Use of Sensitive Personal Information: If we use or disclose sensitive Personal Information for purposes beyond those specified in applicable law, you have the right to limit such use or disclosure.

Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To exercise these rights, please contact us at privacy@trueroas.io or using the contact information provided at the end of this Privacy Policy. We will verify your identity before processing your request.

California "Shine the Light" Law: California residents may request certain information about our disclosure of Personal Information to third parties for their direct marketing purposes. We do not disclose Personal Information to third parties for their direct marketing purposes.

Do Not Track and Global Privacy Control

Some browsers and devices offer "Do Not Track" (DNT) signals or Global Privacy Control (GPC) mechanisms that communicate a user's preference not to be tracked.

Currently, we do not respond to DNT signals. However, we respect GPC signals for users in jurisdictions where we are legally required to do so. If you enable GPC, we will treat it as a request to opt out of tracking on customer websites where our scripts are implemented, to the extent technically feasible. Please note that DNT and GPC mechanisms may not function properly if you are not logged in or if cookies are disabled.

Children's Privacy

Our Services are not directed to children and we do not knowingly collect Personal Data from children under the age of 16 (or 13 in jurisdictions where the age of digital consent is 13). If you are under 16 (or 13, as applicable), do not use our Services or provide any Personal Data to us. If we learn that we have collected Personal Data from a child under the applicable age without verifiable parental consent, we will delete that information as quickly as possible. If you believe we have collected information from a child, please contact us immediately at privacy@trueroas.io.

Third-Party Links and Integrations

Our Services may contain links to third-party websites, integrations with third-party platforms (such as advertising and e-commerce platforms), and other third-party services. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services before providing them with Personal Data. Our integrations with advertising platforms (Facebook, Google, TikTok, etc.) and e-commerce platforms (Shopify, WooCommerce, etc.) are governed by those platforms' respective privacy policies and terms of service.

Data Retention

We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations. Specific retention periods vary depending on the type of data and the purpose for which it is processed:

  • Account Data: Retained for the duration of your account plus up to 7 years for legal and accounting purposes
  • Attribution Data: Retained for up to 2 years from collection or as long as our customer maintains an active account, whichever is longer
  • Marketing Communications Data: Retained until you unsubscribe or withdraw consent
  • Security and Fraud Prevention Data: Retained for up to 3 years or as required by law

When we no longer have a legitimate business or legal need to process your Personal Data, we will either delete it or anonymize it. If deletion is not possible (for example, because data is stored in backup archives), we will securely isolate your Personal Data from further processing until deletion is possible. You may request deletion of your data at any time by exercising your rights as described in this Privacy Policy, subject to legal retention requirements.

International Data Transfers

TrueROAS is based in Sweden (European Economic Area). However, our Services involve processing data that may be transferred to and stored in various locations worldwide, including countries outside the EEA, such as the United States, where some of our service providers (e.g., cloud infrastructure providers) are located.

When we transfer Personal Data from the EEA to countries outside the EEA that do not have an adequacy decision from the European Commission, we implement appropriate safeguards to protect your Personal Data, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable
  • Other approved transfer mechanisms under applicable data protection laws

You have the right to request information about the safeguards we have in place for international transfers of your Personal Data and to obtain a copy of such safeguards by contacting us at privacy@trueroas.io.

Data Security

We implement appropriate technical and organizational security measures to protect Personal Data against unauthorized access, loss, destruction, alteration, or disclosure. Our security measures include:

  • Encryption: All Personal Data is encrypted both in transit (using TLS/SSL) and at rest (using industry-standard encryption algorithms)
  • Tokenization: Customer personal data (email addresses, phone numbers, names) collected through our attribution tracking is immediately tokenized and hashed, making it unreadable. We never store or use this data in plaintext form.
  • Access Controls: Strict access controls limit who can access Personal Data to authorized personnel only on a need-to-know basis
  • Authentication: Multi-factor authentication for access to systems containing Personal Data
  • Monitoring: Continuous security monitoring and logging of access to Personal Data
  • Regular Security Assessments: Regular security audits and vulnerability assessments
  • Employee Training: Regular privacy and security training for employees who handle Personal Data
  • Secure Development: Security-by-design principles in our software development practices

Important Security Notice: While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of Personal Data. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that your account has been compromised), please contact us immediately at security@trueroas.io.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law, typically within 72 hours of becoming aware of the breach.

Marketing Communications and Opt-Out

You may opt out of receiving marketing communications from us at any time by:

  • Clicking the "unsubscribe" link in any marketing email we send you
  • Adjusting your communication preferences in your account settings
  • Contacting us at privacy@trueroas.io with "Opt-Out" in the subject line

Please note that even if you opt out of marketing communications, we will still send you transactional and service-related messages, such as account notifications, billing statements, security alerts, and other essential communications related to your use of our Services.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational reasons. When we make changes, we will:

  • Update the "Last Modified" date at the top of this Privacy Policy
  • Notify you of material changes via email (if you have an account with us) or through a prominent notice on our Services
  • For users in the EEA/UK/Switzerland, obtain your consent where required by law before the changes take effect

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after changes become effective constitutes your acceptance of the revised Privacy Policy, except where additional consent is required by law.

Data Protection Officer and Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, or if you wish to exercise any of your data protection rights, please contact us:

Email:

General Privacy Inquiries: privacy@trueroas.io
Data Subject Rights Requests: privacy@trueroas.io
Security Concerns: security@trueroas.io
General Contact: rasmus@trueroas.io

Mailing Address:

Perm Solutions AB
Attention: Privacy Officer
Högalidsgatan 34D
117 30 Stockholm
Sweden

Swedish Company Registration Number:

[Company Registration Number]

For EEA/UK/Switzerland Residents - Supervisory Authority:

If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For Sweden, this is:

Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY)
Website: www.imy.se
Email: imy@imy.se
Phone: +46 8 657 61 00
Address: Box 8114, 104 20 Stockholm, Sweden

A list of data protection authorities in the EU/EEA is available at:
https://edpb.europa.eu/about-edpb/board/members_en