Privacy Policy

Last updated: April 2026

1. Introduction

Amplyon ("we," "our," or "us") operates the Amplyon platform at amplyon.io. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services. By accessing or using Amplyon, you agree to the terms of this Privacy Policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address, full name, and password (stored as a secure hash). We may also collect your organization name and billing information.

E-Commerce Store Data

When you connect your online store, we access order data, product data, and customer information as authorized through OAuth. Customer personally identifiable information (PII) such as email addresses, phone numbers, and names is immediately hashed using SHA-256 before storage. We never store raw PII.

Ad Platform Data

When you connect advertising accounts (Google Ads, Meta Ads, TikTok Ads), we access campaign performance data, conversion data, and ad spend information through their respective APIs. OAuth tokens for these platforms are encrypted using AES-256-GCM encryption at rest.

Google Ads API Data

Amplyon uses the Google Ads API to access and manage conversion tracking data on your behalf. We access campaign performance metrics, conversion data, and customer match data strictly for the purpose of providing our conversion tracking and analytics services. We do not use Google Ads API data for any purpose other than providing and improving our services to you. Our use of Google Ads API data adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Conversion Event Data

We process conversion events (such as purchases) to upload to your connected ad platforms. This data includes order values, click identifiers (gclid, fbclid, ttclid), and hashed customer identifiers. All PII within conversion events is hashed with SHA-256 prior to processing and transmission.

Usage Data

We automatically collect information about how you interact with our platform, including pages visited, features used, and timestamps.

3. How We Handle PII

We take the handling of personally identifiable information extremely seriously. All customer PII (email addresses, phone numbers, names, and physical addresses) is normalized (lowercased, trimmed) and hashed using SHA-256 immediately upon receipt. We never store raw PII in our database. Hashed PII is used solely for the purpose of conversion matching with advertising platforms.

4. How We Use Your Information

  • To provide, maintain, and improve our services
  • To process and upload conversion events to your connected ad platforms
  • To generate analytics, reports, and recommendations
  • To process payments and manage your subscription
  • To communicate with you about your account and our services
  • To detect, prevent, and address technical issues and security threats

5. Third-Party Services

We use the following third-party services to operate our platform:

  • Supabase -- Database hosting and authentication. Data is stored with row-level security policies ensuring tenant isolation.
  • Stripe -- Payment processing. We do not store credit card information; it is handled entirely by Stripe.
  • Google Ads API -- Conversion tracking and campaign performance data for users who connect their Google Ads accounts.
  • Meta Conversions API -- Server-side conversion tracking for users who connect their Meta Ads accounts.
  • TikTok Events API -- Server-side conversion tracking for users who connect their TikTok Ads accounts.
  • Vercel -- Application hosting and deployment.

6. Data Retention

Conversion event data and analytics data are retained for 90 days from the date of creation, after which they are automatically purged. Account information is retained for the duration of your active account. OAuth tokens are retained until you disconnect the associated platform or delete your account, at which point they are securely destroyed.

7. Data Security

We implement industry-standard security measures to protect your data. All OAuth tokens are encrypted using AES-256-GCM encryption at rest. All data in transit is protected by TLS. Database access is restricted through row-level security policies that ensure strict tenant isolation. All webhook payloads are verified using HMAC signatures. No PII is written to application logs.

8. Cookies

We use first-party cookies only. Session cookies maintain your authenticated state. Our tracking script sets a first-party cookie to capture click identifiers (such as gclid, fbclid, and ttclid) for the purpose of conversion attribution. We do not use third-party cookies or tracking technologies.

9. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to Access -- You may request a copy of the personal data we hold about you.
  • Right to Deletion -- You may request that we delete your personal data. Upon account deletion, all associated data, including encrypted tokens and event data, is permanently removed.
  • Right to Portability -- You may request your data in a machine-readable format.
  • Right to Rectification -- You may request that we correct inaccurate personal data.
  • Right to Opt Out of Sale -- We do not sell personal data. If you are a California resident, you have the right to know that no sale of personal information occurs.

To exercise any of these rights, contact us at info@amplyon.io.

10. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at info@amplyon.io.