Legal

Privacy Policy

Version 2.0 · Effective 3 June 2026 · Last updated 3 June 2026

This Privacy Policy explains how Attributed Ltd processes personal data when you use attributed.io, the Attributed web application, and the connected integrations that power our agents. It is written for the people who use Attributed, the organisations they work for, and the visitors to the storefronts that we help operate.

1. Who we are

Attributed Ltd ("Attributed", "we", "us", "our") is a company registered in England and Wales. We provide Attribution Intelligence for Ecommerce: a platform that connects to a brand's ecommerce, analytics, advertising and messaging stack and runs a fleet of specialised agents (Ledger, Signal, Pulse, Vector, Scout, Merchant, Loop and Forge) to detect tracking gaps, revenue mismatches and conversion leaks, and to produce Implementation Packs that engineering and marketing teams can apply.

For the purposes of UK GDPR, the EU GDPR and other applicable data protection laws, Attributed Ltd is the controller of personal data covered by sections of this policy that concern our own account, billing and marketing operations, and the processor of Customer Data ingested via the integrations a customer authorises.

Contact: privacy@attributed.io · Data Protection enquiries: dpo@attributed.io · Legal: legal@attributed.io.

2. Scope

This policy applies to the Attributed marketing website at attributed.io, the Attributed web application, the agent runtime, the integrations a customer connects from within their workspace, the Attributed JavaScript tracking layer when deployed on a customer storefront, and all support, billing and security operations associated with the foregoing.

This policy does not cover third-party websites or services linked from the Attributed platform, including the dashboards of the integrations our customers connect. Those services are governed by their own privacy notices.

3. Definitions

  • Customer — the organisation that subscribes to Attributed and opens a workspace.
  • Authorised User — a person the Customer invites into its workspace.
  • Customer Data — data ingested from a Customer's integrations or storefront, processed by Attributed on the Customer's instructions.
  • Storefront Events — anonymised, consent-aware events emitted by the Attributed tracking layer when deployed on a Customer's storefront.
  • Findings — diagnostic outputs produced by Attributed agents.
  • Implementation Pack — a structured set of recommended changes generated from one or more Findings.
  • Personal Data, Controller, Processor, Special Category Data — have the meanings given in UK GDPR and EU GDPR.

4. Our role: processor and controller

Attributed is the processor in respect of Customer Data. The Customer is the controller and is responsible for ensuring that it has a lawful basis for the processing it instructs us to perform, that it has configured appropriate consent and disclosures to its end users, and that the OAuth scopes it grants us are appropriate for the work it wants us to do.

Attributed is the controller for the limited set of personal data we process for our own purposes, including: account registration and authentication, billing and tax records, customer support conversations, product telemetry and security logs, and direct marketing to business contacts.

5. Data we process

5.1 Account data

When an Authorised User registers we process their name, business email address, hashed password where applicable, workspace identifier, role within the workspace, session and device metadata, and authentication events. If the user signs in with Google, we process the basic profile fields returned by Google sign-in.

5.2 Integration data via OAuth

When a Customer connects an integration we receive an OAuth access token (encrypted at rest) and the data exposed by the scopes granted. We default to read-only scopes and only request write scopes where an Implementation Pack genuinely needs them. Integrations include, without limitation, Shopify, WooCommerce, Magento, Google Analytics 4, Google Tag Manager, Google Ads, Google Search Console, Meta Ads, Klaviyo and Slack. The categories of data accessed are listed in section 17.

5.3 Storefront Events

Where a Customer deploys the Attributed tracking layer, we receive Storefront Events. These events are designed to be consent-aware: they respect the consent state expressed by the Customer's consent management platform and are anonymised at ingestion. We retain hashed identifiers required for cross-event de-duplication and attribution. We do not store cleartext email addresses, names, postal addresses or payment data emitted from the storefront.

5.4 Billing data

Subscriptions are processed by Stripe. We receive billing contact details, the last four digits of the card or other tokenised reference, the country of issue, plan and invoice metadata. We never receive or store full card numbers.

5.5 Product telemetry, logs and support

We collect application logs, performance metrics, error reports and the metadata needed to operate the service securely. We process support conversations sent to us by email or in-app. We do not place advertising or third-party analytics trackers in the Attributed application.

5.6 Marketing data

We process limited information about business contacts who interact with our marketing website (page views, form submissions, content downloads). Where consent is required, we obtain it via the cookie banner.

6. Lawful bases

  • Contract — to provide the Attributed service to a Customer that has subscribed (Art. 6(1)(b)).
  • Legitimate interests — to operate, secure, debug and improve the service, prevent fraud, and conduct business-to-business marketing (Art. 6(1)(f)).
  • Legal obligation — to retain billing records, respond to lawful requests and meet regulatory requirements (Art. 6(1)(c)).
  • Consent — for non-essential cookies and for direct marketing where consent is required (Art. 6(1)(a)).

7. How we use data

We use the data described above to:

  • authenticate users and run their workspace;
  • run agent diagnostics against Customer Data and Storefront Events;
  • generate Findings, Implementation Packs and alerts;
  • deliver alerts via email or Slack to the destinations the Customer chooses;
  • provide customer support, resolve incidents and produce status communications;
  • bill the Customer and handle taxes;
  • operate, secure and improve the platform, including capacity planning and abuse detection; and
  • comply with legal obligations.

8. Cookies and similar technologies

On the Attributed marketing website we use a small number of strictly necessary cookies (for session, security and consent state) and, subject to consent, first-party analytics for aggregate visitor measurement. Inside the Attributed application we use first-party cookies and local storage for authentication and session continuity only. We do not use third-party advertising cookies. The Attributed tracking layer deployed on Customer storefronts is configured by the Customer to respect the storefront's consent management platform.

9. Sharing and disclosure

We share personal data only as described below:

  • with sub-processors listed in section 11, under written agreements that impose data-protection obligations equivalent to those in this policy;
  • with the integrations a Customer has explicitly connected, only to the extent necessary to perform the work the Customer has asked us to do;
  • with professional advisers, auditors and regulators where required;
  • where required by law, court order or to protect the rights, property and safety of Attributed, our customers or the public; and
  • in connection with a merger, acquisition or sale of assets, subject to standard confidentiality protections.

We do not sell personal data. We do not use Customer Data to train third-party AI models.

10. International transfers

Attributed is headquartered in the United Kingdom and our primary production infrastructure is hosted in the European Union. Some sub-processors are located in the United States or other jurisdictions outside the UK and EEA. Where personal data is transferred outside the UK or EEA, we rely on adequacy decisions where they apply, and otherwise on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and supplementary technical and organisational measures. A copy of the transfer mechanism applicable to a particular sub-processor is available on request.

11. Sub-processors

We use a small number of vetted sub-processors to deliver the service. Each is bound by a written data-processing agreement and is subject to security review. The categories of sub-processor we use are:

  • Cloud hosting and managed database (EU region by default).
  • Content delivery and edge security.
  • Payment processing.
  • Transactional email delivery.
  • Error and performance monitoring.
  • Model inference providers for the agent runtime, configured to disable training on submitted content.
  • Customer communication tooling (in-app messaging, support inbox).

A current sub-processor list, with vendor names, locations and processing purposes, is available on request from privacy@attributed.io. We will notify Customers of material changes to the sub-processor list in line with the Data Processing Addendum.

12. Retention

  • Account data — for the lifetime of the workspace and 30 days thereafter, then deleted or anonymised.
  • Customer Data ingested via integrations — retained for as long as the integration is connected. On disconnection the corresponding tokens and credentials are deleted immediately, and cached data is purged on a rolling schedule no longer than 30 days.
  • Storefront Events — 13 months by default, configurable down by the Customer.
  • Findings and Implementation Packs — retained for the workspace's history, deletable by the Customer at any time.
  • Application and security logs — 90 days.
  • Billing records — retained for the period required by law (typically 6 years in the UK).
  • Backups — retained on a 30-day rolling window and overwritten in the ordinary course.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS 1.2 or higher for all data in transit.
  • AES-256 encryption at rest for databases and managed storage.
  • Row-level security in our application database, scoped per workspace.
  • Encrypted storage of OAuth tokens, webhook secrets and integration credentials, never exposed to the browser.
  • Scoped, least-privilege OAuth, with read-only as the default posture.
  • Mandatory single sign-on, hardware-key MFA and audited access for Attributed personnel with production access.
  • Continuous dependency scanning, secret scanning and security review of code changes.
  • Documented incident response procedures and customer breach notification within 72 hours of becoming aware of a notifiable incident.

We are progressing towards SOC 2 Type II. A summary of our security posture is available to qualified prospects under NDA.

14. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • request rectification of inaccurate or incomplete data;
  • request erasure ("right to be forgotten") where the legal grounds apply;
  • request restriction of processing;
  • request data portability for data you have provided to us;
  • object to processing carried out on the basis of our legitimate interests, including direct marketing;
  • withdraw consent at any time where processing is based on consent; and
  • lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office; in the EU, your local Data Protection Authority.

If you are an end user of a Customer's storefront and wish to exercise rights over data we process on that Customer's behalf, please contact the Customer directly; we will assist them as their processor.

To exercise any of the rights above against Attributed as controller, write to privacy@attributed.io. We will respond within one calendar month.

15. Children's data

Attributed is a business-to-business service. It is not directed to children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided personal data to Attributed, please contact us and we will delete it.

16. AI and automated processing

The Attributed agent runtime uses a combination of in-house heuristics, deterministic analytics and third-party large-language-model inference to produce Findings and Implementation Packs. We configure inference providers to disable training on submitted content and we do not use Customer Data to train any model that is shared with other customers or third parties.

Implementation Packs are advisory. They are designed for review by a qualified human before any change is applied to a Customer's stack. Where an Implementation Pack proposes changes that affect users (such as edits to a GTM container), Attributed requires explicit Customer approval before applying them.

Where automated processing produces an output that has a significant effect on an individual, the Customer remains responsible for ensuring an appropriate route to human review.

17. Per-integration disclosures

17.1 Shopify, WooCommerce, Magento

We request read-only access to order, customer count, product, inventory and checkout metadata necessary to compute revenue, conversion and merchandising diagnostics. We do not export the contents of customer records to third parties and we do not enrich or resell merchant data.

17.2 Google Analytics 4 and Google Tag Manager

We request read scopes on GA4 properties and Tag Manager containers selected by the Customer. Where the Customer enables it, we additionally request edit and publish scopes on Tag Manager so that Implementation Packs can propose container changes. No change is applied to a container without explicit in-app approval by an Authorised User. We never read or modify properties outside those the Customer has selected.

17.3 Google Ads

We request the read scopes required to inspect conversion actions, campaign structure and Smart Bidding signals. We do not modify Google Ads accounts without explicit Customer approval.

17.4 Meta (Facebook and Instagram) Ads

We request read scopes on the ad accounts the Customer selects to assess pixel health, conversion API completeness and campaign-level mismatches against ecommerce truth.

17.5 Klaviyo

We request event and list-metadata scopes to evaluate flow performance and revenue attribution. We do not read message content or transmit subscriber lists outside the Customer's Klaviyo account.

17.6 Slack

When you connect Slack to Attributed we store the bot access token (encrypted at rest), the destination channel ID and name, your Slack workspace ID and name, and the user ID of the installer. We use these only to deliver Findings and Implementation Packs to the channel you chose. We never read messages in your channels and we do not request message-history scopes. Disconnecting from the Integrations page removes the token, channel and destination settings from our systems immediately. Messages we previously posted remain in your Slack workspace and follow your Slack retention policy.

18. California (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act. We do not sell or share personal information for cross-context behavioural advertising. The categories of personal information we collect, the purposes for collection and the sources, mirror those described above. To exercise your rights to know, delete, correct or limit, contact privacy@attributed.io. We do not discriminate against individuals for exercising their rights.

19. Changes to this policy

We may update this policy from time to time. For material changes we will notify Customers by email to the workspace owner and by an in-app notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page shows when the policy was last revised. Prior versions are available on request.

20. Contact

Attributed Ltd, United Kingdom.

Privacy: privacy@attributed.io
Data Protection: dpo@attributed.io
Legal: legal@attributed.io
Security: security@attributed.io

This Privacy Policy is provided for transparency and does not constitute legal advice. It should be read together with our Terms of Service and, for business Customers, the Data Processing Addendum available on request.