← Attriloop

Privacy Policy

Last updated: July 6, 2026 · Attriloop is a prototype in private beta.

This policy explains how Attriloop handles personal data for the public site, console, APIs, SDK ingest, attribution engine, and integrations. For end-user data processed through a customer's app, the customer controls the purposes and instructions; Attriloop acts as a processor or service provider.

Beta/prototype notice: This policy describes the current intended behavior of an early-stage prototype. Data categories, SDK behavior, attribution methods, deletion flows, retention periods, subprocessors, integrations, security controls, exports, and postbacks may change while Attriloop remains in private beta.

1. Data we process

Depending on how Attriloop is configured, we may process the data below. Because the product is in beta, these categories may change as prototype features are added, removed, or redesigned.

2. How we use data

We use personal data to:

3. Legal bases and customer responsibilities

For console account data, we process data to perform our contract, operate the service, protect our legitimate interests, comply with law, and, where needed, based on consent.

For app end-user data, customers are responsible for choosing the lawful basis, presenting required notices, collecting required consent, honoring opt-outs, and ensuring their SDK configuration complies with applicable privacy laws, App Tracking Transparency, app store rules, and ad-network terms. Do not use the beta prototype with production personal data until you have reviewed the current behavior, documentation, and required agreements.

4. Attribution, identifiers, and fingerprinting

Attriloop does not collect IDFA or GAID by default. If a customer app provides those identifiers, they must be collected under a valid consent or platform permission and are used for attribution.

When deterministic identifiers are unavailable, Attriloop may use limited, coarse matching signals such as IP address, platform, and locale within a short attribution window. This matching is intended as a fallback and should be enabled only where the customer has the right to use it. Matching logic may change while the attribution engine is in prototype development.

Apple SKAdNetwork and AdAttributionKit postbacks are processed separately as aggregate, privacy-preserving attribution signals and are not treated as device-level identifiers.

5. Sharing and subprocessors

We share data only as needed to operate Attriloop, follow customer instructions, or comply with law. Subprocessors may change during beta as the prototype infrastructure changes.

Attriloop does not sell personal information.

6. Retention

We keep data for as long as needed to provide the service, meet legal and accounting obligations, resolve disputes, and enforce agreements. Attribution results and audit records may be kept for the life of the account plus a reasonable backup, tax, and legal retention period. Retention periods and deletion behavior may change during private beta.

Attribution cache entries are short-lived and expire after the configured attribution window. Append-only aggregate analytics expire according to the analytics store retention settings.

7. Deletion and privacy rights

Customers can request deletion of a specific install through the SDK-key authenticated POST /v1/gdpr/delete endpoint by attriloopId. This removes the attribution result, paid-install record, revenue events, and attribution cache entries for that app and install. This beta endpoint may change before general availability.

End users should send access, correction, deletion, objection, opt-out, or portability requests to the app developer whose app uses Attriloop. We help customers respond to those requests where the data is processed by Attriloop. Console users may contact us directly about their account data.

8. Security

We use access controls, API-key scoping, rate limits, encryption in transit, hashed email and phone matching fields, audit records, and least-privilege operational practices appropriate for a beta SaaS prototype. These controls may evolve as the product moves toward production. No internet service can guarantee perfect security, so customers should rotate exposed keys and avoid sending data that is not needed for attribution.

9. International transfers

Attriloop and its subprocessors may process data in the United States, the European Economic Area, and other locations where infrastructure providers operate. Where required, customers should put a data processing addendum and appropriate transfer safeguards in place before production use.

10. Changes

We may update this policy frequently as the prototype, subprocessors, laws, or beta scope changes. The "Last updated" date shows when the current version took effect.

11. Contact

Privacy questions: contact your Attriloop account owner or email privacy@attriloop.com. For commercial use, request a data processing addendum before sending production personal data.

See also the Terms of Service.