Data Retention and Access Policy
Scope
This policy covers personal data processed by the Attribution platform, including hashed customer emails, anonymous visitor IDs, browsing events, conversion records, and integration credentials.
Retention periods
| Data category | Retention | Mechanism |
|---|---|---|
| Browsing events (events table) | 13 months from event timestamp | Tinybird TTL on `timestamp` column |
| Identity links (anonymous_id ↔ hashed_email) | 13 months from `identified_at` | Tinybird TTL |
| Conversions (orders, deals, leads) | 13 months from `occurred_at` | Tinybird TTL |
| Attributed journeys | 13 months from conversion | Tinybird TTL |
| Integration credentials (encrypted tokens) | Until merchant uninstalls | Neon deletion on uninstall |
| Project configuration | Until project deletion | Neon deletion on request |
| Server logs | 30 days | Vercel default retention |
Data is automatically deleted when its retention period expires. No manual intervention is required.
Data minimization
- Customer emails are hashed with HMAC-SHA256 and a project-scoped secret before storage. Plaintext emails are never persisted.
- We collect only the customer identifiers and event data required for multi-touch attribution. We do not collect names, addresses, or phone numbers.
- OAuth access tokens are encrypted at rest with AES-256-GCM. Decryption requires project-scoped AAD context.
Access controls
Staff access
- Production data access is limited to employees and contractors with a documented business need (e.g., customer support, incident response).
- Access is granted on a least-privilege basis and reviewed quarterly.
- All staff use SSO-backed accounts with enforced strong passwords and MFA via Clerk.
Application access
- Multi-tenant isolation is enforced via `project_id` in every query. Cross-project reads are prevented at the query layer.
- Merchants can only see data for projects their Clerk organization owns.
- Encryption keys are rotated annually or on suspected compromise.
Third-party access
- No customer data is shared with third parties for marketing or advertising purposes.
- Sub-processors:
  - Neon (Postgres) — configuration and credentials
  - Tinybird (ClickHouse) — event and attribution data
  - Upstash (Workflow/QStash) — event processing queue
  - Vercel — application hosting
  - Clerk — authentication
- All sub-processors are SOC 2 compliant.
Access logging
- All database queries and API requests are logged with timestamp, user, and project context.
- Logs are retained for 30 days and reviewed after security incidents.
Deletion requests
- Merchants can uninstall the app at any time to stop data collection. Uninstall triggers deletion of OAuth credentials and pauses event ingestion.
- Full data deletion requests can be sent to letsimmer@toonverbeek.com and are processed within 30 days.
- Individual end-user deletion requests are forwarded to the merchant, who is the data controller for their customers' data.
Review
This policy is reviewed annually and updated as infrastructure or sub-processors change.