1. Who we are
Decisa is an advertising operating system with two modules — Attribution and Campaign Management. This policy covers both. Where behaviour differs between modules, it's called out.
2. Account data
When you register or use the dashboard we store:
- Your name and email for sign-in and account communication.
- Your password hashed with bcrypt — we never see the plaintext.
- Workspace metadata — name, slug, capability flags (attribution enabled? campaign management enabled? agency mode?).
- Billing details if you subscribe — handled by Stripe; we keep the customer ID and subscription state, never the card number.
3. Attribution data — the pixel and /collect
If you install pixel.js on your site, every page load sets a first-party cookie named dcs_vid in your visitor's browser. The cookie expires 12 months after the last visit. The pixel sends one POST to /collect per click with:
- Page URL (path + query string with utm_* and gclid/fbclid/ttclid)
- Referrer URL
- User-Agent string
- The
dcs_vidcookie value - The visitor's IP address, which we immediately hash with a per-workspace salt before storage
We do not fingerprint. No canvas hashing, no font probe, no IP+UA matching. dcs_vid is the only identifier.
4. Conversion data — /v1/conversions
When your backend POSTs to /v1/conversions, we accept an external_id, optional visitor_id, optional customer_email, and optional revenue value. Before anything lands in the database:
- Email is SHA256-hashed. We never store the raw email.
- IP is hashed with a per-workspace salt. Rainbow-table attacks across workspaces don't work.
- Raw payload is stored verbatim in JSONB for debugging and backfills. We don't rewrite history — if our mapping logic changes, we create a new derived row rather than overwriting the old one.
5. Connected ad accounts (Campaign Management module)
If you OAuth into Google Ads, Meta, TikTok, or X, we receive an access token and refresh token from that platform. Tokens are encrypted at rest with app-level encryption.
We request the minimum scopes needed for the current product phase. With those tokens we read:
- Campaign, ad group, ad, and keyword names and settings
- Performance metrics (impressions, clicks, conversions, spend)
- Account ID and currency
We do not read end-user personal data from those platforms beyond what the platform exposes to standard advertiser tools.
6. CAPI pushback — data we send back
If you enable the Conversions API pushback feature, Decisa forwards your attributed conversions to Meta, Google, or TikTok. What we send:
- SHA256-hashed customer email (never raw)
- Conversion timestamp, event type, value, currency
- A platform-side event ID we generate for dedupe
You can disable CAPI pushback per integration at any time from workspace settings. No conversion data is forwarded if the feature is off.
7. Checkout webhooks (Shopify, Stripe, Kiwify)
Every webhook receiver verifies the platform's HMAC signature before any DB write. Raw payloads are stored verbatim and immutable. Mapping versions are stored on each conversion row so historic results stay reproducible.
8. Cookies we set
dcs_vid— first-party visitor identifier set bypixel.js. 12-month rolling expiry. Required for attribution to work.dcs_consent— your cookie banner choice (necessary / analytics / marketing categories, plus a policy-version stamp so we know when to re-ask). Stored in your browser's localStorage and mirrored as a first-party cookie so the server can honor your choice on every request. Not shared with anyone.- Laravel session cookie — when you're signed in to the dashboard. Secure, HTTP-only, SameSite=Lax.
Analytics and marketing cookies are off by default. You decide on the banner, and you can change your mind any time:
9. Retention
- Workspace deletion soft-deletes for 30 days, then hard-deletes everything.
- Audit logs may be retained for compliance as required by law.
- Aggregate analytics (no PII, no email hashes) may be retained for product improvement.
- Database backups follow a 14-day rolling rotation.
Request immediate hard-delete (skip the 30-day window) by emailing [email protected].
10. Your rights
- Access — request a copy of your data
- Correction — request fixes to inaccurate data
- Deletion — request hard-delete
- Portability — export as CSV / JSON
- Disconnect — revoke OAuth on any connected ad platform at any time from settings
Exercise any of these by emailing [email protected]. We respond within 30 days.
11. Sub-processors
We use these third parties to run Decisa:
- Hetzner / Dokploy — application + database hosting
- Stripe — billing and subscription management
- Resend — transactional email delivery
- Sentry — error tracking (no PII; user IDs only)
12. International transfers
Data is processed in the EU (Hetzner). Sub-processors may transfer data to other jurisdictions under standard contractual clauses.
13. Children
Decisa is not for users under 18. We don't knowingly collect data from children.
14. Changes
Material changes will land in the changelog and bump the date at the top of this page. Continued use after a change means acceptance.
15. Contact
Privacy questions → [email protected]. General questions → [email protected].