GDPR ReadySOC 2 Aligned

Trust & Privacy

Privacy. Security.
Built-in.

Proova is a revenue attribution platform. We earn trust by handling your data responsibly, maintaining strong security practices, and being transparent about everything we do with your information.

Privacy Policy Data We Collect How We Use Data Data Sharing Your Rights Security Cookies International Transfers Data Retention Compliance Contact Us

🔒

Data Minimization

We collect only what's necessary to deliver attribution. Nothing more.

🛡️

No Data Selling

Your data is never sold, rented, or traded to third parties — ever.

⚙️

You're in Control

Export, update, or delete your data at any time, no questions asked.

Legal

Privacy Policy

Proova, Inc. · Effective Date: April 2026 · Version 1.0

ℹ️Who this applies to

This Privacy Policy applies to all users of the Proova platform globally — visitors, registered customers, and end users whose data is processed through the platform. If you are in the EEA or UK, additional rights described in the International Transfers section apply to you.

Proova, Inc. ("Proova", "we", "our", or "us") operates a revenue attribution and analytics platform that helps businesses track and measure marketing performance across online and offline channels. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform, website, and related services (the "Services").

By accessing or using our Services, you acknowledge that you have read and agree to this Privacy Policy. If you do not agree, please discontinue use immediately.

1. Who We Are

Proova, Inc. is the data controller responsible for personal data processed through our Services. For any privacy-related questions, contact us at privacy@proova.app.

Transparency

2. Information We Collect

We collect only the information necessary to operate our Services. Data falls into the following categories:

👤

Account & Registration

Information needed to create and manage your Proova account.

Full name and professional title
Business email address
Company name and size
Password (stored in hashed form — never readable)
Billing contact information

📊

Platform & Usage Data

Data generated as you interact with the platform.

Click IDs, session tokens, referral parameters
Timestamps of attribution events
IP address (fraud prevention & analytics)
Browser type, OS, device identifiers
Features used and navigation patterns

💰

Revenue & Transaction Data

Data required for attribution and reconciliation.

Order IDs, amounts, currency, status
Product SKUs and categories (if provided)
Offline and online conversion events
CSV imports and webhook data you submit

💳

Billing & Payment

Handled via PCI-DSS-compliant providers. We store only:

Last four digits of card (reference only)
Billing address and postal code
Transaction IDs and payment status
Subscription tier and renewal history

🔒What we never collect

We do not store raw credit card numbers, CVV codes, online banking passwords, or banking credentials. Payment data is handled exclusively by PCI-DSS-compliant processors (Stripe). We do not use invasive fingerprinting as a default approach.

Purpose

3. How We Use Your Information

3.1 Service Delivery

Authenticate and maintain your account
Provide attribution tracking, analytics dashboards, and reporting
Process transactions and manage subscriptions
Integrate with third-party platforms you authorize

3.2 Platform Improvement

Analyze usage patterns to identify and fix bugs
Develop new features and improve existing functionality
Fraud detection and abuse prevention (using aggregated, anonymized data)

3.3 Communication

Transactional emails: invoices, password resets, security alerts
Product updates, release notes, and service announcements
Responding to support and sales inquiries
Marketing communications with your consent (opt-out available at any time)

3.4 Legal & Security Obligations

Detect, investigate, and prevent fraud and unauthorized access
Comply with applicable laws, regulations, and legal processes
Enforce our Terms of Service
Protect rights, property, and safety of Proova, users, and the public

4. Legal Bases for Processing (GDPR / UK GDPR)

For users in the EEA or United Kingdom, we process data under the following legal bases:

Legal Basis	When We Apply It
Performance of Contract	Delivering the Services you subscribed to
Legitimate Interests	Analytics, fraud prevention, product improvement, direct marketing to existing customers
Consent	Marketing communications, non-essential cookies (withdrawal possible at any time)
Legal Obligation	Compliance with applicable laws, tax regulations, and court orders

Third Parties

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

5.1 Service Providers (Sub-processors)

We work with trusted sub-processors who access data only as needed to perform their contracted functions. All sub-processors are bound by Data Processing Agreements (DPAs) and must maintain adequate security standards.

Category	Examples	Purpose
Cloud Infrastructure	AWS, Google Cloud	Hosting and data storage
Payment Processing	Stripe	Subscription billing
Customer Support	Intercom, Zendesk	Support ticket management
Error Monitoring	Sentry, Datadog	Platform reliability
Email Delivery	SendGrid, Postmark	Transactional emails

A current list of sub-processors is available upon request at privacy@proova.app.

5.2 Business Transfers

If Proova undergoes a merger, acquisition, or sale of assets, your information may be transferred to the successor entity. We will notify you via email with at least 30 days' advance notice.

5.3 Legal Disclosures

We may disclose data when required by law, subpoena, or court order, or to protect the rights and safety of Proova, our users, or the public. We will notify you of such requests where legally permitted.

5.4 Aggregated Data

We may share aggregated, anonymized data (from which individuals cannot be identified) for research, industry reports, or with partners. This is not personal data.

Your Rights

6. Your Privacy Rights

Depending on your location, you have the following rights. To exercise any of them, email privacy@proova.app with subject "Privacy Rights Request". We respond within 30 days.

👁️

Right of Access

Obtain a copy of the personal data we hold about you.

✏️

Right to Rectification

Request correction of inaccurate or incomplete data.

🗑️

Right to Erasure

Request deletion of your data (subject to legal obligations).

⏸️

Right to Restriction

Request we limit processing in certain circumstances.

📦

Right to Portability

Receive your data in a structured, machine-readable format.

🚫

Right to Object

Object to processing based on legitimate interests, including direct marketing.

↩️

Withdraw Consent

Where processing is consent-based, withdraw at any time without affecting past processing.

🏛️

Lodge a Complaint

File a complaint with your local data protection authority at any time.

Security

7. Security Measures

We implement industry-standard technical and organizational safeguards to protect your data:

🔐

Encryption in Transit

All data transmitted to and from Proova is encrypted using TLS 1.2 or higher.

🗄️

Encryption at Rest

Sensitive data is encrypted at rest using AES-256.

👥

Access Controls

Role-based access controls (RBAC) restrict data access to authorized personnel only.

🔑

Multi-Factor Auth

MFA is enforced on all internal Proova systems and production access.

🔍

Security Audits

Regular vulnerability assessments and security reviews are performed.

🚨

Incident Response

We maintain documented breach notification processes aligned with GDPR timelines.

⚠️Important note

While we take data security seriously, no system can guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR).

8. Payments Security

Payments are processed exclusively by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. Proova does not collect, store, or transmit raw credit card numbers, CVV codes, or banking credentials. We retain only the last four digits of your card for reference, billing address, and transaction metadata.

9. Cookies & Tracking Technologies

We use cookies and similar technologies. You can manage preferences through our Cookie Settings panel (in the platform footer) or your browser settings. Disabling certain cookies may affect platform functionality.

Cookie Type	Purpose	Can Opt Out?
Strictly Necessary	Authentication, security, core platform functionality	No — required
Functional	Language preferences, session state, UI settings	Limited
Analytics	Aggregate usage patterns (e.g., Google Analytics)	Yes — via cookie banner
Marketing	Ad retargeting and campaign measurement	Yes — consent required

Global

10. International Data Transfers

Proova may transfer personal data outside your country of residence. When transferring from the EEA, UK, or Switzerland to countries not deemed to provide adequate data protection, we rely on:

Standard Contractual Clauses (SCCs) approved by the European Commission
UK International Data Transfer Agreements (IDTAs) where applicable
Other lawful transfer mechanisms as required by applicable law

Details of applicable transfer mechanisms are in our Data Processing Agreement (DPA), available on request at privacy@proova.app.

11. Children's Privacy

Our Services are not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware we have inadvertently done so, we will delete it promptly. Contact privacy@proova.app if you believe a child has submitted data.

Retention

12. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described in this policy, or as required by law.

Data Type	Retention Period
Account data	Duration of subscription + 90 days after closure
Transaction & billing data	7 years (tax and financial reporting obligations)
Usage logs & analytics	24 months identifiable, then anonymized
Support communications	3 years from date of last contact
Deleted data in backups	Up to 30 days before permanent deletion

13. Your Data Control

You may request deletion of your data at any time. Contact privacy@proova.app. Note that some data may be retained to fulfill legal obligations even after deletion requests.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When material changes occur, we will:

Post the updated policy with a new Effective Date
Notify you via email at the address associated with your account
Request re-consent where required by applicable law

Your continued use of the Services after the effective date constitutes acceptance.

Compliance

15. Compliance Posture

Proova is designed for global businesses. We take a proactive approach to privacy and compliance as we grow.

🇪🇺

GDPR / UK GDPR

We process EEA and UK data in compliance with GDPR and UK GDPR, including lawful basis documentation, data subject rights, and DPA agreements.

Standard Contractual Clauses for transfers
Data Processing Agreements available on request
72-hour breach notification process
Privacy by design principles applied

🇺🇸

CCPA / US Privacy

For California residents, we honor all rights under the CCPA including right to know, right to delete, and right to opt-out.

No sale of personal information
Right to know what data is collected
Right to request deletion
Non-discrimination for exercising rights

💳

Paddle Merchant Compliance

Proova uses Paddle as a Merchant of Record for subscription billing. Paddle handles VAT, tax compliance, and payment regulation globally.

Paddle manages tax collection and remittance
Payment data governed by Paddle's PCI-DSS compliance
Subscription terms disclosed at checkout
Refunds processed via original payment method

🌍

Global Merchant Support

Proova supports merchants worldwide including UK, US, EU, and Africa.

Region-appropriate bank linking via Open Banking / aggregators
CSV import fallback for all regions
DPA available for enterprise customers
Security questionnaires fulfilled on request

📋Procurement or compliance review?

If your team needs a security questionnaire response, DPA, or vendor documentation, email hello@proova.app and we'll respond within 2 business days.

Contact

16. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or our data practices, please reach out through any of the following channels:

🔐

Privacy Requests

Data access, deletion, portability, and all privacy rights requests.

✉️privacy@proova.app

💬

General Inquiries

Questions about Proova, compliance, or vendor onboarding.

✉️hello@proova.app

🛠️

Support & Billing

Platform support, refund requests, and billing inquiries.

✉️support@proova.app

Response commitment: We aim to acknowledge all privacy requests within 2 business days and fully resolve them within 30 days. For complex requests requiring additional time, we will inform you within the initial response.

Proova

privacy@proova.app|

Privacy. Security.Built-in.