Tagger.click treats privacy as an engineering requirement, not a formality. IPs and User-Agents are never stored in plaintext — they are processed exclusively as an irreversible SHA-256 hash with a per-account salt. This policy is designed to comply with the GDPR (EU) as its primary framework, and is also aligned with LGPD (Brazil) and PDPA (Thailand).
1. Who We Are
Tagger.click is a first-party attribution platform for paid traffic, operated from Tallinn, Estonia. Data controller and responsible person: [email protected].
2. Data We Collect
2.1 Account Data
When you create an account, we collect: name, email address, password (stored as a bcrypt hash — never in plaintext), and account configuration preferences. If you use Google Sign-In, we receive your name and email from Google, as authorized by you at login.
2.2 Visitor Tracking Data (as a Data Processor)
Tagger acts as a data processor with respect to visitors on our customers' (tenants') websites. We collect on behalf of the tenant:
- URL parameters: gclid, fbclid, UTMs, and other ad network click IDs
- Device signals: User-Agent, screen resolution, browser language
- Visitor IP address
- Click timestamp
PII Protection: IP addresses and User-Agent strings are immediately processed as SHA-256 hashes with a per-tenant salt. Original values are never stored. The hashes are irreversible and used solely to correlate clicks with conversions.
2.3 Payment Data
Payments are processed by Stripe, Inc. We do not store, process, or have access to credit card data. Payment data is governed by Stripe's privacy policy.
2.4 Technical Data
Technical logs (errors, latency, system events) may be retained temporarily for security and diagnostic purposes, without containing PII in plaintext.
3. How We Use Your Data
- Providing the attribution and conversion dispatch service
- Communicating about your account, updates, and support
- Billing and subscription management (via Stripe)
- Security, fraud prevention, and legal compliance
- Product improvement (aggregated and anonymized data)
4. Legal Basis (GDPR / LGPD / PDPA)
- Contract performance: to provide the contracted services
- Legitimate interest: security, diagnostics, and product improvement
- Consent: where applicable (e.g., marketing communications)
- Legal obligation: when required by law
5. Data Sharing
We do not sell your personal data. We share only with:
- Stripe: payment processing
- Google: OAuth authentication and, at the tenant's instruction, conversion dispatch to Google Ads
- Meta / TikTok: conversion dispatch at the tenant's instruction (Pro plan)
- Infrastructure: private VPS server — no data sharing with the hosting provider beyond what is technically necessary to operate the service
6. Data Retention
- Account data: retained while the account is active and for up to 90 days after cancellation
- Tracking data: retained as configured by the tenant, for a maximum of 24 months
- Payment data: subject to Stripe's retention policies
7. Your Rights (GDPR / LGPD / PDPA)
You have the right to:
- Confirm the existence of data processing
- Access your data
- Correct incomplete, inaccurate, or outdated data
- Request anonymization, blocking, or deletion
- Data portability
- Revoke consent
- Object to processing
To exercise these rights: [email protected]
8. Security
We implement technical and organizational measures to protect your data: encryption in transit (TLS 1.2+/HTTPS), irreversible PII hashing, complete per-tenant data isolation, role-based access control, and continuous monitoring.
9. Cookies
The dashboard uses a strictly necessary session cookie (httpOnly, Secure, SameSite=Lax) for authentication. The tracking script (tagger.js) uses no cookies and does not access localStorage.
10. Changes
This policy may be updated periodically. We will notify you of significant changes by email or through the dashboard. The last updated date is always indicated at the top of this page.
11. Contact
Tagger.click
Tallinn, Estonia
Responsible: [email protected]