Privacy Policy

Effective date: April 30, 2026
Last updated: April 30, 2026

This Privacy Policy explains how Attributer Pty Ltd (“Converly,” “we,” “us,” “our”) collects, uses, stores, and shares personal information in connection with the Converly service.

Who this policy covers

Converly handles personal information about two different groups of people, and the rules are different for each:

1. Converly customers — marketers, agencies, and businesses who sign up for a Converly account to track form submissions on their own websites. For this group, Converly is the data controller.
2. Visitors to a Converly customer’s website — people who submit forms on a website that has Converly installed. For this group, the website operator who installed Converly is the data controller, and Converly is the data processor acting on their instructions. If you’re an end visitor and want to know how your form data is handled, start with the privacy policy of the website where you submitted the form. The sections below describe what we (Converly) do with that data on the website operator’s behalf.

1. Who we are

Converly is a SaaS product that helps marketers track form submissions on their own websites and forward them as conversion events to advertising and analytics platforms (Google Ads, Google Analytics 4, Meta, and similar).

Converly is operated by Attributer Pty Ltd, registered in Australia. Privacy questions should be sent to privacy@converly.io.

2. Information we collect

2.1 From Converly customers (account holders)

When you sign up for or use Converly, we collect:

• Name and email address (for account creation and product communications)
• Password (stored using industry-standard one-way hashing — never recoverable in plaintext)
• Company name and website URL
• Billing information (processed by Stripe — Converly does not store full card numbers; we receive only the last four digits and card brand)
• IP address and browser user agent (for authentication, security, and abuse prevention)
• OAuth refresh and access tokens for the advertising and analytics platforms you connect to your account (stored encrypted at rest using AES-256)

2.2 From visitors to customer websites

When a visitor submits a form on a website that has Converly installed, the Converly tracking script collects and sends to our servers:

• Personal information submitted in the form: email address, phone number, first name, last name, and any other fields the website operator chooses to capture
• The names of all fields in the form (but not their values, except for the personal fields above)
• The visitor’s IP address and browser user agent
• The URL of the page where the form was submitted, and the URL of the page that referred the visitor there
• The timestamp of the submission
• Advertising click identifiers from the URL (e.g. Google’s gclid, Microsoft’s wbraid/gbraid, Facebook’s fbclid)
• Advertising cookies set by the visitor’s browser (e.g. Facebook’s _fbp and _fbc cookies)
• Marketing parameters from the URL (e.g. UTM parameters: utm_source, utm_medium, utm_campaign)

How this data is stored. Plaintext personal information (email, phone, first name, last name), IP address, and user agent are stored for 7 days so the website operator can review their conversion activity in the Converly dashboard. After 7 days, this personal information is automatically purged from our database. The remaining metadata (timestamps, click identifiers, page URLs, UTM parameters) is retained for a further period for diagnostic purposes; the entire record is then automatically deleted at 30 days.

What Converly does NOT collect from form submissions:

• Payment card details, bank account numbers, or other financial credentials (Converly is not a payment processor and is not designed to capture such fields)
• Health, biometric, genetic, sexual-orientation, religious-belief, political-opinion, or other special-category personal data
• Personal information about children under 13

The website operator is responsible for ensuring that the forms they install Converly on do not capture any of the above.

2.3 From OAuth integrations with ad platforms

When a Converly customer connects their Google Ads, Google Analytics, or Meta account via OAuth, Converly receives:

• OAuth refresh and access tokens issued by the platform
• Identifying metadata about the connected account (e.g. the customer ID, account name, list of conversion actions or data streams)

OAuth refresh tokens are encrypted at rest using AES-256 in a dedicated secrets store, separate from operational data. Converly personnel cannot access OAuth tokens in plaintext in the normal course of operation. Tokens are decrypted only at the moment of forwarding a conversion event to the corresponding platform.

3. How we use information

We use the information we collect to:

• Provide the Converly service: track conversions, display the dashboard, and forward conversion events to the advertising and analytics platforms the customer has connected
• Authenticate customers and secure the service
• Bill customers (via Stripe)
• Send transactional emails (account notifications, billing receipts, password resets)
• Diagnose technical issues and investigate abuse
• Improve the service through aggregated, anonymized analysis

We do not:

• Sell personal information to third parties under any circumstances
• Use Google or Meta user data for advertising, retargeting, or audience building
• Train artificial intelligence or machine learning models on customer or visitor data

4. How we share information

4.1 Forwarding conversion events to connected ad platforms

The core function of Converly is to forward conversion events to the advertising and analytics platforms the customer has connected. When a form is submitted on a customer’s website, Converly transmits the conversion event to those platforms on the customer’s behalf. Specifically:

• Google Ads (Enhanced Conversions for Web API). Email, phone number, first name, and last name are SHA-256 hashed before being transmitted. The Google Click ID (gclid) is transmitted in the clear (it is not personal information). Plaintext name, email, or phone is never sent to Google Ads.
• Google Analytics 4 (Measurement Protocol). Email, phone number, first name, and last name are SHA-256 hashed before being transmitted. The visitor’s IP address is transmitted in the clear, as required by GA4 for geographic attribution. Plaintext name, email, or phone is never sent to GA4.
• Meta Conversions API (CAPI). Email, phone number, first name, last name, and the Meta external ID are SHA-256 hashed before being transmitted. The visitor’s IP address and user agent are transmitted in the clear, as required by Meta for event match-quality scoring. The Facebook click ID (fbc) and Facebook pixel cookie (_fbp) are transmitted unhashed because they are device identifiers, not personal information per Meta’s specification. Plaintext name, email, or phone is never sent to Meta.

In all cases, the destination platform is the one the customer chose when configuring their flow, and the website operator is responsible — under their own privacy notice and consent obligations — for the lawful basis of forwarding visitor data to those platforms.

4.2 Subprocessors

We rely on the following third-party service providers (“subprocessors”) to operate Converly. Each is contractually bound by appropriate data-protection terms.

We do not authorize any subprocessor to use personal information for any purpose other than providing the contracted service to Converly.

Note on Sentry session replay: Sentry session replay captures interaction events on the Converly dashboard for debugging purposes. It is configured to mask all input fields and personal information by default; it does not record visitor activity on customer websites.

4.3 Legal disclosures

We will disclose personal information to law enforcement, courts, or other authorities only when required by valid legal process (subpoena, warrant, court order) and only the minimum necessary to comply. Where legally permitted, we will notify the affected customer before disclosure.

5. Google API Services User Data Policy

Converly’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, data accessed via Google Ads or Google Analytics OAuth scopes is only used to provide or improve user-facing features that are prominent in the Converly user interface — namely, sending conversion events to the customer’s own connected Google Ads or Google Analytics 4 account, and displaying account, property, and conversion-action lists in the dashboard so the customer can choose where to send their conversions.

Data accessed via Google APIs is not used to:

• Serve advertisements (including retargeting or personalized advertisements)
• Sell or transfer to third parties for advertising or marketing purposes
• Train, improve, or fine-tune artificial intelligence or machine learning models
• Allow humans to read the data, except (i) with the explicit consent of the affected user, (ii) for security purposes (such as investigating abuse), (iii) to comply with applicable law, or (iv) where the data has been aggregated and anonymized

Customers can revoke Converly’s access to their Google account at any time by visiting https://myaccount.google.com/permissions and removing Converly from the list of authorized apps.

6. Data retention

Customers can request earlier deletion of any of their data at any time by emailing privacy@converly.io or by closing their account from within the dashboard.

7. Your rights

Depending on where you live, you may have rights under GDPR, the UK GDPR, the CCPA/CPRA, or similar laws to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Delete your personal information
• Restrict or object to processing
• Receive your information in a portable format
• Withdraw consent where processing is based on consent
• Opt out of the sale or sharing of personal information (Converly does not sell personal information; this right is provided automatically)
• Lodge a complaint with your local data protection authority

To exercise any of these rights:

• If you are a Converly customer, email privacy@converly.io from the email address associated with your account, or contact us through your account settings.
• If you are a visitor whose form submission was tracked by Converly on a website, please contact the website operator first — they are the data controller and can identify your records and request deletion through Converly. You may also contact us directly at privacy@converly.io, but please note that without coordination with the website operator, we may not be able to identify your specific records.

We will respond to verified requests within 30 days, or sooner where required by applicable law.

8. Security

We protect personal information using:

• TLS 1.2 or higher encryption in transit
• AES-256 encryption at rest for OAuth tokens and other sensitive credentials
• Industry-standard one-way hashing for customer passwords (passwords are never recoverable in plaintext)
• Role-based access controls; production database access is restricted to a small number of authorized personnel and is logged
• Code review and security testing on changes that touch authentication, encryption, or data-handling logic
• Hosting on infrastructure providers (Railway, Supabase) with SOC 2 Type II compliance

No system is perfectly secure. If we discover a security incident affecting your personal information, we will notify you and the relevant authorities as required by applicable law, without undue delay.

9. International data transfers

Converly is operated from Australia, and our infrastructure subprocessors are located in the United States (see Section 4.2). If you are accessing Converly from outside the United States — including from the EU, UK, or other regions — your personal information will be transferred to and processed in the United States.

Where required by GDPR, UK GDPR, or other applicable law, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and (where applicable) the UK International Data Transfer Addendum to ensure an adequate level of protection for international transfers. A copy of the relevant SCCs is available on request from privacy@converly.io.

10. Children’s privacy

Converly is a business-to-business product designed for marketers and is not intended for use by children. We do not knowingly collect personal information from children under 13 (or under 16, in jurisdictions where that is the applicable threshold).

If you become aware that a child has submitted a form on a website using Converly and you believe their data may be held in our systems, please contact privacy@converly.io and we will delete it promptly. Website operators are responsible for ensuring their site complies with COPPA, GDPR-K, and similar children’s-privacy laws — including not installing Converly on forms that target or are likely to be used by children.

11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent version. For material changes, we will notify Converly customers by email and post a notice in the dashboard at least 14 days before the change takes effect.

12. Contact us

For privacy questions, data subject requests, or to report a privacy concern:

Email: privacy@converly.io
Mailing address: Attributer Pty Ltd, 18 Lesley Close, Elanora Heights, NSW 2101, Australia

If you are in the EU/EEA or UK and we are unable to resolve your concern, you may lodge a complaint with your local data protection authority:

• EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en
• UK: https://ico.org.uk/