Privacy Policy

This Privacy Policy explains how Inceptly LLC, doing business as Bratrax ("Bratrax," "we," "us," or "our"), collects, uses, discloses, and protects information when you visit bratrax.com (the "Site") or use the Bratrax attribution analytics service (the "Service").

If you do not agree with this Privacy Policy, please do not use the Site or the Service.

1. Who This Policy Applies To

This Privacy Policy applies to:

• Visitors to bratrax.com and related subdomains.
• Customers who sign up for a Bratrax subscription (Lite or Clear Vision).
• Authorized users of a customer account.
• Prospects who provide contact information through forms on the Site.

It does not apply to third-party websites or services you reach through links from the Site, or to data processed by LLM providers you connect to Bratrax through the Model Context Protocol.

2. Information We Collect

2.1 Information you provide to us

• Account information: name, email address, password (hashed), company name, and role.
• Billing information: Bratrax does not store payment card details. All billing is handled by our payment processor, Lemon Squeezy. We receive limited billing metadata from Lemon Squeezy (e.g., plan, status, country of billing) but not your full card number.
• Communications: messages you send us via support email, contact forms, or other channels.

2.2 Information we collect from connected platforms

When you connect a third-party platform to Bratrax through OAuth, we collect the data required to deliver the Service. Supported platforms at launch include:

• Shopify: store metadata, orders, customers, products, and revenue data.
• Meta (Facebook and Instagram Ads): ad account information, campaign structure, spend, impressions, clicks, and conversion events.
• Google Ads: account information, campaign structure, spend, impressions, clicks, and conversion events.
• Additional platforms (including TikTok Ads and Klaviyo) may be supported in the future.

We store OAuth tokens in encrypted form and use them only to access the data you have authorized. You can revoke access at any time from the source platform.

2.3 Information collected automatically

• Usage data: pages you view on the Site, features you use in the Service, timestamps, and actions taken. We use this to operate, secure, and improve the Service.
• Device and connection data: IP address, browser type and version, operating system, referring URL, and similar technical data.
• Bratrax pixel data: If you are visiting a site that has installed the Bratrax pixel (including bratrax.com itself), the pixel may record visit metadata such as page URL, referrer, UTM parameters, and a session identifier. The pixel may set one or more first-party cookies for session stitching and attribution purposes.

2.4 Information we do not collect

Bratrax is not designed to process sensitive personal information. We do not collect or use "sensitive personal information" as defined by the California Privacy Rights Act (CPRA) or equivalent state privacy laws. We do not knowingly collect health information subject to HIPAA, government identifiers (Social Security numbers, passport numbers), precise geolocation, or information about children under 16. Do not upload or connect data sources containing these categories.

3. How We Use Information

We use information for the following purposes:

1. Deliver the Service. Authenticate you, connect your data sources, build your dashboards, run attribution models, and respond to your queries.
2. Operate our business. Bill you, provide customer support, send Service-related notices, and enforce our Terms of Service.
3. Improve the Service. Analyze usage patterns and aggregated customer data to refine attribution models, build new features, and fix defects.
4. Publish aggregated benchmarks. We may publish industry benchmarks (for example, "median customer acquisition cost across supplement brands") using aggregated and de-identified data. No single customer is identifiable in our benchmark outputs. You may opt out of inclusion in public benchmarks by emailing legal@bratrax.com; opting out does not affect your use of the Service.
5. Marketing our own product. We may reference aggregated, anonymized customer outcomes in our own marketing (for example, "Bratrax customers average X ROAS improvement"). We do not identify individual customers in marketing without their express written permission.
6. Security, fraud prevention, and legal compliance. Detect abuse, enforce our terms, comply with applicable law, and respond to lawful requests from authorities.

3.1 Legal bases (EU/UK customers)

For customers and users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:

• Performance of a contract: to deliver the Service you have signed up for.
• Legitimate interests: to secure and improve the Service, publish aggregated benchmarks, market our product, and defend our legal interests. We balance these interests against your rights and will not rely on legitimate interests where your interests override ours.
• Consent: where required by applicable law (for example, for non-essential cookies). You may withdraw consent at any time without affecting processing that occurred before withdrawal.
• Legal obligation: to comply with laws and lawful orders.

4. How We Share Information

We share information only as described below.

4.1 Subprocessors

We use the following third-party vendors ("subprocessors") to help us operate the Service. Each is bound by contractual obligations to protect your data.

Additional subprocessors may be engaged for transactional email, error monitoring, internal product analytics, and other operational functions. The list above will be updated as material subprocessors are added.

We will update this list and provide notice of material changes as required by applicable law.

4.2 LLM providers (customer-initiated)

If you connect an AI provider to Bratrax through the Model Context Protocol (MCP) — for example, Anthropic's Claude or OpenAI's ChatGPT — any data you query flows directly from Bratrax to that provider under your contract with that provider. Bratrax is not a subprocessor in that data flow. We do not send your data to any LLM unless you initiate the connection. The provider's own privacy terms govern what they do with the data. We are not responsible for their data practices.

4.3 Other disclosures

We may also share information:

• With your consent or at your direction.
• With your authorized users within your customer account.
• With professional advisors (auditors, lawyers, accountants) under duties of confidentiality.
• In connection with a business transfer (merger, acquisition, asset sale). We will notify you before your information becomes subject to a different privacy policy.
• To comply with law or respond to lawful requests from public authorities, including to meet national security or law enforcement requirements.
• To protect our rights, property, or safety, or those of our customers or the public.

4.4 What we do not do

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not commingle one customer's data with another's — each customer's data is logically isolated in its own storage.

5. Data Storage and International Transfers

Customer Data is primarily hosted in the European Union (Hetzner data center, Finland). Bratrax personnel access Customer Data from the United States to operate and support the Service, which constitutes an international transfer of personal data from the EEA to the United States.

For transfers out of the EEA, UK, or Switzerland to a country that does not provide an equivalent level of protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, and supplement them with technical and organizational measures where required.

Additional operational infrastructure (for example, marketing site hosting and administrative tooling) may run on Google Cloud or other providers in other regions. These systems do not host Customer Data pulled from your Connected Platforms.

6. How Long We Keep Your Information

• Active customer data: for as long as your subscription is active.
• After cancellation or termination: we retain customer data for up to 180 days, structured as (i) a 30-day self-serve export window during which you retain access to your dashboards and ClickHouse instance, followed by (ii) up to 150 additional days of cold retention, during which your data is not accessible to you but can be restored on written request. After 180 days, we permanently delete customer data.
• Billing records: retained as required by applicable tax and accounting law.
• Marketing and prospect data: retained until you unsubscribe or request deletion.
• Backups: regular backups are taken and retained in accordance with industry-standard practices.

If you request deletion under applicable privacy law (see Section 10), we will honor the request within 30 days, subject to narrow exceptions where we are legally required to retain certain records.

7. How We Protect Your Information

We use technical and organizational measures designed to protect your data, including:

• Encryption of data in transit (TLS) and at rest.
• Encrypted storage of OAuth tokens and account credentials.
• Access controls and least-privilege permissions for Bratrax personnel.
• Per-customer data isolation — we maintain logical and access-control separation between customers' data and do not commingle one customer's data with another's.
• Regular review of security practices and subprocessors.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify affected customers without undue delay and consistent with applicable law.

8. Cookies and Similar Technologies

Bratrax uses its own attribution pixel on bratrax.com to measure site engagement. The pixel may set one or more first-party cookies for session stitching and attribution purposes.

We may also use cookies or similar technologies for authentication, security, and essential site functionality.

Where required by applicable law, we will obtain consent before setting non-essential cookies through a cookie consent banner.

You can control cookies through your browser settings. If you disable cookies, some parts of the Site or Service may not function properly.

We do not respond to Do Not Track signals at this time because no consistent industry standard has been adopted.

9. Communications and Marketing

• Service communications. We send transactional emails (billing, security, account notices). You cannot opt out of these while you have an active account.
• Marketing communications. We may send product updates, newsletters, or promotional emails. You can unsubscribe from any marketing email at any time using the unsubscribe link in the email, or by emailing support@bratrax.com.

10. Your Privacy Rights

Subject to applicable law, you have the following rights with respect to your personal information:

• Access: to know what personal information we hold about you.
• Correction: to correct inaccurate or incomplete information.
• Deletion: to request deletion of your personal information.
• Portability: to receive your data in a portable, machine-readable format.
• Objection and restriction: to object to or restrict certain processing.
• Withdrawal of consent: where we rely on consent, you may withdraw it at any time.
• Non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise any of these rights, email legal@bratrax.com. We may need to verify your identity before acting on your request.

Response timelines:

• Under the GDPR and UK GDPR, we will respond within 30 days of receiving your request, extendable by up to 60 days for complex requests with notice to you.
• Under the CCPA, CPRA, and similar U.S. state privacy laws, we will acknowledge your request within 10 business days and provide a substantive response within 45 calendar days, extendable by an additional 45 days with notice to you.

If you are unhappy with our response, you have the right to lodge a complaint with a data protection authority in your jurisdiction.

11. Our Role: Controller and Processor

For information we collect about visitors, prospects, and account administrators (for example, names and email addresses of people who sign up for Bratrax), we act as a controller.

For data you connect to Bratrax from your store, ad platforms, or other third-party sources, we act as a processor on your behalf. You are the controller of that data. Our Terms of Service (Section on Customer Data) governs our processing of that data. On request from EU/UK customers, we will execute a Data Processing Agreement containing Standard Contractual Clauses.

12. Notice to California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

• The right to know what personal information we have collected, the sources, purposes, and categories of third parties with whom it is shared.
• The right to request deletion of personal information.
• The right to correct inaccurate personal information.
• The right to opt out of the "sale" or "sharing" of personal information (for cross-context behavioral advertising).
• The right to limit the use of sensitive personal information.
• The right not to be discriminated against for exercising these rights.

We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.

To exercise your California rights, email legal@bratrax.com. You may designate an authorized agent to act on your behalf.

13. Notice to Residents of Other U.S. States

Residents of states including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana have rights under their respective state privacy laws similar to those described in Section 12. To exercise those rights, email legal@bratrax.com. We do not engage in "targeted advertising," "sale" of personal information, or "profiling" that produces legally significant effects, as those terms are defined under applicable state law.

Right to appeal. If we deny your request in whole or in part, you have the right to appeal our decision by emailing legal@bratrax.com with the subject line "Privacy Request Appeal." We will respond to your appeal within 60 days. If we deny your appeal, we will inform you of your right to contact your state attorney general.

14. Notice to Residents of the European Economic Area, United Kingdom, and Switzerland

In addition to the rights described in Section 10, you have the right to lodge a complaint with your local data protection authority.

The controller of your personal information is Inceptly LLC, 131 Morninghill Drive, Columbia, SC 29210, USA. You can contact our privacy team at legal@bratrax.com.

To the extent required by Article 27 of the GDPR or the UK GDPR, Bratrax will appoint an EU or UK representative and update this Policy accordingly.

15. Children's Privacy

Bratrax is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact legal@bratrax.com and we will delete it.

16. Links to External Sites

The Site and Service may contain links to third-party websites and services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by prominent notice in the Service before the changes take effect. The "Effective date" at the top of this policy indicates when it was last revised. Your continued use of the Service after an update means you accept the updated policy.

18. Contact Us

Questions about this Privacy Policy or our data practices:

Email: legal@bratrax.com
Mail: Inceptly LLC, 131 Morninghill Drive, Columbia, SC 29210, USA