This page explains how Attriax handles controller and processor roles, which third parties are involved in live product processing, and how to request GDPR-related support or a signed DPA discussion.
Last updated: April 28, 2026
Attriax acts in different roles depending on the data and workflow involved. For account registration, workspace administration, billing context, website operations, security monitoring, and support communications, Attriax generally acts as an independent controller of that information.
For end-user analytics, attribution data, event payloads, webhook payloads, Smart Page traffic data, and SDK identifiers that you send into Attriax for your own apps or campaigns, Attriax generally acts as a processor or service provider on your instructions. You remain responsible for the data you choose to collect and send to the platform.
If you use Attriax to collect data from your own end users, you are responsible for providing legally required privacy notices, collecting any required consent, choosing lawful bases for processing, configuring appropriate webhook recipients, and ensuring that your own policies accurately describe how Attriax is used in your product stack.
You are also responsible for coordinating end-user deletion, correction, portability, or objection requests for the data that you control. Attriax can help route those requests, but the current product does not expose a self-service per-end-user export or deletion API for customer-submitted SDK records.
Attriax uses Firebase for dashboard authentication and, when optional consent is granted on the website, Firebase Analytics for website measurement.
Terms: https://firebase.google.com/terms
Privacy: https://policies.google.com/privacy
Attriax uses a licensed local GeoLite2 database inside Attriax-managed services for approximate IP geolocation. Runtime traffic is not sent to MaxMind for lookups from this product path.
If you enable webhooks, Attriax sends the payloads you configure to endpoints chosen by you. Those recipients are controlled by you or your vendors and are not selected by Attriax on your behalf.
Event and analytics retention follows the active plan window unless a stricter legal or contractual rule applies. Deleted user records may remain in a restricted archive for up to 30 days, and deleted apps or links may remain there for up to 7 days, before automated permanent deletion.
Those archive records are read-only recovery records, not normal product records. They are retained only to support accidental deletion recovery, abuse review, or legal and operational obligations.
Attriax and its service providers may process information in countries other than your own. If your organization needs a signed Data Processing Addendum, security questionnaire response, or additional transfer-related documentation before using Attriax for regulated customer data, contact us before rollout so we can review the request with the correct commercial and legal context.
For GDPR, privacy, or DPA-related questions, contact support@attriax.com. If you are requesting a signed DPA, mention your company name, planned use case, and whether you are sending end-user event or attribution data through Attriax.
