Privacy policy

Plain-language summary: Revtrace collects account information from dashboard users and attribution data from WooCommerce stores. We do not sell your data. We do not use end-customer data for any purpose other than providing the service to the merchant who connected their store. You can request deletion of your data at any time by emailing info@revtrace.io.

Contents

Who we are
Our two roles: controller and processor
Data we collect from dashboard users
Data we process on behalf of merchants
How we use your data
Legal basis for processing
Third-party processors
Data retention
Your rights
Cookies
Children
Changes to this policy
Contact

1. Who we are

Revtrace ("Revtrace", "we", "us", "our") provides first-party attribution analytics software for WooCommerce stores. The service is accessible at app.revtrace.io and marketed at revtrace.io.

For questions about this policy or data requests, contact us at info@revtrace.io.

2. Our two roles: controller and processor

Revtrace operates in two distinct roles depending on whose data is involved:

Data controller — dashboard users

When you create a Revtrace account, we are the data controller for your personal information — your name, email address, and account activity. We determine the purpose and means of processing this data, and this privacy policy governs it.

Data processor — end-customer attribution data

When a WooCommerce merchant connects their store to Revtrace, the merchant's customers' behavioural and order data flows into Revtrace for attribution analysis. In this context, the merchant is the data controller and Revtrace is a data processor acting on the merchant's instructions.

Merchants are responsible for having a lawful basis to collect and share their customers' data with Revtrace, and for disclosing this in their own privacy policies. Revtrace processes end-customer data solely to provide the attribution service — we do not use it for any other purpose, including advertising, profiling, or sale to third parties.

3. Data we collect from dashboard users

When you register for and use the Revtrace dashboard, we collect:

Account information

Name and email address
Password (stored as a bcrypt hash — we never store your password in readable form)
Store name, domain, timezone, and currency settings

Usage data

Login timestamps and session activity
AI analyst queries and the generated responses
Settings changes and store configuration

Billing data

Payment processing is handled entirely by Stripe. Revtrace does not store credit card numbers or full payment details. We receive and store your Stripe customer ID and subscription status so we can manage your account.

4. Data we process on behalf of merchants

When a WooCommerce store is connected to Revtrace, the following data is transmitted from the store and stored in Revtrace's systems:

Session and visitor data

A first-party session identifier (set as a cookie on the merchant's domain)
UTM parameters and referrer URL from each visit
Landing page URL
Device type (mobile, desktop, tablet)
Session start time
WooCommerce customer ID (a numeric identifier, not personally identifiable on its own)

Order and attribution data

WooCommerce order ID and order total (revenue)
Currency
First-touch and last-touch channel, source, medium, and campaign
Number of touchpoints in the customer journey
Attribution timestamp

Revtrace does not collect or store end-customer names, email addresses, postal addresses, or payment information from WooCommerce orders. The data processed is limited to what is needed to attribute revenue to marketing channels.

Data sent to Meta and Google (where enabled)

If a merchant enables Meta Conversions API or Google Enhanced Conversions, Revtrace sends purchase event data to those platforms on the merchant's behalf. Before transmission, any customer identifiers (such as WooCommerce customer IDs) are hashed using SHA-256 — they cannot be reversed to identify an individual.

5. How we use your data

Dashboard user data

To create and manage your Revtrace account
To process your subscription and send billing-related emails
To send the weekly AI revenue brief and anomaly alerts you have configured
To respond to support requests
To notify you of material changes to the service or this policy

Merchant end-customer data

To attribute revenue to marketing channels and campaigns
To generate the AI weekly brief and anomaly alerts for the merchant
To power the AI chat analyst when queried by the merchant
To transmit purchase events to Meta and Google on the merchant's behalf (where enabled)

We do not use end-customer data for advertising, cross-merchant analysis, training AI models, or any purpose not described in this policy.

6. Legal basis for processing (GDPR)

For users in the European Economic Area, we process personal data under the following legal bases:

Contract performance — processing your account data and subscription is necessary to provide the service you have signed up for.
Legitimate interests — sending service notifications, security alerts, and product updates that are reasonably expected as part of a software subscription.
Legal obligation — retaining billing records for the period required by Finnish and EU law.

As a data processor for merchant end-customer data, we rely on the lawful basis established by the merchant (data controller) for that processing.

7. Third-party processors

Revtrace shares data with the following third-party processors to operate the service. All are bound by data processing agreements consistent with GDPR requirements.

Stripe

Payment processing and subscription management. Stripe receives your email address and billing details when you subscribe. Stripe's privacy policy: stripe.com/privacy.

Anthropic

AI analysis for the weekly brief and AI chat analyst. Attribution data (channel names, revenue figures, campaign names) is sent to Anthropic's API to generate insights. No personally identifiable end-customer data is included in these requests. Anthropic's privacy policy: anthropic.com/privacy.

Zoho Mail

Transactional email delivery — used to send the weekly AI brief, anomaly alerts, password reset emails, and account notifications. Zoho receives your email address and the email content for delivery purposes.

Meta and Google (merchant-configured, optional)

Where a merchant enables Meta Conversions API or Google Enhanced Conversions, Revtrace transmits hashed purchase event data to those platforms on the merchant's behalf. This is controlled by the merchant and governed by the merchant's agreement with Meta and Google.

8. Data retention

Account data

Your account data is retained for as long as your account is active. If you close your account, we delete your personal data within 30 days, except where we are required to retain billing records for legal or tax purposes (typically 7 years under Finnish accounting law).

Attribution and store data

Attribution data is retained according to your plan's history limit (12 months on Growth, unlimited on Pro and Agency). If your store is deleted from Revtrace, its attribution data is deleted within 30 days.

AI insights

Generated weekly briefs and AI insight logs are retained for as long as your store is active and are deleted with the store.

9. Your rights

Under GDPR, you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate data. You can update your name and email in your account settings at any time.
Erasure — request deletion of your personal data. We will action this within 30 days, subject to legal retention requirements.
Restriction — ask us to restrict processing in certain circumstances.
Portability — request your data in a machine-readable format.
Objection — object to processing based on legitimate interests.

To exercise any of these rights, email info@revtrace.io with your request. We will respond within 30 days.

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or the data protection authority in your country of residence.

10. Cookies

On this website (revtrace.io)

The Revtrace marketing website uses only a session cookie necessary to maintain your login state on the dashboard. We do not use third-party analytics cookies, advertising cookies, or tracking pixels on this site.
We use Matomo Analytics to analyse and develop our website. You can disable it here:

On connected WooCommerce stores

The Revtrace WooCommerce plugin sets a first-party cookie (rt_sid) on the merchant's own domain. This cookie contains a session identifier used to connect website visits to eventual orders for attribution purposes. It has a 30-day lifetime.

Because this cookie is set by the merchant's own domain and is used to provide a service the merchant has requested, it is a first-party functional cookie. Merchants remain responsible for disclosing its use in their own cookie and privacy policies.

11. Children

Revtrace is a business-to-business service intended for adults operating WooCommerce stores. We do not knowingly collect data from anyone under the age of 16. If you believe a minor has provided us with personal data, contact us at info@revtrace.io and we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify active subscribers by email at least 14 days before the changes take effect. The date at the top of this page reflects when the policy was last updated. Continued use of Revtrace after the effective date constitutes acceptance of the revised policy.

13. Contact

For any questions, data requests, or concerns about this privacy policy:

Email: info@revtrace.io
Service: Revtrace (revtrace.io)

We aim to respond to all privacy-related enquiries within 5 business days.