Legal
Privacy Policy
Effective date: July 2026
This policy explains how RoasProof (“RoasProof”, “we”, “us”) handles personal data. Because we operate a conversion-tracking service, we wear two hats: we act as a processor for data our customers ask us to handle, and as a controller for data we collect for our own purposes (accounts, billing, this website).
1. Who we are
RoasProof provides server-side conversion tracking: we capture ad-click data first-party on our customers' websites, match it to users and orders, and deliver conversion events to advertising platforms such as Meta, Google and TikTok on our customers' behalf. You can reach us at [email protected].
2. Data we process on behalf of customers (as processor)
When a business (the “customer”) uses RoasProof on its website or store, we process the following categories of data about that customer's end users, acting on the customer's documented instructions:
- Click and campaign data: click identifiers (such as fbclid, gclid, ttclid), UTM parameters, landing page URL, referrer.
- Visitor and session data: a first-party visitor identifier, session timestamps, device and browser information (user agent), IP address.
- Customer and order data: email address, phone number, name and address fields, order identifiers, order value and currency, as provided by the customer's store or API.
- Derived identifiers: SHA-256 hashes of identifiers such as email and phone number, prepared for transmission to advertising platforms.
For this data, the customer is the controller and RoasProof is the processor. Processing is governed by our Data Processing Agreement. If you are an end user of a website that uses RoasProof, please direct privacy requests to that website's operator; we will assist them in responding.
3. Data we collect for our own purposes (as controller)
- Account data: name, email address, password hash, workspace settings, when you register for RoasProof.
- Billing data: plan, invoices and payment status. Card details are handled by our payment processor and never stored by us.
- Usage and log data: product usage events, API request logs, IP addresses and security logs, used to operate, secure and improve the service.
- Website data: limited, privacy-respecting analytics on this marketing site and any information you send us by email.
4. Hashed identifiers
Before conversion events leave our servers for an advertising platform, direct identifiers such as email addresses and phone numbers are normalized and hashed with SHA-256. Platforms receive hashes for matching purposes (not raw values), except for fields the platforms specify must be sent unhashed (for example IP address and user agent, where enabled by the customer).
5. Subprocessors and recipients
We share data with the following categories of recipients, only as needed to provide the service:
- Advertising platforms: Meta Platforms (Conversions API), Google (Google Ads conversion APIs) and TikTok (Events API), strictly as directed by the customer whose site generated the data.
- Infrastructure providers: cloud hosting, storage and content delivery.
- Operational vendors: payment processing, transactional email and customer-support tooling.
The current, complete subprocessor list is maintained in our DPA. We notify customers before adding or replacing subprocessors.
6. Legal bases
Where the GDPR applies to processing we control, we rely on: performance of a contract (providing your account), legitimate interests (service security, product improvement, defending legal claims), legal obligations (tax and accounting), and consent where required (for example marketing communications).
7. Retention
Event and click data processed on behalf of customers is retained for the period configured by the customer and deleted or anonymized afterwards, and in any case deleted following termination of the customer's contract in accordance with the DPA. Account and billing data is kept for as long as your account exists plus any period required by law.
8. International transfers
Where personal data is transferred outside the EU/EEA, including to advertising platforms, we rely on adequacy decisions or the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate.
9. Your rights
If you are in the EU/EEA or another jurisdiction with similar laws, you may have the right to access, rectify, erase, restrict or object to the processing of your personal data, the right to data portability, and the right to lodge a complaint with a supervisory authority. To exercise rights over data we control, contact [email protected]. For data we process on behalf of a customer, contact that customer; we will support their response.
10. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit, encryption at rest, hashing of direct identifiers, role-based access controls and audit logging. A fuller description is in the DPA.
11. Cookies on this website
This marketing website uses only the cookies and local storage necessary to operate and to measure aggregate traffic.
12. Changes and contact
We will post updates to this policy on this page and, for material changes, notify customers by email. Questions: [email protected].