Privacy Policy

Last Updated: March 20, 2025

RioStack ("we," "our," "us") is committed to protecting your privacy and ensuring the security of the data we process on behalf of our clients. This Privacy Policy explains how we collect, process, and use data to enable marketing and advertising attribution across platforms including LinkedIn, Google, Meta (Facebook and Instagram), TikTok, and others.

1. Scope of This Policy

This Privacy Policy applies to data processed through RioStack’s platform, including:

• Data Ingestion – Collection of data from client sources, including CRM platforms, eCommerce systems, and form providers.
• Data Processing – Standardization, enrichment, deduplication, and hashing (where applicable) of collected data.
• Data Activation – Transmission of processed data to third-party advertising and marketing platforms for conversion tracking, attribution, and optimization.

2. Data We Collect and Process

RioStack processes data on behalf of our clients. The types of data we collect and process may include:

• Personally Identifiable Information (PII)
  • Name
  • Email address
  • Phone number
  • IP address
• Marketing and Attribution Data
  • Ad click IDs (e.g., GCLID, FBCLID, Microsoft Click ID)
  • UTM parameters
  • Campaign engagement data
  • Conversion data
• Transactional Data
  • Purchase amounts
  • Product details
  • Conversion timestamps
• Behavioral Data
  • Website interactions
  • Form submissions
  • Ad engagement

3. How We Process Data

(a) Data Ingestion

Data is collected from client-side and server-side sources using secure APIs and webhook integrations.

(b) Data Processing

All personally identifiable information (PII) such as email addresses and phone numbers are hashed using SHA-256 encryption prior to processing. Data is enriched with campaign metadata, user engagement signals, and third-party tracking parameters.

(c) Data Activation

Processed data is transmitted securely to advertising platforms (e.g., LinkedIn, Google, Meta, Microsoft, TikTok) via server-side APIs (e.g., Conversions API, Offline Conversion API). Only hashed data and anonymized user IDs are sent where required by platform policies.

4. Legal Basis for Processing

We process data under the following legal bases:

• Consent – Where users have provided explicit consent for data collection.
• Legitimate Interest – When processing is necessary to provide services or improve campaign performance.
• Contract Performance – When processing is necessary to fulfill contractual obligations to our clients.

If you wish to withdraw your consent to our collection, use, or disclosure of your Personal Information, please contact us using the contact information below. Withdrawal of consent may affect our ability to provide certain services to you.

5. Data Retention

Conversion and attribution data are retained for up to 24 months unless otherwise agreed with the client.

6. Data Sharing and Disclosure

We do not sell data to third parties. We share data only under the following circumstances:

• With third-party platforms for advertising attribution and campaign optimization.
• With sub-processors or partners who provide essential services.
• Where required by law or in response to legal process.

7. Data Security

• Secure data transmission using HTTPS/TLS encryption.
• Data hashing using SHA-256 prior to transmission to advertising platforms.
• Access controls, firewalls, and network segmentation.

8. Data Subject Rights

You have the right to:

• Request access to personal data we hold.
• Request correction of inaccurate or incomplete data.
• Request deletion of personal data.
• Object to processing of data under certain circumstances.

9. International Data Transfers

We may transfer data to platforms or data centers outside the country of origin. In such cases, we implement safeguards to ensure data protection, including encryption and hashing of sensitive data before transmission.

10. Changes to This Policy

This Privacy Policy is current as of the "last updated" date shown at the top of this page. We may modify this Privacy Policy from time to time. When changes are made, they will become immediately effective when published in a revised Privacy Policy, notice of which may be communicated through our website or by direct email notification.

This Privacy Policy is current as of the "last updated" date shown at the top of this page. We may modify this Privacy Policy from time to time. When changes are made, they will become immediately effective when published in a revised Privacy Policy, notice of which may be communicated through our website or by direct email notification.

11. Contact Information

For questions or concerns regarding this policy or our data processing practices, contact us at:

• Address: Attention: Privacy Officer
• Email: privacy@riostack.com