Privacy Policy
Last updated: July 6, 2026 · Attriloop is a prototype in private beta.
This policy explains how Attriloop handles personal data for the public site, console, APIs, SDK ingest, attribution engine, and integrations. For end-user data processed through a customer's app, the customer controls the purposes and instructions; Attriloop acts as a processor or service provider.
Beta/prototype notice: This policy describes the current intended behavior of an early-stage prototype. Data categories, SDK behavior, attribution methods, deletion flows, retention periods, subprocessors, integrations, security controls, exports, and postbacks may change while Attriloop remains in private beta.
1. Data we process
Depending on how Attriloop is configured, we may process the data below. Because the product is in beta, these categories may change as prototype features are added, removed, or redesigned.
- Account data: name, email, organization, authentication records, roles, support messages, and audit events.
- Tracking link data: link IDs, campaign parameters, timestamps, redirect targets, click IDs, IP address, user agent, platform, language, coarse country, and related request metadata.
- SDK install data:
attriloopId, app ID, SDK version, operating system, OS version, device model, locale, timezone, screen size, IP address observed at ingest, install referrer, Apple AdServices token, and consented IDFA or GAID when an app provides it. - Event and revenue data: event names, event timestamps, revenue amount, currency, attribution fields, idempotency IDs, and customer-supplied event parameters.
- Advanced matching data: email or phone only when a customer app sends them for a configured integration. We hash supported matching fields with SHA-256 before sending them to ad-network postbacks where required.
2. How we use data
We use personal data to:
- provide, secure, debug, and improve the Attriloop service;
- route tracking links and attribute installs, events, and revenue;
- send configured postbacks or exports to destinations selected by a customer;
- detect abuse, enforce limits, and protect accounts; and
- comply with legal, tax, accounting, and security obligations.
3. Legal bases and customer responsibilities
For console account data, we process data to perform our contract, operate the service, protect our legitimate interests, comply with law, and, where needed, based on consent.
For app end-user data, customers are responsible for choosing the lawful basis, presenting required notices, collecting required consent, honoring opt-outs, and ensuring their SDK configuration complies with applicable privacy laws, App Tracking Transparency, app store rules, and ad-network terms. Do not use the beta prototype with production personal data until you have reviewed the current behavior, documentation, and required agreements.
4. Attribution, identifiers, and fingerprinting
Attriloop does not collect IDFA or GAID by default. If a customer app provides those identifiers, they must be collected under a valid consent or platform permission and are used for attribution.
When deterministic identifiers are unavailable, Attriloop may use limited, coarse matching signals such as IP address, platform, and locale within a short attribution window. This matching is intended as a fallback and should be enabled only where the customer has the right to use it. Matching logic may change while the attribution engine is in prototype development.
Apple SKAdNetwork and AdAttributionKit postbacks are processed separately as aggregate, privacy-preserving attribution signals and are not treated as device-level identifiers.
5. Sharing and subprocessors
We share data only as needed to operate Attriloop, follow customer instructions, or comply with law. Subprocessors may change during beta as the prototype infrastructure changes.
- Cloudflare for edge hosting, Workers, queues, KV, R2, and request handling;
- Neon for Postgres database hosting; and
- professional advisers, authorities, or service providers where legally required.
Attriloop does not sell personal information.
6. Retention
We keep data for as long as needed to provide the service, meet legal and accounting obligations, resolve disputes, and enforce agreements. Attribution results and audit records may be kept for the life of the account plus a reasonable backup, tax, and legal retention period. Retention periods and deletion behavior may change during private beta.
Attribution cache entries are short-lived and expire after the configured attribution window. Append-only aggregate analytics expire according to the analytics store retention settings.
7. Deletion and privacy rights
Customers can request deletion of a specific install through the SDK-key authenticated POST /v1/gdpr/delete endpoint by attriloopId. This removes the attribution result, paid-install record, revenue events, and attribution cache entries for that app and install. This beta endpoint may change before general availability.
End users should send access, correction, deletion, objection, opt-out, or portability requests to the app developer whose app uses Attriloop. We help customers respond to those requests where the data is processed by Attriloop. Console users may contact us directly about their account data.
8. Security
We use access controls, API-key scoping, rate limits, encryption in transit, hashed email and phone matching fields, audit records, and least-privilege operational practices appropriate for a beta SaaS prototype. These controls may evolve as the product moves toward production. No internet service can guarantee perfect security, so customers should rotate exposed keys and avoid sending data that is not needed for attribution.
9. International transfers
Attriloop and its subprocessors may process data in the United States, the European Economic Area, and other locations where infrastructure providers operate. Where required, customers should put a data processing addendum and appropriate transfer safeguards in place before production use.
10. Changes
We may update this policy frequently as the prototype, subprocessors, laws, or beta scope changes. The "Last updated" date shows when the current version took effect.
11. Contact
Privacy questions: contact your Attriloop account owner or email privacy@attriloop.com. For commercial use, request a data processing addendum before sending production personal data.
See also the Terms of Service.