Privacy Policy

Last updated: June 2026

This Privacy Policy describes how TrackAPI collects, uses, stores and protects your personal information, in accordance with the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and applicable international regulations.

1. Who We Are

TrackAPI is a server-side tracking platform developed and operated by Speltech. We provide infrastructure for capturing conversion events via ad platform APIs (Meta, TikTok, Google Analytics 4), using our customers' own domains (first-party CNAME).

Our privacy contact address is: contato@trackapi.app.br

2. What Data We Collect

We collect data in two distinct contexts:

Platform customer data (Dashboard users)
- Name, email address and account information provided at sign-up
- Billing data securely processed by Stripe (we do not store card numbers)
- Project, domain and integration settings
- Platform access and usage logs

Visitor data from our customers' websites (end users)
- Behavioral events (pageview, click, purchase) configured by the customer
- Anonymized identification data: first-party cookies (_tapi_vid), partial IP address
- UTM parameters and ad click identifiers (fbclid, gclid)
- User data submitted by the customer (email, phone): always stored and transmitted as a SHA-256 hash, never as plain text

3. How We Use Your Data

We use the data collected for the following purposes:

- Service delivery: process conversion events and forward them to the ad platforms configured by the customer
- Authentication and security: verify user identity and protect accounts
- Billing: process subscription payments and issue invoices
- Support: answer questions and resolve technical issues
- Product improvement: aggregated, anonymized usage analysis to improve features
- Communication: send transactional emails (confirmations, alerts) and, with consent, marketing communications

4. Legal Basis for Processing (LGPD/GDPR)

We process your data based on the following legal grounds under the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018) and applicable international regulations:

- Contract performance: to provide the contracted services
- Legitimate interest: for security, fraud prevention and service improvement
- Consent: for sending marketing communications and using non-essential cookies
- Legal obligation: for issuing tax documents and fulfilling regulatory requirements

5. Data Sharing

We do not sell your personal data. We share information only with:

- Ad platforms (Meta, TikTok, Google): conversion events configured by the customer, with user data always hashed
- Clerk (authentication): secure identity and session management
- Stripe (payments): subscription billing processing
- Resend (email): transactional email delivery
- Cloudflare: hosting for the event processing infrastructure

All partners are selected for their commitment to security and privacy, and are subject to data processing agreements.

6. Cookies and Tracking Technologies

We use cookies and similar technologies for:

- Essential cookies: required for platform operation (authentication, session)
- Analytics cookies: aggregated, anonymized usage metrics for product improvement
- First-party cookies (_tapi_vid): visitor identifier set by the TrackAPI Worker on the customer's domain, used to improve conversion tracking quality

You can manage your cookie preferences at any time via the cookie banner displayed on first visit.

7. Data Retention

We retain your data for the following periods:

- Account data: while the account is active and for up to 90 days after closure
- Event data: processing logs for up to 90 days; aggregated analytics data for up to 2 years
- Billing data: as required by applicable tax law (minimum 5 years)

After the retention period, data is securely deleted or permanently anonymized.

8. Your Rights (LGPD/GDPR)

As a data subject, you have the right to:

- Access: request confirmation and a copy of your personal data
- Rectification: correct incomplete, inaccurate or outdated data
- Erasure: request deletion of data processed based on consent
- Portability: receive your data in a structured, machine-readable format
- Withdrawal of consent: withdraw consent at any time
- Objection: object to processing carried out based on legitimate interest
- Information: obtain information about entities with whom your data is shared

To exercise these rights, contact us at: contato@trackapi.app.br

9. Data Security

We implement technical and organizational measures to protect your data:

- All integration tokens and credentials are encrypted with AES-256-GCM before storage
- Personal identification data (email, phone) is always transmitted as a SHA-256 hash, never as plain text
- Communications between systems use TLS 1.2+
- Infrastructure access is restricted to authorized personnel with multi-factor authentication
- Continuous security monitoring and regular dependency updates

If you identify any vulnerability, please contact us immediately at contato@trackapi.app.br

10. International Transfers

Some of our service providers process data outside Brazil (e.g., Cloudflare, Clerk, Stripe). These transfers are carried out with appropriate safeguards, including standard contractual clauses and compliance with applicable regulations.

11. Changes to This Policy

We may update this Privacy Policy periodically. When significant changes occur, we will notify you by email or through a notice in the Dashboard. The date of the last update is always shown at the top of this page.

We recommend reviewing this policy regularly.

12. Contact and Data Protection Officer

For questions, requests or complaints related to privacy and personal data processing:

Email: contato@trackapi.app.br
Suggested subject: [Privacy] — your request

We will respond within 15 business days as required by the LGPD.
