1. Identity of the data controller
For data collected through the tag installed on our clients’ websites, the data controller is the client itself (the site publisher). Walityk acts as a processor within the meaning of Article 28 GDPR — see the Data Processing Agreement (DPA).
For data relating to user accounts of the Walityk platform itself (sign-up, billing, support), the data controller is:
- Impulse Analytics — publisher of the Walityk service
- GDPR contact: privacy@walityk.com
2. Data processed
2.1 Data collected via the tag (on behalf of the client)
- Navigation events: page URL (truncated to 2 KB, sensitive parameters stripped), referrer, event type (page view, add to cart, purchase, etc.), timestamp.
- Pseudonymous identifiers: `uid` (HMAC-signed first-party cookie, 13-month lifetime), `sid` (session, 30-minute lifetime).
- Attribution data: click IDs (gclid, fbclid, ttclid, msclkid, gbraid, wbraid) and UTMs extracted from the URL — removed if `ad_storage` is denied.
- Country-level geolocation only (derived from IP; the raw IP is never logged — only a SHA-256 hash is retained for 24-hour deduplication).
- For conversions: hashed email (SHA-256) and hashed phone (SHA-256) where provided by the site, transmitted to marketing destinations (GA4, Meta CAPI, Google Ads, TikTok Events) in compliance with Consent Mode v2. Plaintext values are never persisted in our databases.
2.2 Platform account data
- Business email (magic link / Google OAuth authentication).
- Organisation name, declared sites, destination configurations.
- Billing data: email, Stripe customer ID (card numbers never transit through our servers).
- Technical logs: IP addresses of admin sessions, user agent.
3. Purposes & legal bases
| Purpose | Legal basis | Retention |
|---|---|---|
| Exempted audience measurement (anonymised) | Legitimate interest + CNIL guidelines | 13 months |
| Advertising measurement (CAPI, Ads conversions) | Explicit consent (Consent Mode v2) | 13 months |
| Real-time debugging (live tail) | Client’s legitimate interest | 24 hours (automatic hourly purge) |
| Authentication & account management | Performance of the contract | Contract term + 3 years |
| Billing | Legal obligation | 10 years (accounting obligations) |
4. Recipients
Data is accessible to authorised Walityk staff and to our sub-processors listed on the Sub-processors page. No data is ever sold or used for cross-client profiling.
5. Data location
Analytics data is stored in Supabase (Postgres, Frankfurt region, European Union). The tag and the ingestion workers run on Cloudflare; Cloudflare Workers execute code close to the end user, but no raw data is persisted in Edge/KV/Queues beyond the time strictly necessary for processing (24-hour deduplication, forwarding queue <1h).
No transfer outside the EU takes place for analytics data. Payment data transits through Stripe (United States) under Standard Contractual Clauses and the EU-US Data Privacy Framework.
6. Security
- TLS 1.2+ encryption for all network communications.
- At-rest encryption of Supabase databases (AES-256).
- Strict Postgres RLS: tenant isolation via the `tenant_id` policy.
- HMAC on first-party cookies, no plaintext PII stored on the DB side.
- Logged admin access, mandatory MFA for Walityk operators, principle of least privilege.
- Breach notification: 24 hours to inform the client (within the statutory 72-hour deadline for the controller to notify the supervisory authority).
7. Data subject rights
In accordance with Articles 15 to 22 GDPR, every data subject has the rights of access, rectification, erasure, restriction, objection and portability.
Requests addressed directly to Walityk concerning data collected through a client’s tag are relayed to the data controller (the client). For platform account data, contact privacy@walityk.com. Response within 30 days.
You may lodge a complaint with the CNIL (cnil.fr/en/plaintes) or your local supervisory authority.
8. Data obtained through Google APIs (OAuth)
When you connect your Google account to Walityk, we request the following permissions, solely to provide the service:
- Google Analytics (`analytics.edit`): list your GA4 properties and automatically create a Measurement Protocol API secret and custom dimensions on the property you select.
- Google Ads (`adwords`): list your Google Ads accounts, create the conversion actions you configure and import your server-side conversions into your account.
Walityk’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: this data is used exclusively for the features described above. It is never sold, never used for Walityk’s own advertising purposes, and never transferred to third parties outside the destinations you configure yourself. No human accesses it, except for legal obligations, security incidents or at your explicit request (support).
The Google access token (refresh token) is stored encrypted (AES-GCM) in our European database and is never exposed to the browser. You can revoke access at any time by removing the connection in Walityk or from myaccount.google.com/permissions; the token is then deleted from our systems.
9. Data Protection Officer
Walityk is not required to appoint a statutory DPO (Article 37 GDPR not triggered at this stage). A GDPR officer is nevertheless appointed internally and reachable at privacy@walityk.com.