GDPR
RedTrack is a performance marketing platform for tracking, attributing, and automating campaigns across major ad networks. We provide accurate measurement even after the end of third-party cookies, consolidating all campaign data in one tool.
RedTrack operates in compliance with the General Data Protection Regulation (GDPR) in our role as both a data controller and data processor, depending on the data processing activities.
Full Legal Name: RedTrack Technologies Ltd
Registration Number: HE 397054
Address: 25 Martiou, 27, D.MICHAEL TOWER, Flat/Office 105A, Egkomi 2408, Nicosia, Cyprus
Email: privacy@redtrack.io
RedTrack has appointed an internal Privacy Officer whom you can contact with any questions or concerns about our products or services regarding the processing of personal data. To exercise your privacy rights or direct any privacy-related queries, please contact: privacy@redtrack.io
Our Agreement on the processing of personal data (hereinafter Data Processing Agreement or DPA) is based on the standard contractual clauses model adopted by the European Commission. This DPA forms an integral part of our Terms of Service and details our commitments as a data processor.
All RedTrack customers can access and review our DPA at any time. The current version is available at: https://www.redtrack.io/dpa/.
If you have specific questions about our DPA or require a signed copy, please contact our Privacy Officer at privacy@redtrack.io.
For our core services – tracking your marketing campaigns and analyzing performance data – RedTrack acts as a data processor. We process end-user data according to your instructions as the data controller.
We act as a data controller for the processing of personal data of our own customers (for the management of your account information, billing details, and marketing communications).
RedTrack as a Processor
Processing Activity | Description | Categories of Data | Processing Details | Retention Period |
---|---|---|---|---|
Campaign Tracking | Collecting and attributing ad performance data across multiple platforms | Technical Information: Browser type, device type, system language, OS version, timestamps; Technical Identifiers: IP addresses (with anonymization options for EU), advertising IDs, user agents, customer-issued user IDs; Engagement Information: Ad clicks, impressions, visits | Processing occurs only under documented controller instructions; data is processed to match conversions to their source campaigns; RedTrack implements IP anonymization upon controller request | 12-month rolling retention period for log-level data; aggregated metrics may be retained longer as configured by controller |
Performance Analytics | Aggregating data from various channels (paid, organic, email, partnerships, referrals) into a single dashboard for real-time monitoring | Campaign performance metrics, cost data, revenue data, ROI calculations, audience segment data | Data is processed to provide real-time and historical performance metrics; processing includes data normalization across channels for unified reporting | As specified by controller, typically 12 months for detailed data; aggregated metrics may be retained longer |
Data Synchronization | Synchronizing ad spend and revenue data from integrated ad networks and e-commerce platforms | Campaign metrics, cost data, conversion data, revenue figures, integration-specific identifiers | Automated synchronization processes retrieve data from controller-authorized platforms to maintain accurate performance metrics | As specified by controller; typically synchronized data is refreshed regularly and historical snapshots maintained according to controller configuration |
Attribution Services | Connecting user interactions to conversion events through multi-touch attribution models | User journey touchpoints, Attribution timestamps, Conversion pathways, Attribution model parameters | Attribution algorithms process data to allocate conversion credit across multiple touchpoints according to controller-defined models | Data is maintained according to controller configuration; attribution data typically follows the same retention as the underlying tracking data |
Processing Activity | Description | Legal Basis | Data Categories | Retention Period |
---|---|---|---|---|
Customer Account Management | Processing data of direct customers using our platform, including account creation, verification, and maintenance | Article 6.1.b: Processing is necessary for the performance of a contract to which the data subject is party | Names, email addresses, job titles, company information, account credentials, user preferences, account settings | Duration of business relationship plus 3 years for legal claims |
Firewall Application (WAF) | Protection of infrastructure and platform against cyber attacks; traffic analysis to block attacks and implement security measures | Article 6.1.b: Contract necessity; Article 6.1.c: Legal obligation; Article 6.1.f: Legitimate interest (ensuring platform security) | IP addresses, browser information, device information, access patterns, login attempts | 6 months |
Website Analytics | Analytics and user experience optimization for website visitors; understanding user navigation patterns and feature preferences | Article 6.1.a: Consent; Article 6.1.f: Legitimate interest (improving our services and user experience) | IP address (anonymized for EU users), browser type, device type, navigation behavior, feature usage, page views | 12 months |
Marketing Communications | Sending newsletters, platform updates, and information about RedTrack services | Article 6.1.a: Consent; Article 6.1.f: Legitimate interest (for existing customers) | Email address, name, communication preferences, interaction with previous communications | Until consent withdrawal or 2 years after last platform interaction |
Financial Operations | Processing payments, issuing invoices, maintaining financial records, and complying with tax regulations | Article 6.1.b: Contract necessity; Article 6.1.c: Legal obligation | Payment details, transaction records, billing addresses, purchase history, tax information | 7 years for financial records as required by tax regulations |
RedTrack implements comprehensive technical and organizational security measures to ensure an appropriate level of security for personal data processing. These measures include (please read our DPA for more details):
Measure Type | Implementation Details |
---|---|
Physical Access Control | Physical access to our data centers is strictly restricted with secure entrance systems, video surveillance, and visitor management systems that maintain detailed access logs for all visitors to sensitive areas. |
Network Security | Multiple infrastructure protection layers including firewalls, intrusion prevention systems (IPS), hardened external-facing servers, anti-malware controls, and encrypted remote access requiring multi-factor authentication. |
Data Encryption | All data in transit is encrypted using TLS 1.2+ protocols; HTTPS is enforced for all web communications; sensitive data is encrypted at rest in database systems. |
Access Control | Administrative access to our production environment is strictly limited with granular role-based permissions; user authentication employs multi-factor authentication for enhanced security. |
Data Minimization | IP anonymization for EU countries (replacing the last octet with 0); collection of only necessary data with configurable data collection parameters. |
Retention Controls | 12-month rolling retention period for log-level reporting; automated data lifecycle management for timely deletion or anonymization of outdated data. |
Vulnerability Management | Regular security scans at least twice monthly; annual third-party penetration testing by independent security firms; swift deployment of critical security updates. |
Incident Response | Comprehensive incident management process ensuring prompt notification to affected parties in case of personal data breaches; clear procedures for containment, mitigation, and remediation. |
RedTrack maintains a data breach response plan compliant with GDPR requirements. Our detection system operates 24/7 with trained staff identifying potential breaches promptly. When an incident occurs, our Response Team assesses severity and impact within 12 hours, classifying breaches based on risk to determine appropriate actions.
Notification protocols ensure Data Protection Authorities are informed within 72 hours for qualifying incidents. When acting as a processor, we promptly notify affected customers. Complete documentation is maintained for all incidents regardless of severity.
Our remediation process includes immediate containment measures followed by thorough root cause analysis. We implement additional safeguards as needed and regularly test our response capabilities through simulated breach scenarios. For our complete Data Breach Response Protocol, contact privacy@redtrack.io.
RedTrack incorporates privacy principles from the earliest stages of product development. Our process includes privacy impact assessments for new features and privacy-protective default settings such as configurable IP anonymization.
Our architecture integrates privacy controls into core functionalities, supporting data segregation, minimization, and configurable retention while maintaining full functionality.
Key features include configurable data collection, real-time IP anonymization, consent management integration, custom retention periods, and analytics capabilities using pseudonymized data.
RedTrack works with carefully selected sub-processors to deliver our services. All sub-processors that may receive personal data are subject to:
- Rigorous Due Diligence: We evaluate sub-processors' privacy practices, security measures, and compliance capabilities before engagement.
- Data Processing Agreements: All sub-processors must sign data processing agreements with RedTrack that include obligations at least as stringent as those we undertake with our customers.
- Regular Compliance Monitoring: We periodically review our sub-processors' compliance with our privacy and security requirements.
The full list of our current sub-processors is available in Annex IV of our Data Processing Agreement. In accordance with our DPA, we provide advance notice of any intended changes to our sub-processor list, giving customers the opportunity to object to such changes.
GDPR mandates rights to access, correct, delete, restrict processing of, and port your personal data. You may also object to processing based on legitimate interests or for marketing.
To exercise your rights with RedTrack, email privacy@redtrack.io. Data subjects whose personal data is processed by RedTrack have the following rights:
Right | Description | How to Exercise |
---|---|---|
Right to Access | You have the right to confirm whether RedTrack processes your personal data and to receive a copy of your personal data in a structured, commonly used format. | Contact privacy@redtrack.io with your request. We will respond within one month as required by GDPR. |
Right to Rectification | You have the right to have inaccurate personal data corrected or incomplete data completed. | For RedTrack customers, many data points can be updated directly in your account settings. For other requests, contact privacy@redtrack.io. |
Right to Erasure | You have the right to request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. | Contact privacy@redtrack.io with your erasure request. Please note that we may need to retain certain information for legal compliance, fraud prevention, or other legitimate purposes. |
Right to Restriction | You have the right to request that we restrict the processing of your personal data under certain circumstances. | Contact privacy@redtrack.io with details about which processing activities you wish to restrict and why. |
Right to Object | You have the right to object to processing based on legitimate interests, including profiling, and for direct marketing purposes. | For marketing communications, you can unsubscribe using the link in any email. For other objections, contact privacy@redtrack.io. |
Right to Data Portability | You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit this data to another controller. | Contact privacy@redtrack.io with your portability request. |
Rights Related to Automated Decision Making | You have rights relating to automated decision making, including profiling, which produces legal or similarly significant effects. | RedTrack does not currently engage in automated decision making that produces legal or similarly significant effects for data subjects. |
RedTrack stores personal data on secure servers located within the European Economic Area (EEA). Our primary data processing operations take place in EU-based data centers provided by our infrastructure partners. These facilities implement comprehensive physical and technical security measures to protect your data.
For transfers of personal data outside the EEA (which may occur when you access your data from outside the EEA or when using certain sub-processors), we implement appropriate safeguards through Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring equivalent levels of data protection.
Retention Principles and Periods
RedTrack adheres to the data minimization principle and retains personal data only for as long as necessary to fulfill the purposes for which it was collected. Our retention practices are guided by:
- Contractual Requirements: Data necessary for service delivery is retained for the duration of our contractual relationship
- Legal Obligations: Data required for legal compliance (e.g., financial records) is retained in accordance with applicable laws
- Legitimate Business Needs: Data needed for security, fraud prevention, and business intelligence is retained only as long as necessary for these purposes
Specific retention periods for different data categories include:
Data Category | Retention Period | Rationale |
---|---|---|
Account Information | Duration of business relationship plus 3 years | Contract fulfillment and potential legal claims |
Payment Information | 7 years | Financial regulations compliance |
Security Logs | 6-12 months | Security monitoring and incident investigation |
Marketing Preferences | Until consent withdrawal or 2 years after last platform interaction | Respecting user preferences while maintaining business communications |
Tracking Data | 12-month rolling retention period for log-level data | Balance between analytics needs and data minimization |
For questions about our GDPR compliance, data processing activities, or to exercise your rights, please contact:
Email: privacy@redtrack.io
While RedTrack is committed to GDPR compliance and supporting our customers in their compliance efforts, this information should not be construed as legal advice. We recommend consulting with your legal counsel regarding your specific GDPR obligations.