Privacy Policy

Last updated: April 11, 2026

This Privacy Policy describes how Attribu ("we," "us," or "our") collects, uses, and discloses information when you use our website attribu.tech and the services we provide (the "Service").

1. Information We Collect

1.1 Account Information

When you sign up, we collect: email address, password (hashed), and any profile information you provide.

1.2 Data from Your Customers' Visitors

As an analytics and attribution service, we help you track visitors to your own websites. When your website uses our tracking pixel, we collect on your behalf:

• A randomly-generated visitor ID stored in a first-party cookie
• Pages viewed, timestamps, and referring URL
• UTM parameters and ad-click IDs from the URL
• IP-derived approximate location (country, region, city)
• User-agent data (browser, OS, device type)
• Screen and viewport dimensions
• Language and timezone
• Any data you explicitly pass via our identify() or custom event APIs

We do not collect names, email addresses, phone numbers, or precise GPS location from your visitors unless you explicitly send that data via our API.

1.3 Payment and Revenue Data

If you connect Stripe, Shopify, WooCommerce, or similar, we process charge records (amount, currency, timestamp, customer email, metadata) to attribute revenue to traffic sources. We do not see or store full card numbers.

1.4 Usage Data

When you use the Attribu dashboard, we collect standard web logs (IP, user-agent, requested paths, timestamps) for security and debugging.

2. How We Use Information

• Provide, operate, and maintain the Service
• Authenticate you and secure your account
• Attribute revenue, bookings, and events to traffic sources
• Respond to support requests
• Send service-related emails (not marketing unless you opt in)
• Detect abuse, fraud, and violations of our Terms
• Comply with legal obligations

3. Cookies and Tracking Technologies

Our tracking pixel sets two first-party cookies on websites that install it:

• attribu_visitor_id – persistent (365 days). Identifies a returning visitor.
• attribu_session_id – session cookie (30-minute rolling). Identifies a single visit.

Visitors may opt out at any time by setting localStorage.setItem('attribu_optout', '1') in their browser. The pixel respects the Do Not Track header where present.

If you run our pixel on a site subject to GDPR or similar laws, you are responsible for displaying a cookie banner and obtaining consent before the pixel loads.

4. How We Share Information

We do not sell personal information. We share data only with:

• Service providers acting under our instructions (e.g., Supabase for database hosting, Vercel for web hosting, Resend for transactional email, Stripe for billing, Google Cloud for favicon resolution).
• Legal authorities when required by law, subpoena, or to protect rights and safety.
• Acquirers in the event of a merger, acquisition, or sale of assets (you will be notified).

5. Data Retention

Event data is retained for the duration of your account. You can delete individual events, entire sites, or your account at any time. When you delete data, it is removed from our live database; backups are rotated out within 30 days.

6. Your Rights (GDPR, CCPA, and similar)

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate data
• Delete your data ("right to be forgotten")
• Export your data in a portable format
• Object to or restrict certain processing
• Withdraw consent where processing is based on consent
• Lodge a complaint with a supervisory authority

To exercise these rights, email us at support@attribu.tech. We will respond within 30 days.

7. Data Security

We use TLS for all data in transit. Passwords are hashed. Database access is restricted by role-based access control and row-level security. No system is perfectly secure; we cannot guarantee absolute security.

8. International Transfers

We are based in Serbia and use providers in the US and EU. By using the Service, you consent to the transfer and processing of your data in those jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms.

9. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have, contact us and we will delete it.

10. Advertising and Ad Platforms

If you use the Service to track advertising campaigns, we help you measure the performance of ads run on platforms like Google Ads and Meta Ads. We capture ad-click IDs (e.g., gclid, fbclid) from URLs to attribute revenue. We do not share your visitor data with Google or Meta, nor do we use their tracking on our marketing site beyond what is disclosed here.

11. Changes to This Policy

We may update this policy. Material changes will be announced by email and/or a notice in the dashboard at least 30 days before taking effect. Continued use of the Service after changes means you accept the updated policy.

12. Contact

Questions? Email support@attribu.tech.