Privacy and Security

At Trackingplan, protecting personal data is not a feature—it is a founding principle. We build every component with the European tradition of strong privacy safeguards in mind and treat the GDPR as a starting point, not a finish line. Three core values guide our engineering decisions: privacy by design, security in depth and transparent compliance. We prevent personal data from leaving the user’s device thanks to advanced on‑device masking, operate exclusively on hardened AWS PaaS services, and define least‑privilege access so each service can do only what is strictly necessary. We hold ourselves accountable through rigorous peer review, continuous monitoring and an on‑call culture that responds to issues before they become incidents. The pages that follow describe how these values translate into concrete safeguards. If you have questions, please reach out to [email protected].

Our SDK forwards only anonymized events required for anomaly detection and never collects more data than our clients already send to analytics providers.

Client data stays encrypted and isolated. Running entirely on hardened AWS PaaS services, we encrypt data in transit and at rest, enforce least‑privilege access via granular IAM roles and resource-level permissions, and automatically destroy customer data after 90 days.

People, process, and compliance are built‑in. Every change is peer‑reviewed and CI/CD‑deployed; we enforce 2FA and audit logs; on‑call coverage and 24/7 monitoring guard availability, while GDPR principles and an optional DPA establish legal obligations.

Trackingplan's offering includes a Privacy Audit. It monitors your sites and apps for accidental private‑data leaks to other vendors: it watches outbound traffic, flags personal information sent to third‑party vendors, checks consent signals and helps with compliance.

Overview: how Trackingplan handles data

The Trackingplan SDK inspects only the requests client sites or apps already send to third‑party services, processes them locally, and forwards to our backend only the events—already anonymized—needed for anomaly detection.

  • The SDK runs inside our clients’ users’ browsers and mobile apps.
  • It observes only the requests that are already being sent to third‑party services selected by our clients (e.g. Google Analytics, HubSpot, Mixpanel, Google Ads).
  • On the device it parses those requests locally and applies anonymization or masking where necessary.
  • Only the processed and already anonymized events are sent to Trackingplan’s servers.
  • On our servers the events are parsed and modeled, then monitored for anomalies that may reveal implementation errors by the client or third‑party tools.
  • A web interface lets our clients inspect the detected data schema, alerts, and sample events for debugging.

On‑device anonymization and masking

Personal data is removed on the user’s device, so no identifying information leaves the origin.

  • Trackingplan identifies most of the private data using a broad range of patterns and vendor‑specific rules.
  • Private fields are masked on‑device, so no personal data leaves the user’s device. We use masking instead of hashing to avoid cross‑request user identification.
  • Clients can extend the PII rules to match their specific use case.
  • This behavior is optionally enabled in our SDK.

No extra data collection

Trackingplan sees only the data clients already share with other vendors and strips any extra identifiers.

  • Even with masking turned off, the SDK transmits only the data already sent to third‑party services.
  • Trackingplan does not identify users.
  • It does not store data that could be used for identification or fingerprinting (e.g., IP addresses); these are stripped before processing.
  • The Privacy Audit feature highlights any private data being forwarded to third parties so clients can shut it off.

Helps with PII and consent compliance

Trackingplan's Privacy Audit feature monitors accidental sharing of personal data with other third‑party vendors.

  • Trackingplan is used by our clients to audit the privacy compliance of their integrations with other vendors.
  • It continuously scans every request and flags any private data sent to analytics, advertising or CRM vendors, pinpointing the exact field, page and destination.
  • It allows verifying that no data is sent when users opt out via Consent Mode or similar mechanisms and alerts whenever a vendor receives data that contravenes user choice.
  • It provides legal and DPO teams with actionable evidence to stop the transfer of disallowed data and restore compliance.

Infrastructure and data security

Hosted on AWS, all data is encrypted in transit and at rest and retained for a maximum of 90 days under strict access controls.

  • All data is encrypted in transit (TLS 1.2+).
  • All workloads run on hardened AWS accounts isolated by environment, and we favour managed Platform‑as‑a‑Service (PaaS) offerings to reduce patching overhead and attack surface.
  • Stored data is encrypted with AES‑256.
  • All public endpoints are shielded by AWS WAF, which blocks common web‑layer attacks and abusive traffic.
  • Each component requires explicit, least‑privilege permissions—defined in Terraform—to communicate with any other component.
  • Our only sub‑processors are AWS and ClickHouse Cloud, both covered by signed DPAs referenced in our Privacy Policy.
  • Customer data is automatically deleted after 90 days.

Application security

Granular roles, strong authentication, and a self‑service deletion workflow keep customers in full control.

  • Dashboards use a role‑based system (administrator, editor, viewer) that clients manage per workspace.
  • Every access requires OAuth 2 authentication (AWS Cognito); workspace data is accessible only by the customer, and the Trackingplan team may obtain audited support access when requested.
  • Clients can trigger complete account deletion at any time; after legal retention periods all data is irreversibly wiped.
  • Sessions expire after inactivity and are protected against CSRF and session‑fixation attacks.
  • SSO is available for enterprise accounts.

Process and team security

Every employee uses 2FA; access is logged, and a dedicated security team manages backups, compliance and security standards.

  • Company‑wide Two‑Factor Authentication is enforced.
  • All staff receive annual security training and sign confidentiality agreements; access to production systems is logged via audit logs.
  • A dedicated DevOps and Security team oversees infrastructure, backups, and incident response and serves as the red team during penetration tests.
  • We use point-in-time backups that are retained for 30 days before automatic deletion.
  • Each code change is peer‑reviewed, automatically tested pre- and post-merge, deployed to staging, and monitored after production release.
  • When changes affect infrastructure, including new API endpoints, the DevOps and Security team performs an additional code review, test and monitoring validation before they reach production.
  • A 24/7 on‑call rotation responds to alerts.

GDPR compliance

Trackingplan meets all GDPR principles: data minimization, strong encryption, optional DPA, and clear processes for data‑subject rights and breach notifications.

  • Role and contract: We act as a processor and provide an optional DPA if a client needs to send unmasked personal data.
  • Lawfulness and purpose: Data is processed solely to monitor implementations and detect anomalies; it is never resold or used for marketing.
  • Minimization and retention: Only the fields required for monitoring are processed, anonymized at source, and automatically deleted after 90 days.
  • Security: Encryption in transit (TLS 1.2+) and at rest (AES‑256), role‑based access and 2FA, EU/US data centers chosen by the client with SCCs when needed.
  • Rights and breaches: We honor data‑subject requests and notify any breach within 72 hours.
  • Governance: We keep a processing record and have an assigned DPO ([email protected]).

Company profile

Independent, well‑funded, and trusted by global brands.

  • Founded in 2021 by former Oracle, CaixaBank, and Google employees.
  • Backed by tier‑1 investors on both sides of the Atlantic, including Y Combinator and Nauta Capital.
  • Over 200 companies—from billion‑dollar enterprises to high‑growth startups—use Trackingplan in production.
  • Trackingplan operates through two legal entities to comply with clients' regional regulations: Trackingplan, Inc. in the US and Trackingplan Europe S.L. in the EU.