This Privacy Policy explains how AdsPing (“AdsPing”, “we”, “our”) handles information in connection with the AdsPing service (the “Service”) — a server-side conversion tracking platform that forwards events from our customers’ websites to advertising platforms such as Meta, TikTok, and Google.
AdsPing serves two distinct groups: our customers (businesses that sign up to use the Service) and the visitors of those customers’ websites (end users). Each section below makes clear which group it applies to.
1. Our role
AdsPing operates as a data processor for website visitors and as a data controller for its own customer accounts.
- For customers — when you create an AdsPing account we act as the controller of your account information (name, email, billing details).
- For end users of customer websites — when events flow through AdsPing, we process them on behalf of our customer, under that customer’s instructions, and only for the purpose of delivering those events to the destinations (Meta, TikTok, Google, etc.) the customer has connected. The customer is the controller of that data.
2. Information we collect
2.1 Customer account information
- Name, email, password hash, and optional profile details.
- Billing information (processed by Stripe; we store only the last-four digits and customer identifier).
- Usage information such as pixel settings, connected destinations, and dashboard preferences.
- Product analytics for our own internal operations (see Section 6).
2.2 Event metadata processed on behalf of customers
When a visitor loads a website with the AdsPing tracking script installed, we receive events that include information such as:
- Event type (e.g. PageView, Purchase, Lead).
- URL of the page where the event occurred.
- UTM parameters (source, medium, campaign, content, term).
- Ad-click identifiers if present in the URL or cookies (fbclid, gclid, ttclid, msclkid, etc.).
- A first-party identifier generated by our script to stitch a visitor’s session together.
- Technical information sent by the browser (IP address, user agent, page URL).
- Values provided by the customer’s site for that event (e.g. order value, currency, product identifier).
- Hashed contact information for advanced matching (email, phone) — only if the customer’s site explicitly provides it and only in a one-way SHA-256 hashed form when forwarded to ad platforms.
Events are forwarded to the destinations our customer has configured and then stored only as aggregate counters in our systems. We do not retain per-event rows containing contact information. The metrics we retain are limited to counts and sums grouped by day, event type, UTM attribution, destination, and currency.
2.3 Cookies we set on customer websites
Our tracking script may set a first-party cookie (_ap_id) on the customer’s domain to provide a stable identifier across a browsing session and to deduplicate events. The cookie contains a random value — no personal information.
3. How we use information
- To operate, maintain, and improve the Service.
- To process events on behalf of customers and forward them to their chosen destinations.
- To communicate with customers about their account, billing, and service updates.
- To detect, prevent, and respond to fraud, abuse, and security issues.
- To comply with our legal obligations.
We do not sell personal information. We do not use event data for our own advertising or profiling.
4. Legal bases (EEA / UK)
Where the EU or UK GDPR applies we rely on one of the following legal bases:
- Contract — to provide the Service we have agreed to deliver.
- Legitimate interests — to operate and secure our Service, prevent abuse, and develop new features.
- Consent — where required (e.g. the customer’s website has obtained cookie consent from the visitor before firing events).
- Legal obligation — to comply with applicable law.
5. Subprocessors
We use a small number of vetted third-party providers to run the Service. Each is bound by contract to equivalent data-protection terms.
| Provider | Purpose | Region |
|---|---|---|
| Railway / Fly.io | Application hosting & database | US / EU |
| Cloudflare | CDN, DNS, TLS, DDoS protection | Global |
| Stripe | Billing & payment processing | US / EU |
| Resend | Transactional email | US / EU |
| Sentry | Error monitoring | US / EU |
Advertising platforms below receive conversion events only when a customer has explicitly connected them as a destination on their pixel. Each platform is an independent controller of the data it receives from the customer.
| Recipient | API used | Data forwarded |
|---|---|---|
| Google LLC — Google Ads | Google Ads API (Conversions API) — customers:uploadClickConversions | gclid / gbraid / wbraid, conversion timestamp, value & currency, order ID, SHA-256-hashed email and phone (Enhanced Conversions, optional) |
| Google LLC — Google Analytics 4 | GA4 Measurement Protocol | Event name, client ID, page URL, conversion value (when configured) |
| Meta Platforms, Inc. | Meta Conversions API | Event name, event ID for dedup, SHA-256-hashed identifiers (email, phone, IP, user-agent), value & currency |
| TikTok Pte. Ltd. | TikTok Events API | Event name, event ID, SHA-256-hashed identifiers, value & currency |
AdsPing does not forward direct identifiers (email, phone) to any recipient in plaintext — identifiers used for advertiser-side matching are SHA-256 hashed before transit in line with each platform’s Conversions/Events API specification.
6. Sharing
We share information only as described in this Policy, specifically:
- With the subprocessors listed above, under contract.
- With the advertising platforms a customer has connected as a destination — this is the core purpose of the Service.
- With law enforcement or courts when required by a valid legal request, in a jurisdiction that applies to us.
- In connection with a corporate transaction (merger, acquisition) provided the recipient continues to honour this Policy.
7. International data transfers
AdsPing operates from the United States and the European Union and may route event processing through either region. Where data is transferred from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses and/or an applicable adequacy decision. Customers in Türkiye may opt to have their events processed in a Turkey-region endpoint for KVKK compliance.
8. Retention
- Customer account information — retained while the account is active and for up to 24 months after account closure, unless a longer retention period is required by law (e.g. tax records).
- Event metadata aggregates — retained for up to 24 months to support historical reporting; customers may request shorter retention via their account settings.
- Raw event payloads — not retained after forwarding.
9. Security
We encrypt data in transit (TLS 1.2+) and at rest. Access to production systems is limited to authorised personnel and protected by multi-factor authentication. We run regular backups, monitor for anomalies, and maintain an incident-response plan. If we become aware of a security incident affecting your data, we will notify you without undue delay.
10. Your rights
Depending on your location, you have rights to access, correct, delete, export, or restrict processing of your personal information, to object to processing, and to lodge a complaint with your local data-protection authority. End users of a customer website should contact that customer directly, since AdsPing processes event data on their behalf.
- EEA / UK — rights under the GDPR.
- California — rights under the CCPA / CPRA.
- Türkiye — rights under KVKK Article 11.
To exercise any of these rights, email [email protected]. We respond within 30 days.
11. Children
The Service is not directed to children under 16 and we do not knowingly process personal information of children. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.
12. Changes to this Policy
We may update this Policy from time to time. Material changes are notified to customers by email and posted here with an updated “Last updated” date at least 14 days before taking effect.
13. Contact
AdsPing — operated by PixelBridge.
Data-protection contact: [email protected]
General contact: [email protected]
See also our Terms of Service and our Data Processing Agreement.