Privacy Policy

1. Information We Collect

We collect account and workspace data such as your name, email address, display name, role, subscription plan, billing-account context, app memberships, and session metadata used to secure and operate the dashboard.

We also collect service and product data you create or configure in Attriax, including apps, links, dynamic links, Smart Pages, custom-domain settings, webhook endpoints, API key metadata, uploaded media, redirect destinations, preview content, and related operational logs.

Depending on which Attriax products you use, we may also process end-user and device-related data such as stable SDK-managed device identifiers, external user identifiers or names you submit through identify calls, event names and event properties, click and page-view data, deep-link resolution data, install-referrer data, external referrer data, attribution metadata, IP address, user agent, language, timezone, app package identifiers, browser metadata, and anti-abuse or fraud-prevention signals.

2. How We Use Information

We use information to provide and improve Attriax, including authenticating users, hosting Smart Pages, resolving deep links, redirecting traffic, attributing installs or app opens, generating analytics, enforcing plan limits, provisioning and renewing custom-domain certificates, processing uploads, securing accounts, preventing abuse, investigating incidents, and offering customer support.

We also use information for internal operations such as capacity planning, debugging, reliability monitoring, communications about service issues, and enforcing our agreements and platform rules. We do not sell your personal information.

3. Customer Data You Send Through Attriax

If you use Attriax SDKs, links, Smart Pages, webhooks, or related APIs in your own apps, sites, or campaigns, you may send us end-user or business data that you control. That can include device IDs, external user IDs, app events, campaign context, deep-link payloads, install-referrer values, webhook payloads, and destination URLs.

In that context, you remain responsible for the data you choose to collect and send to Attriax, including obtaining any required notices, permissions, or consent from your end users and ensuring that your use of Attriax complies with applicable law, your own privacy disclosures, and any third-party platform requirements.

For account, workspace, support, and website operations data, Attriax generally acts as an independent controller. For customer-submitted end-user analytics and attribution data, Attriax generally acts as a processor or service provider on your instructions. Additional role and provider detail is available on our Data Processing and GDPR page.

4. Sharing and Processing

We share data only where needed to operate Attriax, comply with law, protect the platform, or follow your product instructions. This includes service providers that support hosting, storage, authentication, measurement, geolocation, DNS and TLS certificate operations, customer communications, and payment or billing workflows. In practice this may include Google Firebase for identity and, where enabled, optional website measurement alongside Attriax first-party analytics flows, plus licensed local datasets such as MaxMind GeoLite2 that are operated inside Attriax-managed services.

If you configure webhooks, we will transmit the event payloads you choose to the webhook endpoints you configure. Those endpoints are controlled by you or your vendors, and their processing is governed by their own terms and privacy practices.

We may also disclose information if required by law, legal process, or a good-faith belief that disclosure is needed to protect Attriax, our users, third parties, or the public.

Additional third-party software notices, license references, and provider links are available on our Open Source and Third-Party Notices page.

5. Cookies, Local Storage, and Measurement Technologies

Attriax uses cookies, local storage, session storage, and similar technologies to keep users signed in, remember preferences, support offline queueing for some SDK operations, improve reliability, and measure product usage.

Where customer SDK traffic is sent without a device identifier, Attriax may use a cookieless anonymous fallback based on app ID, IP address, user agent, and a daily rotating salt to produce daily aggregate analytics without creating a stable user profile across days.

Our website or dashboard may also use first-party Attriax analytics and, where supported, Firebase Analytics. You can read more in our Cookie Policy.

6. Data Retention and Deletion

Analytics and client event data are retained according to the active subscription plan unless a stricter legal, security, or contractual requirement applies. At the time of writing, the standard plan windows are 14 days for Free, 30 days for Indie, 90 days for Startup, and 365 days for Growth. Enterprise retention may be longer, unlimited, or contractually customized.

Account, billing, operational security, and abuse-prevention records may be retained longer where necessary to provide the service, meet legal obligations, enforce agreements, or resolve disputes. When data is no longer needed, we delete, age out, or anonymize it.

7. Deleted Account, App, and Link Data

When you delete an account, app, or link, the record is moved into a private, access-restricted archive table instead of being immediately destroyed. We keep this archive only so a verified administrator can recover from accidental deletions and so we can investigate abuse reports.

Archived records are read-only recovery records. They are not part of normal product queries or reporting and are kept only for recovery, abuse review, dispute handling, or other limited operational and legal needs.

Default retention windows after deletion are 30 days for user accounts and 7 days for apps and links. Once the window passes, the archived record is permanently and automatically removed by a daily background job. You can contact support@attriax.com to request immediate purging of an archived record where the law requires it.

8. Security and International Transfers

We use reasonable administrative, technical, and organizational measures to protect information processed through Attriax. No service can guarantee absolute security, and you are responsible for maintaining the confidentiality of your own credentials, API keys, and team access.

Attriax and its service providers may process information in countries other than your own. By using the service, you understand that data may be transferred to and processed in locations where we or our providers operate, subject to applicable legal safeguards where required. If your organization needs a signed DPA or additional transfer-related documentation before rollout, contact us before sending regulated customer data through Attriax.

9. Your Rights and Choices

Depending on your region, you may have rights to access, update, export, restrict, or delete certain personal data. Signed-in users can use the Privacy Center and app Privacy tools for product-handled export, deletion, and SDK anonymization workflows. For other privacy questions, contact support@attriax.com.

Depending on context, Attriax typically relies on contractual necessity to operate accounts and workspaces, legitimate interests for security, abuse prevention, and platform reliability, and consent for optional website analytics where required by law.

If you are an Attriax customer sending your own end-user data into the platform, you are responsible for handling end-user rights requests relating to the data you control, unless applicable law requires otherwise.

10. Open Source and Third-Party Notices

Attriax uses third-party software libraries, SDKs, infrastructure components, and external service providers. The main notices, license families, and upstream references for those integrations are published on our Open Source and Third-Party Notices page.

11. Contact

For privacy questions, contact us at support@attriax.com.