Legal

Privacy Policy

Date of latest revision: March 21, 2026

1. General Information

This Privacy Policy explains how personal data is collected, processed, and protected by:

KRZYSZTOF WICHER

NIP: 5521725458

REGON: 384388742

Email: contact@sowitrack.app

(hereinafter: "we", "our", or "Company").

We provide high-end software solutions for server-side tracking and marketing data processing, helping businesses optimize their attribution and data accuracy.

2. Roles Under GDPR

Depending on the context, we act as:

  • Data Controller: For website visitors and our direct business customers (B2B relationship).
  • Data Processor: For clients using our tracking software. In this case, we process personal data only on behalf of the Client (Controller) and based on their documented instructions.

3. Data Processing Agreement (DPA)

We provide a formal Data Processing Agreement (DPA) to all customers. This agreement governs the scope of processing, security measures, and responsibilities of both parties. By using our services, the Client agrees to the terms of the DPA.

4. Data Subjects

We process data related to:

  • Business Customers (our direct clients).
  • Website Users (visitors of our platform).
  • End Users of our Clients: Individuals whose data is processed via our server-side tracking systems.

5. Categories of Personal Data

A. Business Customers: Name, company name, address, email, phone number, billing/payment data.

B. Website Users: IP address, browser type, device information, cookies/identifiers, and data submitted via forms.

C. End Users (via Server-Side Tracking): Depending on client configuration, we may process:

  • IP address and User Agent (device data).
  • Client identifiers (e.g., client_id).
  • Advertising identifiers (e.g., gclid, fbclid).
  • Hashed personal data (e.g., SHA-256 hashed emails/phone numbers — if provided by the Client).
  • Event and transaction data (page views, conversions, value, currency).

We do not intentionally process special categories of data (e.g., health, religion).

6. Purpose and Legal Basis

We process data based on performance of a contract, legal obligations, legitimate interest, and consent (where required). Main purposes include:

  • Providing and maintaining tracking infrastructure.
  • Processing marketing events and conversions for attribution.
  • Improving software performance and security.
  • Billing, accounting, and fraud prevention.

7. Consent and Client Responsibility

The Client (as the Data Controller) is solely responsible for:

  • Obtaining valid user consent (e.g., via a CMP/Cookie Banner).
  • Ensuring a lawful basis for tracking under GDPR and ePrivacy laws.

We process data strictly based on the instructions of the Client.

8. Server-Side Tracking Technology

Our technology enables direct server-to-server data transmission between the Client's environment and external platforms (e.g., Google, Meta). This reduces reliance on third-party browser cookies and improves data accuracy.

Note: Server-side tracking does not eliminate the legal requirement for user consent.

9. Cookies and Tracking Technologies

We use essential technologies for security (e.g., Cloudflare) and analytical tools (e.g., Google Analytics). Tracking may involve first-party cookies and API-based event transmission. Users can manage their preferences via browser settings or our consent tools.

10. Profiling and Advertising

We process data for analytics and marketing optimization. This may involve profiling (automated processing to evaluate user behavior). However, we do not make decisions producing legal effects based solely on automated processing.

11. Data Sharing and Subprocessors

We do not sell personal data. Data may be shared with:

  • Subprocessors: Trusted infrastructure providers (AWS, Google Cloud, Cloudflare) bound by DPAs.
  • Authorities: When required by law.
  • Third Parties: Only with explicit consent or direct client instruction.

12. International Transfers

Data may be transferred outside the EEA (e.g., to the USA). We ensure protection via Standard Contractual Clauses (SCCs) and additional technical safeguards where required.

13. Data Retention

  • Tracking/Event Data: Up to 12–25 months (configurable by client).
  • System Logs: Up to 90 days.
  • Financial/Tax Data: 5–7 years (legal requirement).

14. Data Security

We implement industry-standard measures:

  • Encryption of data in transit (TLS) and at rest.
  • Strict access control and multi-factor authentication.
  • Proactive monitoring and incident response protocols.

15. Data Subject Rights

Under GDPR, you have the right to access, correct, or delete your data, as well as the right to data portability and to object to processing.

Contact: contact@sowitrack.app

You may also file a complaint with the Polish Data Protection Authority (UODO).

16. Google API Services Compliance

Our use of Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Data accessed via Google APIs is used strictly to provide and improve the tracking features of our software.

17. Changes to this Policy

We reserve the right to update this policy. The latest version is always available on our website.