Privacy Policy

1. Who we are

The data controller responsible for your personal information is ATTRCTION. You can contact us at privacy@attrction.com.

2. Information we collect

We collect the following categories of information:

2.1 Information you provide

• Account information. When you sign up, our authentication provider (Clerk) collects your name, email address, password (or third-party sign-in identifier), and profile image. We store the resulting user identifier and basic profile fields.
• Creator profile. Niche, languages, location, portfolio links, sample content, rates, social handles, and any biographical information you choose to publish.
• Brand profile. Company name, industry, website, billing details, team members, and any campaign briefs you publish.
• Communications. Messages, applications, briefs, revisions, files, and other content you exchange with other users or with us through the Service.
• Deliverables. Content you upload (images, video, audio, copy) and metadata about that content.
• Payment details. Payments are processed by Stripe. We do not store full card numbers. We retain payout details, tax forms, transaction history, and identity verification records that Stripe shares with us to operate the marketplace.
• Support requests. Information you send us when you request help, report a dispute, or otherwise contact us.

2.2 Information from connected platforms

When you connect a third-party account, we receive data from that platform under the scopes you grant during authorization. You can revoke these connections at any time from your dashboard or from the third-party platform.

• Shopify.Store domain, OAuth access token, shop metadata, products, variants, orders, and conversion events used for attribution and reporting. We process Shopify customer data only to the extent required by Shopify’s app requirements and our compliance webhooks.
• Meta (Facebook & Instagram).Pages, ad accounts, business assets, and (where you opt in) posts and ad performance data. If you whitelist a Creator handle, we may receive handle, asset IDs, and consent metadata. We use Meta’s Conversions API (“CAPI”) to send hashed event data attributable to your campaigns.
• TikTok. Ad accounts, business assets, posts, and ad performance data under the scopes you grant.

Our use of information received from Meta APIs adheres to Meta’s Platform Terms, including the Limited Use requirements. We do not sell Meta data and do not use it for any purpose other than providing the Service to you.

2.3 Information collected automatically

• Device and log data. IP address, browser type, operating system, referring URLs, pages viewed, timestamps, and crash diagnostics.
• Cookies and similar technologies. We use:
  • Session cookies set by our authentication provider to keep you signed in.
  • Security and CSRF cookies that protect the Service.
  • First-party attribution cookies and anonymous visitor identifiers set on Brand storefronts via our web pixel, used to associate site events with specific Creators or campaigns.
  • Browser local storage for UI preferences and session state.
  You can control cookies through your browser settings; disabling them may prevent some features (including sign-in and attribution) from working.
• Attribution events. When a Brand installs our web pixel on their storefront, we record click identifiers, page views, add-to-cart, and purchase events to attribute conversions to specific Creators or campaigns. Where required, we hash personal identifiers before transmission.

3. How we use information

• Operate, maintain, and secure the Service.
• Match Brands and Creators, route briefs, manage partnerships, and facilitate messaging.
• Process payments and payouts, hold funds in escrow, calculate fees, and prevent fraud.
• Send transactional emails (e.g., new applications, brief updates, payouts, security notices).
• Provide attribution and reporting on ads and conversions linked to campaigns you participate in.
• Detect and verify Creator Content usage in advertisements and across marketing channels for attribution, fee calculation, and anti-circumvention purposes.
• Improve the Service, debug issues, and develop new features.
• Comply with legal obligations, enforce our Terms, and protect the rights, property, or safety of users and the public.

4. Legal bases for processing (EEA / UK)

If you are located in the European Economic Area or United Kingdom, we process personal data on the following bases: (a) performance of a contract, when processing is necessary to deliver the Service you have requested; (b) legitimate interests, including running and improving our marketplace, preventing fraud, and securing our systems; (c) consent, for optional features such as connecting a third-party ad account or installing a web pixel; and (d) compliance with legal obligations.

5. How we share information

• With other users on the Service. Profile information you publish, applications you send, briefs you post, and messages and deliverables you exchange are visible to the counterparty in the partnership. Public profile fields may be indexed by search engines.
• With service providers (sub-processors). We use vetted vendors to host and run the Service. Current categories include authentication (Clerk), payments (Stripe), database hosting, email delivery (Resend), background jobs (Inngest), cloud hosting, analytics, and customer support tooling. They process data on our behalf under written agreements.
• With ad platforms you connect. When you authorize an integration we send and receive data with that platform (Meta, TikTok, Shopify) per the scopes you grant. We send conversion events to Meta and TikTok via their server-side Conversions APIs to power attribution.
• Attribution data with Brands you partner with. Brands receive attribution and conversion data related to their own stores and campaigns, such as order values, traffic sources, and Creator-level performance. This data does not include personally identifiable information of store visitors except where you explicitly enable that data flow through a connected integration.
• For legal reasons. We may disclose information when required by law, subpoena, or other legal process, or to protect rights, property, or safety.
• In a corporate transaction. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred subject to standard confidentiality protections.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

6. Data retention

We retain personal information for as long as your account is active and as needed to provide the Service. After account closure we retain limited information required to comply with legal, accounting, tax, dispute-resolution, and fraud-prevention obligations (typically up to seven years for financial records). Aggregated or de-identified data may be retained indefinitely.

7. Your rights

Subject to applicable law, you may have the right to access, correct, delete, export, or restrict processing of your personal information, and to withdraw consent or object to processing. You may exercise most of these rights from your account settings. You may also email privacy@attrction.com and we will respond within the time required by law. If you are in the EEA or UK, you have the right to lodge a complaint with your local supervisory authority.

8. Deleting your account and connected-platform data

You can delete your ATTRCTION account at any time from your dashboard or by emailing privacy@attrction.com. When you delete your account, we delete or anonymize your personal information within 30 days, subject to the retention exceptions in Section 6.

If you connected your Facebook or Instagram account and want us to delete the data we received from Meta, email privacy@attrction.com with the subject line “Meta Data Deletion” and include the email address tied to your ATTRCTION account. We will delete the associated data and confirm completion. You can also revoke our app’s access from your Facebook settings under Apps and Websites.

9. International transfers

We are based in the United States and our service providers are located in the United States and other jurisdictions. Where we transfer personal data out of the EEA, UK, or other regions with data-export rules, we rely on lawful transfer mechanisms such as the Standard Contractual Clauses.

10. Security

We use technical and organizational safeguards designed to protect personal information, including encryption in transit, access controls, audit logging, and least-privilege secrets management. No system is perfectly secure; you are responsible for safeguarding your password and notifying us of any suspected unauthorized access.

11. Children’s privacy

The Service is intended for users 18 years of age and older. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe a child has provided us with personal information, contact us and we will delete it.

12. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you additional rights regarding personal information we collect:

• Right to know. You may request a copy of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share it.
• Right to delete. You may request that we delete personal information we collected from you, subject to legal exceptions.
• Right to correct. You may request that we correct inaccurate personal information.
• Right to limit use of sensitive personal information. We do not use or disclose sensitive personal information for purposes that would trigger this right under the CCPA.
• Right to opt out of sale or sharing. We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.
• Right to non-discrimination. We will not deny you services, charge you different prices, or provide a different level of service for exercising your CCPA rights.

To exercise these rights, email privacy@attrction.com with the subject line “California Privacy Request.” We may need to verify your identity before responding. You may designate an authorized agent to act on your behalf, subject to our verification of the agent’s authority.

13. Shopify merchants

For Brands using ATTRCTION through our Shopify integration, we additionally comply with Shopify’s API License and Terms of Use and the Shopify Partner Program Agreement:

• We only access and use merchant and customer data as necessary to provide the Service (for example, to read products, write orders for attribution, and serve the web pixel).
• We protect merchant data with the technical and organizational measures described in Section 10 (Security).
• We do not sell merchant data and do not share it with third parties except as described in Section 5 (How we share information).
• Merchants can request data deletion by uninstalling the ATTRCTION app from their Shopify admin (which triggers Shopify’s mandatory data-erasure webhooks) or by emailing privacy@attrction.com.
• We respond to Shopify’s GDPR webhooks (customers/data_request, customers/redact, and shop/redact) in accordance with Shopify’s required timelines.
• We maintain written data-processing agreements with all sub-processors that handle merchant data on our behalf.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated policy here with a new “Last updated” date and, where required by law, notify you by email or in-product notice before changes take effect.

15. Contact us

Questions about this policy or our data practices?
ATTRCTION
Email: privacy@attrction.com
Web: attrction.com