Privacy Policy
Effective: 1 May 2026 · Last updated: 13 May 2026
If you have a Trackflowy account
You are a Customer. This policy covers your account data, dashboard activity, and subscription.
If you clicked a Trackflowy link
You are an End-Visitor. We collect anonymized, non-identifiable click data only — no personally identifiable information (PII) is ever stored about you.
What we never do
- Sell your personal data
- Share data for advertising or cross-context behavioural tracking
- Store raw End-Visitor IP addresses or any PII about End-Visitors
- Store payment card data
- Track visitors across third-party sites
1. Introduction
Trackflowy ("we", "us", "our") operates the Trackflowy link tracking platform at trackflowy.com and app.trackflowy.com. This Privacy Policy explains what data we collect about Customers (people who hold a Trackflowy account) and End-Visitors (people who click a Trackflowy tracking link or visit a website where a Customer has embedded our conversion pixel), how we use it, and your rights.
2. Data We Collect
We collect the following categories of data:
- Account data (Customers): name, email address, hashed password (PBKDF2), and (if you enable two-factor authentication) your TOTP secret and backup recovery codes.
- Business content (Customers): destinations, tracking links, posts, templates, conversion goals, and custom domains you create.
- Session and security data (Customers): session token, login IP and User-Agent, activity and audit logs of dashboard actions.
- Click data (End-Visitors): no PII is ever collected or stored. We receive only anonymized, non-identifiable signals — we never store raw IP addresses or any information that could identify an individual. What we do record:
- IPv4 address with last octet zeroed (e.g.
1.2.3.0) - IPv6 address truncated to first 48 bits
- HMAC-SHA256 IP hash (keyed with a server-side secret) for bot detection — computationally irreversible without the key
- Country, User-Agent, referrer, and timestamp
- IPv4 address with last octet zeroed (e.g.
- Conversion data (End-Visitors): when a Customer embeds our pixel, we receive the most recent tracking ID from the visitor's localStorage (key
trackflowy_click_id, capped at 10 IDs), the conversion URL, optional event name, optional value and currency, the page referrer, and the User-Agent. The pixel uses localStorage, not cookies. - YouTube data (optional, Customers): if you connect your YouTube channel via Google OAuth (read-only scope), we store channel metadata and video metadata so we can display them inside the dashboard. OAuth access and refresh tokens are encrypted at the application layer with AES-256-GCM before database storage; the encryption key is a server-side secret so a database read alone cannot yield usable tokens.
- Error and performance data: Sentry session replays with text and input masking enabled (10% of sessions, 100% of error sessions).
3. How We Use Your Data
- Operate the Service: authenticate you, redirect tracking-link clicks, attribute conversions, and enforce plan limits.
- Send transactional emails (verification, password reset, 2FA notices, plan usage nudges, trial and grace-period notices), and occasionally product updates or offers. You can unsubscribe from non-transactional emails at any time via the link in the email.
- Detect bots and abuse, rate-limit sensitive endpoints, and maintain audit logs.
- Diagnose bugs and monitor performance via Sentry.
- Display your YouTube channel and video metadata inside your Trackflowy dashboard, if you connect a YouTube channel. We do not use your YouTube OAuth tokens for any purpose other than fetching your channel data on your behalf, and we do not use your YouTube data to build advertising profiles or to train machine learning models.
- Comply with legal obligations and enforce our Terms of Service.
4. Legal Basis (GDPR / UK GDPR)
We rely on the following legal bases:
- Performance of a contract: to provide the Service to you.
- Legitimate interests: for security, fraud prevention, audit logs, error monitoring, and product communications where you would reasonably expect them.
- Consent: for optional product updates and offers — you can withdraw consent at any time by unsubscribing.
- Legal obligation: where required by applicable law.
For data collected via tracking links and the conversion pixel, Trackflowy acts as a data processor on behalf of our Customers, who are the data controllers. A Data Processing Agreement is available to Customers on request — see our Data Processing Agreement.
5. Data Sharing and Subprocessors
We do not sell your personal data, and we do not share it for cross-context behavioural advertising. We share data only with the following subprocessors:
| Provider | Purpose | Region | Privacy policy |
|---|---|---|---|
| Cloudflare | Infrastructure — Workers, Pages, D1 database, custom domain SSL, DDoS protection | Global | cloudflare.com |
| Sentry | Error tracking and session replay (text & input masking on) | US | sentry.io |
| Resend | Transactional email delivery | US | resend.com |
| Google / YouTube | OAuth tokens + channel/video metadata (only if you connect a YouTube channel) | Global | google.com |
We share data with law enforcement or governmental authorities only when required by applicable law.
6. International Data Transfers
We are based outside the EU, and our infrastructure is globally distributed. For transfers of EU/UK personal data to providers in the United States, we rely on our subprocessors' own transfer mechanisms (including Standard Contractual Clauses where applicable), supplemented by encryption in transit and at rest.
7. Cookies and Browser Storage
We do not use third-party advertising or analytics cookies. The tables below list every key we set, what it stores, and how long it lasts.
Session cookie (strictly necessary)
| Key | Details | Lifetime |
|---|---|---|
trackflowy.session_token | Keeps you logged in. Encrypted, httpOnly, secure, SameSite=Lax. | 7 days (sliding) |
localStorage (functional, dashboard only)
| Key | Purpose | Lifetime |
|---|---|---|
trackflowy-theme | Saves your dark/light mode preference | Until cleared |
trackflowy-tour-welcomed | Records whether you dismissed the welcome dialog | Until cleared |
trackflowy-tour-completed | Records whether you completed the guided product tour | Until cleared |
sessionStorage (functional, dashboard only)
| Key | Purpose | Lifetime |
|---|---|---|
chunkErrorReloaded | One-time flag that prevents infinite reload loops on chunk-load failures | Tab session |
localStorage (analytics/conversion tracking, Customer websites)
| Key | Purpose | Lifetime |
|---|---|---|
trackflowy_click_id | Stores up to 10 tracking IDs set by Trackflowy links, used by our pixel for conversion attribution on Customer websites | Until cleared |
Customers who embed the pixel on EU/UK-facing websites are responsible for obtaining the appropriate consent from their visitors before the pixel activates.
8. Data Retention
We retain account data, click and conversion records, YouTube records, and audit logs for the life of your account. When you delete your account from the dashboard, deletion is immediate and permanent. We delete your profile, business content, click and conversion records, YouTube data, sessions, and logs from our database, and we revoke any active YouTube OAuth tokens with Google. Residual copies may persist temporarily in encrypted backups maintained by our infrastructure provider and in Sentry / Resend logs until they roll off per each provider's schedule.
End-Visitor data: anonymized click and conversion records are retained for the life of the Customer account that generated them and deleted when that Customer deletes their account. Because the data is anonymized and contains no PII, it cannot be linked back to an individual and is not subject to individual deletion requests.
9. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, export, delete, restrict, or object to the processing of your personal data, and the right to lodge a complaint with your local data-protection authority.
You can exercise most rights directly inside the dashboard — no need to email us first:
Export your data
Download everything as JSON — links, destinations, posts, click data, and account details. Rate-limited to once per 24 hours. You can also export per-post analytics as CSV.
Go to Data settingsDelete your account
Deletion is immediate and permanent — your profile, links, click data, and all associated records are removed from our database right away.
Go to Data settingsYou can also access and correct your profile data directly in account settings. To restrict processing, withdraw YouTube OAuth access, or make any other request, contact us at support@trackflowy.com. We will respond to verified requests within 30 days (or sooner as required by law).
End-Visitors: requests about data collected via tracking links or the pixel should be directed to the Customer whose link or pixel collected your data. If you cannot identify or reach that Customer, contact us and we will try to help.
California residents: we do not sell personal information and we do not share it for cross-context behavioural advertising.
10. Security
We hash passwords with PBKDF2, support TOTP-based two-factor authentication with backup codes, and anonymize End-Visitor IP addresses. Click IP addresses are additionally hashed with HMAC-SHA256 keyed to a server-side secret — the hash is computationally irreversible without that key. YouTube OAuth tokens are encrypted at the application layer with AES-256-GCM before being written to the database, meaning a database read alone cannot yield usable tokens. All data is encrypted in transit (HTTPS/TLS) and at rest (Cloudflare D1). Sensitive endpoints are rate-limited and audit logs are maintained for administrative actions. No system is perfectly secure; we will notify affected users and the relevant supervisory authority of a data breach in accordance with applicable law (within 72 hours where required by GDPR Art. 33).
11. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us for removal.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and notify registered Customers via email at least 30 days before the changes take effect.
13. Contact
For privacy questions or to exercise your rights, contact us at support@trackflowy.com. We will respond to verified requests within 30 days (or sooner as required by law).
Terms of Service
Effective: 1 May 2026 · Last updated: 1 May 2026
Introduction
These Terms of Service ("Terms") govern your access to and use of Trackflowy (the "Service"), available at trackflowy.com and app.trackflowy.com, operated by Solo Funnels ("Trackflowy", "we", "us"). By creating an account or using the Service (including embedding our conversion tracking pixel on your website) you agree to these Terms. If you do not agree, you may not use the Service. These Terms incorporate by reference our Privacy Policy.
1. The Service
Trackflowy provides link tracking, click analytics, conversion attribution, and related tools for content creators and businesses. The Service is currently in early-access / beta: features may change, and we do not offer a service-level agreement (SLA) or uptime guarantee at this stage. The Service is provided "as is" and "as available".
2. Eligibility and Accounts
You must be at least 16 years old to create an account. You represent that you are not located in or a national of any country, region, or party subject to comprehensive sanctions by the EU, UN, UK, or US (including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine), and that you are not on any prohibited-party list.
You are responsible for keeping your password and any 2FA backup codes confidential, for all activity under your account, and for keeping your account information accurate. Notify us at support@trackflowy.com if you suspect unauthorized access.
3. Plans, Billing, and Refunds
Plan features and limits are described on our pricing page. We may change plan features, limits, and pricing for new sign-ups at any time; for existing paid subscribers we will give at least 30 days' advance notice of any price increase that applies to your renewal.
Paid plans are not yet enabled. When billing is introduced, subscriptions will renew automatically at the end of each billing period at the then-current price for your plan, until you cancel. You may cancel at any time from account settings; cancellation takes effect at the end of your current paid period. For annual subscriptions we will email a renewal reminder approximately 30 days before each annual renewal. Payments will be processed by Stripe; we do not store your full card details. Prices are exclusive of any applicable taxes (including VAT) unless stated otherwise.
Refunds. Fees are non-refundable, except: (a) consumers in the EU, UK, or another jurisdiction granting an equivalent statutory right may withdraw from a paid subscription within 14 days of purchase for a full refund (this right may be reduced proportionately where you have already used substantive parts of the Service during that period); (b) where required by applicable law; or (c) at our discretion.
Beta and "lifetime" plans. Any plan described as "beta", "lifetime", or "free forever" covers the lifetime of the Service, not a perpetual right. We may revoke or migrate such grants if the account is misused or used materially beyond normal use of the plan tier. Beta and lifetime plans carry no SLA or priority-support guarantee.
4. Acceptable Use
You agree not to use the Service to:
- Track links to, host, distribute, or promote content that is illegal under applicable law (including child sexual abuse material, content infringing third-party rights, or content inciting violence or hatred).
- Distribute malware or viruses, conduct phishing, impersonate others, or run scams.
- Send unsolicited bulk messages (spam) or otherwise violate anti-spam laws.
- Cloak or deceptively disguise the final destination of a tracking link in a way intended to mislead end users.
- Reverse-engineer, scrape, or extract source code or data from the Service (except where mandatory law permits).
- Probe, attack, or attempt to bypass the security, rate limits, or quotas of the Service; create accounts by automated means; or use the Service to attack third-party systems.
- Resell, sublicense, or white-label the Service as your own offering, unless we authorize you in writing.
- Track end users in any jurisdiction in a manner that violates applicable consent, privacy, or e-marketing laws.
The Service may be used for lawful adult, gambling, or cryptocurrency-related content, provided you comply with all applicable laws (including age-gating and licensing) and with our infrastructure and email providers' rules. We may decline or terminate any such use that creates legal or operational risk for us.
5. Customer Responsibilities for End-Visitors
When you embed our pixel on your website, or publish a Trackflowy tracking link, you are the data controller for the personal data of your visitors and we act as your data processor. You represent and warrant that you have a lawful basis under applicable law (e.g., GDPR, UK GDPR, ePrivacy, CCPA/CPRA), that you have obtained any required prior informed consent (and provide a way to withdraw it), that you disclose your use of Trackflowy in your own privacy notice, and that you respond to data-subject requests directed to you. A Data Processing Agreement is available to Customers — see our Data Processing Agreement.
6. Custom Domains
If you connect a custom domain to your account, you represent that you own or otherwise have the right to use it for that purpose, and you agree to disconnect it promptly if you lose that right. We may disconnect a custom domain that we reasonably believe is no longer authorized, that violates these Terms, or that is misused for abuse, fraud, or unlawful content.
7. YouTube Integration
If you connect a YouTube channel, you authorize us to access (on your behalf) the YouTube data covered by the youtube.readonly scope, solely to display your own channel and video information inside the Service. Your use of the integration is also subject to the YouTube Terms of Service and the Google Privacy Policy, and our use of YouTube data complies with the Google API Services User Data Policy, including the Limited Use requirements. You may disconnect at any time; we will revoke the OAuth tokens and delete the associated records.
8. Suspension and Termination
You may stop using the Service and delete your account at any time from account settings; deletion is immediate and permanent. We may suspend, restrict, or terminate your access if you materially breach these Terms, fail to pay fees due (after a reasonable grace period), are reasonably believed to be using the account for fraud or abuse (including chargebacks), where required by law or a competent regulator, or where an infrastructure or payment provider we rely on prevents us from serving your account. Where the breach is non-material and curable, we will normally try to give you notice and an opportunity to cure first.
9. Intellectual Property
The Service, including our software, design, trademarks, and content, is owned by Solo Funnels and its licensors. We grant you a limited, non-exclusive, non-transferable, revocable licence to use the Service as permitted by these Terms.
You retain ownership of the data and content you submit through the Service. You grant us a worldwide, royalty-free, non-exclusive licence to host, store, copy, transmit, display, and process that content solely as necessary to provide and maintain the Service for you and to comply with our legal obligations. If you send us feedback, you grant us a perpetual, irrevocable, royalty-free licence to use it.
10. Disclaimers
To the fullest extent permitted by law, the Service is provided "as is" and "as available", without warranties of any kind, express or implied (including merchantability, fitness for a particular purpose, title, and non-infringement). We do not warrant that the Service will be uninterrupted, error-free, secure against attack, or that any data or attribution it produces will be accurate, complete, or fit for any particular decision. Nothing here excludes warranties or liabilities that cannot be excluded under applicable consumer-protection law; if you are an EU/UK consumer, your statutory rights are unaffected.
11. Limitation of Liability
To the fullest extent permitted by law, we will not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenue, business, goodwill, data, or anticipated savings. Our total cumulative liability arising out of or in connection with the Service or these Terms will not exceed the total amount you have paid to us for the Service in the 12 months immediately preceding the event giving rise to the claim. If you are on a free, trial, or beta plan, our aggregate liability is capped at zero. These limits do not apply to liability that cannot be excluded under applicable law.
12. Indemnification
You agree to indemnify and hold harmless Solo Funnels and its officers, employees, and agents from any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising from your breach of these Terms (including §4 and §5), your violation of any applicable law or third-party right, or the content of the destinations to which your tracking links point. This does not apply to the extent the claim is caused by our own breach or wilful misconduct, and is limited where mandatory law restricts indemnification by consumers.
13. Force Majeure
We are not liable for any failure or delay in performance to the extent caused by events beyond our reasonable control, including acts of God, natural disasters, war, civil unrest, government action, labour disputes, internet or telecommunications failures, attacks on our infrastructure, or outages or restrictions imposed by our infrastructure or payment providers.
14. Governing Law and Disputes
These Terms are governed by the laws of Hungary, excluding its rules on conflict of laws. Any dispute that cannot be resolved amicably will be subject to the exclusive jurisdiction of the competent courts of Hungary. If you are a consumer in the EU or UK, this clause does not deprive you of the protection of mandatory provisions of the law of your country of habitual residence, and you may also bring proceedings in the courts of that country where the law allows. EU consumers may use the European Commission's Online Dispute Resolution platform, although we are not obliged to participate.
15. Changes to These Terms
We may update these Terms from time to time. When we make material changes, we will update the "Last updated" date and notify registered Customers via email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Terms.
16. General
These Terms (together with the Privacy Policy and any feature-specific terms we present to you) are the entire agreement between you and us about the Service. If any provision is held invalid or unenforceable, the remaining provisions remain in effect. Our failure to enforce any right is not a waiver of it. You may not assign these Terms or your account without our prior written consent; we may assign in connection with a merger, acquisition, sale of assets, or by operation of law on notice to you. Notices to you will be sent to the email address on your account; notices to us should go to support@trackflowy.com.
17. Contact
For questions about these Terms, contact us at support@trackflowy.com.
Data Processing Agreement
Effective: 1 May 2026 · Last updated: 11 May 2026
This Data Processing Agreement ("DPA") forms part of the Trackflowy Terms of Service between Solo Funnels ("Trackflowy", "Processor") and the Customer named on the Trackflowy account ("Customer", "Controller"). It applies whenever Trackflowy processes personal data on the Customer's behalf in providing the Service, and supplements our Privacy Policy. Customers can accept this DPA in-product or request a countersigned copy at privacy@trackflowy.com.
1. Definitions
Capitalised terms not defined here have the meanings given in the Terms of Service or, where used, in the GDPR.
- "Applicable Data Protection Law" means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and any successor or analogous legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Trackflowy on the Customer's behalf in connection with the Service.
- "End User" means a natural person whose personal data is processed by Trackflowy on the Customer's behalf — typically a visitor to a website or property the Customer controls.
- "Subprocessor" means any third party engaged by Trackflowy to process personal data on the Customer's behalf.
- "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission in Decision 2021/914 for the transfer of personal data to third countries, as amended or replaced.
- "Processing", "Controller", "Processor", "Data Subject" have the meanings given in GDPR Article 4.
2. Roles of the Parties
The Customer is the Controller of the personal data processed under this DPA. Trackflowy is the Processor and processes personal data only on the Customer's documented instructions, as set out in this DPA and the Terms of Service.
The Customer's documented instructions for the purposes of GDPR Article 28(3)(a) are the Terms of Service, this DPA, the configurations the Customer makes within the Service (for example, the destinations and conversion goals they create), and any additional written instructions given in support tickets or admin tools.
Where Trackflowy uses de-identified, aggregated data derived from the Customer's personal data for its own legitimate purposes (including service improvement, security, and statistical analysis) in a manner that cannot reasonably re-identify any End User, Trackflowy acts as an independent Controller for that activity, and will only do so in compliance with Applicable Data Protection Law.
3. Scope of Processing
The subject matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of Data Subjects are described in Annex I below.
4. Customer Obligations
The Customer represents and warrants that:
- it has all rights, consents, notices, and lawful bases required by Applicable Data Protection Law to authorise the processing carried out by Trackflowy on its behalf;
- where the Service is deployed to End Users in the EEA, the UK, Switzerland, or any jurisdiction with an active "cookie law" or equivalent regime, the Customer has obtained valid, prior consent (or has another applicable legal basis under that regime) before any Trackflowy script reads from or writes to an End User's device;
- its instructions to Trackflowy comply with Applicable Data Protection Law; and
- it will not use the Service to process special categories of personal data (GDPR Article 9), criminal offence data, payment card numbers, government identifiers, passwords, or other particularly sensitive information.
The Customer will respond to Data Subject requests it receives directly. Trackflowy will provide reasonable assistance under §7.
5. Trackflowy's Obligations as Processor
Trackflowy will:
- Process only on instructions — process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by EU, Member-State, or other applicable law, in which case Trackflowy will inform the Customer of that legal requirement in advance unless prohibited from doing so.
- Confidentiality — ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
- Security — implement appropriate technical and organisational measures, as set out in Annex II.
- Subprocessors — engage subprocessors only on the terms of §8.
- Assistance — with Data Subject rights (§7), security/breach/DPIA obligations (§9, §10), and deletion or return of data at the end of processing (§11).
- Records — maintain a record of processing activities carried out on the Customer's behalf, available on reasonable request.
- Audit — make available the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, as set out in §12.
- Notify of contravening instructions — inform the Customer immediately if, in Trackflowy's opinion, an instruction infringes Applicable Data Protection Law.
6. Assistance with Data Subject Rights
Trackflowy will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
Where Trackflowy receives a Data Subject request directly relating to personal data it processes on the Customer's behalf, Trackflowy will, unless prohibited by law, forward the request to the Customer without undue delay and will not respond to it directly, except to confirm receipt and to refer the Data Subject to the Customer.
The Customer may submit Data Subject request escalations to privacy@trackflowy.com. Trackflowy will respond within thirty (30) days.
7. Subprocessors
The Customer gives Trackflowy general written authorisation to engage the subprocessors listed in our Privacy Policy.
Trackflowy will give the Customer at least thirty (30) days' prior notice of any addition or replacement of a subprocessor, by updating the published list and, where practical, notifying the Customer's account administrator by email or in-app notice. The Customer may object on reasonable data-protection grounds within that period; if the parties cannot in good faith resolve the objection, the Customer may terminate the part of the Service that depends on the new subprocessor and receive a pro-rata refund of pre-paid fees for the unused period.
Trackflowy will impose on each subprocessor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of its subprocessors as if they were Trackflowy's own.
8. Security and Breach Notification
Trackflowy will implement and maintain the technical and organisational measures described in Annex II.
Trackflowy will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting the Customer's personal data. The notice will include, to the extent then known: the nature and likely consequences of the breach; the categories and approximate number of Data Subjects and records affected; the measures taken or proposed to address the breach; and the contact details of Trackflowy's point of contact.
Trackflowy will cooperate with the Customer in good faith and provide reasonable assistance with the Customer's own notification obligations. Trackflowy's notification of, or response to, a breach is not an acknowledgement of fault or liability.
9. DPIAs and Prior Consultation
Trackflowy will provide the Customer with reasonable assistance, taking into account the nature of the processing and the information available to Trackflowy, with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law.
10. Deletion and Return of Personal Data
On termination or expiry of the Service, Trackflowy will, at the Customer's choice, delete or return to the Customer all personal data processed on the Customer's behalf and delete existing copies, unless retention is required by EU, Member-State, or other applicable law. This mirrors the account-deletion process described in our Privacy Policy.
Trackflowy may retain personal data in encrypted, isolated backups for up to ninety (90) days after deletion has been requested, after which time all backups containing such data will be overwritten or destroyed in the ordinary backup rotation. During this period, the deleted data will not be used or made available for any active processing other than backup restoration in response to a security incident.
11. Audit Rights
The Customer may, at its own expense and not more than once in any twelve-month period (unless an audit is required by a competent supervisory authority or follows a personal data breach), audit Trackflowy's compliance with this DPA, on at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with Trackflowy's operations or the security of other customers' data, and subject to reasonable confidentiality undertakings.
Trackflowy may satisfy its audit obligations by providing a recent third-party audit report (for example, SOC 2 Type II or ISO 27001) or by completing the Customer's standard security questionnaire, as long as the information provided is sufficient to demonstrate compliance with this DPA.
12. International Data Transfers
The parties acknowledge that Trackflowy operates a globally distributed Service on Cloudflare's edge network, and that personal data may be transferred to, or processed in, jurisdictions outside the EEA, the UK, or Switzerland.
To the extent such a transfer requires an Article 46 GDPR (or analogous UK GDPR / FADP) transfer mechanism, the parties incorporate by reference the EU Standard Contractual Clauses in Decision 2021/914 — Module Two (controller-to-processor) where Trackflowy acts as the Customer's processor, and Module Three (processor-to-processor) where the Customer is itself a processor for an underlying controller — governed by the law of Ireland, with the competent supervisory authority being the Irish Data Protection Commission.
For transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office. For transfers subject to the Swiss FADP, the parties apply the SCCs as varied by Swiss Federal Data Protection and Information Commissioner guidance.
The parties will, where reasonably required, carry out and document a transfer impact assessment in good faith.
13. CCPA / CPRA — Service Provider Status
Where the CCPA / CPRA applies, Trackflowy is a "Service Provider" (and not a "Third Party") with respect to Personal Information processed on the Customer's behalf. Trackflowy will not sell or share Personal Information; will not retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the Service and the limited purposes permitted under CCPA / CPRA §1798.140(e); will not retain, use, or disclose Personal Information outside the direct business relationship with the Customer; and will not combine Personal Information received from the Customer with Personal Information from other sources, except as expressly permitted under that section.
Trackflowy will notify the Customer if it determines that it can no longer meet its obligations under this section.
14. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law, including any liability a Data Subject may pursue directly against either party under GDPR Article 82.
If there is any conflict between this DPA, the Terms of Service, the SCCs, or the UK IDTA, the order of precedence (highest first) is: (1) the SCCs and UK IDTA, in respect of restricted transfers; (2) this DPA; (3) the Terms of Service.
Annex I — Description of Processing
Subject matter, nature and purpose: Trackflowy provides link tracking, click analytics, conversion attribution, and related tools for content creators and businesses. Processing consists of receiving, storing, analysing, and presenting click and conversion data generated by End Users of the Customer's marketing properties.
Duration: for the term of the Customer's subscription to the Service, plus the post-termination retention period set out in §10.
Categories of Data Subjects: the Customer's authorised users (the Controller's own staff), and End Users (visitors who click a Customer's tracking link, or who visit a property on which a Customer has installed the Trackflowy script).
Categories of Personal Data: account data of the Customer's staff (name, email address, hashed password, 2FA secret and recovery codes, session metadata); End-User click and conversion data (short-link identifier, timestamp, truncated IP address, User-Agent, referrer URL, click ID, conversion event type and value where supplied by the Customer, and any custom event metadata supplied by the Customer); and support communications.
Special categories of data: none. Customers may not use the Service to process special categories of personal data (GDPR Article 9), criminal offence data, payment data, or government identifiers.
Retention: account data, click and conversion records, and audit logs are retained for the life of the Customer's account, as described in our Privacy Policy.
Annex II — Technical and Organisational Security Measures
Trackflowy implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Pseudonymisation and encryption: TLS 1.2+ in transit for all Customer and End-Visitor traffic; at-rest encryption of the underlying storage (Cloudflare D1); passwords stored only as one-way hashes (PBKDF2); End-Visitor IP addresses truncated before storage.
- Confidentiality, integrity, availability and resilience: Cloudflare's globally distributed network and DDoS protection; daily automated backups of the production database, retained for at least 30 days; multi-region replication of Customer account data.
- Restoration of availability after an incident: documented disaster-recovery procedures with backups tested at least annually; point-in-time recovery available for the primary database.
- Regular testing and evaluation: static analysis, dependency-vulnerability scanning, and automated CI security checks on each release; Sentry error monitoring with PII scrubbing in front-end and back-end SDKs.
- Access management: role-based access control inside the Service; mandatory 2FA for all Trackflowy staff with production access; least-privilege, logged, and reviewed access.
- Data protection by design and by default: consent-required tracking mode available out of the box; customer-facing settings to opt out of cross-site identifiers; a published, versioned subprocessor list.
- Incident response: 72-hour breach notification (§8); a documented incident-response runbook.
- Transfers under GDPR Chapter V: SCCs and UK IDTA as set out in §12; transfer impact assessments on request.
Contact
For questions about this DPA, or to request a countersigned copy, contact us at privacy@trackflowy.com.