Trackfully ("we", "us") provides lead tracking and marketing attribution software. This policy explains how we handle personal data — both for visitors to this website and for customers using the Trackfully platform.
Contact: support@trackfully.co.uk · [Legal entity name and registered address — to be confirmed before launch]
Two roles: controller and processor
For data about our own website visitors and customers (your account, billing and support history), we act as the data controller.
For lead and visitor data our customers capture through the platform (form submissions, tracked visits on our customers' websites), the customer is the controller and we act as a data processor on their instructions. If you've submitted a form on a business's website that uses Trackfully, contact that business directly about your data — we process it only on their behalf.
What we collect as controller
- Account data: name, email address, password (hashed), agency/company name, and the settings you configure.
- Billing data: your subscription plan and payment status. Card details are handled entirely by Stripe — they never touch our servers.
- Support data: messages you send us, and internal notes our support staff record while helping you.
- Usage and security data: server logs (IP address, user agent, timestamps), audit trails of significant account actions, and email delivery status.
What we process for customers
Lead records (names, email addresses, phone numbers, form fields), visit and session data (pages viewed, referrer, UTM parameters, click identifiers) and derived attribution. Retention is controlled by the customer; when a customer account is deleted, its data is deleted.
Lawful bases
Contract (providing the service you signed up for), legitimate interests (securing the platform, preventing abuse, improving the product), and legal obligation (accounting records). We don't sell personal data and don't use it for third-party advertising.
Sub-processors
We use a small set of infrastructure providers: Supabase (database and authentication — hosted in AWS eu-west-2, London), Vercel (application hosting), Stripe (payments), Resend (transactional email), and Google (only where a customer connects Google Ads or GA4 to their own workspace). Each processes data only as needed to provide their service to us.
Data residency and security
Primary data is stored in the UK (AWS eu-west-2, London). Data is encrypted in transit and at rest. Access is tenant-isolated at the database level, staff access requires multi-factor authentication, and support actions are audit-logged.
Retention
Account data is kept while your account is active and for a reasonable period afterwards for legal and accounting purposes. Customer-captured lead data is retained under the customer's control. Server logs rotate on our providers' standard schedules.
Your rights
Under UK GDPR you can request access, correction, deletion, restriction, portability, or object to processing. Email support@trackfully.co.uk and we'll respond within one month. You can also complain to the Information Commissioner's Office (ico.org.uk).
Changes
We'll post updates here and, for material changes, notify account holders by email.