Privacy Policy

Last updated: March 26, 2026

1. Introduction

EchoStack ("we", "our", "us") provides a mobile attribution platform that helps app developers understand which advertising campaigns drive app installs and in-app events. This Privacy Policy explains how we collect, use, and protect data.

2. Data We Collect

2.1 Dashboard Users (Our Customers)

• Email address and name (for account registration)
• Password (bcrypt-hashed, never stored in plaintext)
• Organization and app configuration data

2.2 End Users (Mobile App Users)

• IP address: captured at click and install time for fingerprint matching. Used temporarily, not stored long-term.
• User-Agent string: device type, OS version. Used for probabilistic matching.
• Device identifiers: IDFV (iOS), Install Referrer (Android). Never IDFA.
• Click IDs: fbclid, gclid, ttclid from ad network URLs.
• In-app events: event type, revenue, custom parameters sent by the app developer's SDK integration.

2.3 What We Do NOT Collect

• We do not collect IDFA (Apple Advertising Identifier)
• We do not perform cross-app tracking
• We do not build user profiles or sell data to third parties

3. How We Use Data

• Attribution matching: connecting ad clicks to app installs using temporary device signals
• S2S postback delivery: forwarding conversion events to ad networks (Meta, Google, TikTok) so they can optimize campaigns
• Analytics: providing aggregated campaign performance data in our dashboard

4. Data Retention & Deletion

• PII (email, phone): SHA-256 hashed before storage. Raw PII purged within 24 hours.
• Click fingerprints: stored in Redis with a 7-day TTL, then automatically deleted.
• Click IDs: 30-day TTL in Redis.
• Event data: retained for the duration of the customer's account. Deleted upon account termination.

5. Data Security

• All data transmitted over HTTPS (TLS 1.2+)
• OAuth tokens encrypted at rest using AES-256 (Fernet)
• Passwords hashed with bcrypt
• API keys SHA-256 hashed for storage
• PII redacted from application logs

6. Third-Party Data Sharing

We share conversion event data with ad networks only when configured by our customer through integration connections. Specifically:

• Meta Conversions API: when Meta integration is connected
• Google Enhanced Conversions: when Google integration is connected
• TikTok Events API: when TikTok integration is connected

We do not sell, rent, or share data with any other third parties.

7. GDPR Compliance

EchoStack acts as a data processor on behalf of our customers (data controllers). We process data only as instructed by the customer's SDK integration and dashboard configuration. We support data deletion requests. Contact us to exercise your rights.

8. Apple App Tracking Transparency

EchoStack does not require or use IDFA. Our attribution uses first-party web-click-to-install matching with temporary device signals (IP + User-Agent + timing) that comply with Apple's ATT framework.

9. Contact

For privacy questions or data deletion requests: privacy@echostack.app