Last Updated: October 25, 2025
This Privacy Policy explains how Earn Coupon d.o.o. ("we," "us," or "our") collects, uses, shares, and protects your information when you use our LTV SaaS platform and services ("Service"). We are registered at 75 Vodovodska street, Belgrade, Serbia (Tax ID: 107955125).
We are committed to protecting your privacy and being transparent about our data practices. This policy complies with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.
1. Information We Collect
1.1 Account Information You Provide
When you register for LTV SaaS, you provide:
- Contact Details: Email address, name, company name
- Authentication: Password (hashed and salted)
- Team Information: Team member names and roles (for team accounts)
- Billing Details: Processed by Lemon Squeezy (we do not store credit card information)
1.2 Third-Party Platform Connections
When you connect advertising and billing platforms through our Service:
- Google Ads OAuth: We receive OAuth access tokens and refresh tokens to send conversion data on your behalf. We access your customer account ID to identify which account to send conversions to. We do NOT access your campaign data, ad creative, or spend information.
- TikTok OAuth: We receive OAuth access tokens and refresh tokens to send conversion events. We access your advertiser ID and available ad accounts. We do NOT access campaign settings or ad creative.
- Meta Business: You provide a System User access token to send events to Meta Conversions API. We do NOT access your Meta Business account data.
- LinkedIn Ads: You authorize via OAuth. We only SEND conversion events; we do NOT read your campaign data.
- Billing Platforms (Stripe, Paddle, Lemon Squeezy): We receive webhook events containing subscription data. We process webhook signatures to verify authenticity.
1.3 Customer End-User Tracking Data
Our tracking script, deployed by you on your website, collects:
- Attribution IDs: GCLID (Google Ads), FBCLID/FBP (Meta/Facebook), TTCLID (TikTok) — these are NOT personally identifiable information
- UTM Parameters: Campaign tracking parameters from URLs
- Page URLs: Where the tracking code is deployed
- Customer Identifiers: IDs you provide (user_id, organization_id, etc.) to link attribution to subscriptions
- Hashed PII: SHA-256 hashes of email/phone (if provided) for customer matching
Important: We process this data on your behalf as a data processor. YOU are the data controller and responsible for obtaining consent from your end-users.
1.4 Subscription Event Data
From your billing provider webhooks, we collect:
- Subscription status (started, renewed, upgraded, cancelled)
- Subscription amount and currency
- Customer identifier (as configured by you)
- Timestamps and event metadata
1.5 Technical & Usage Data
- IP addresses (for security and fraud prevention)
- Browser type and version
- Device information
- Usage patterns within the platform
- API call logs (for debugging and support)
2. How We Use Your Information
2.1 Service Delivery
- Process and send conversion events to connected ad platforms
- Match attribution data (click IDs) to subscription events
- Generate attribution analytics and reports
- Manage OAuth connections and token refresh
- Process billing provider webhooks
2.2 Platform Operation
- Create and manage your account
- Process payments via Lemon Squeezy
- Send transactional emails (account notifications, billing)
- Enforce plan limits based on MRR tracked
- Provide customer support
2.3 System Improvements
- Analyze aggregated, anonymized usage patterns
- Improve attribution algorithms
- Monitor system performance and errors
- Detect and prevent fraud
3. OAuth Token Management
3.1 Google Ads OAuth
When you connect Google Ads:
- We redirect you to Google's OAuth consent screen
- Google issues access tokens (1-hour lifespan) and refresh tokens
- We store tokens encrypted with AES-256
- We automatically refresh tokens every 6 hours
- Tokens are used ONLY to send conversion data to YOUR Google Ads account
- You can revoke access anytime in your Google Account settings
3.2 TikTok OAuth
When you connect TikTok:
- We redirect you to TikTok's OAuth consent screen
- TikTok issues access tokens (24-hour lifespan) and refresh tokens (365-day lifespan)
- We store tokens encrypted with AES-256
- We automatically refresh tokens daily using rolling refresh (new refresh token on each refresh)
- This enables indefinite access without re-authentication
- Tokens are used ONLY to send conversion events to YOUR TikTok ad account
- You can revoke access anytime in your TikTok Ads Manager
3.3 Token Security
- All OAuth tokens encrypted at rest using AES-256-GCM
- Tokens transmitted only over TLS 1.3
- Access restricted via Row Level Security (RLS)
- Audit logs for all token operations
- Automatic token rotation for security
4. Data Sharing & Third Parties
4.1 Sub-processors
We use the following sub-processors to deliver our Service:
- Supabase (Database & Authentication) — EU/US — Stores all customer data with encryption
- Vercel (Application Hosting) — US — Hosts the web application and serverless functions
- Resend (Transactional Email) — US — Sends account notifications and billing emails
- Lemon Squeezy (Payment Processing) — US — Processes subscription payments (PCI-DSS compliant)
See our Sub-processors List for complete details including data protection safeguards.
4.2 Advertising Platforms (Data Recipients)
We send conversion data TO the following platforms on your behalf:
- Google Ads — Conversion events with GCLID attribution
- Meta Conversions API — Conversion events with FBCLID/FBP attribution
- TikTok Events API — Conversion events with TTCLID attribution
- LinkedIn Ads — B2B conversion events with LinkedIn tracking UUID
Important: We ONLY send conversion data TO these platforms. We do NOT receive or access data FROM them (except during OAuth authorization to get account IDs).
4.3 No Data Selling
We do NOT sell, rent, or trade your personal information or your customers' data to third parties. Under CCPA, we do not "sell" personal information as defined by California law.
5. Data Storage & Security
5.1 Encryption
- At Rest: AES-256 encryption for sensitive data (API keys, OAuth tokens, billing webhooks)
- In Transit: TLS 1.3 for all API communications
- Database: PostgreSQL with Row Level Security (RLS) ensuring data isolation between accounts
5.2 Access Controls
- Multi-factor authentication (MFA) support
- Role-based access control (team permissions)
- Audit logs for all configuration changes
- OAuth state validation (CSRF protection)
5.3 Data Retention
- Active accounts: Data retained while subscription active
- Job logs: 30 days (for debugging)
- Attribution analytics: 90 days (for reporting)
- Audit logs: 1 year (for security)
- After termination: Data deleted within 30 days (backups within 90 days)
5.4 Data Location
- Primary database: Supabase (EU or US regions)
- Application: Vercel Edge Network (globally distributed)
- Backups: Same region as primary database
6. Cookies & Tracking Technologies
6.1 Cookies We Set on ltvsaas.com
- Authentication cookies (Essential) — Keep you logged in
- Session cookies (Essential) — Remember your preferences
- Analytics (Optional) — Privacy-friendly analytics (no personal data)
6.2 Third-Party Cookies We Read
Our tracking code (deployed on YOUR website) reads cookies set by advertising platforms for attribution matching:
- _gcl_aw (Google Ads) — Extracts GCLID for attribution (90-day expiry set by Google)
- _fbc (Meta/Facebook) — Extracts FBCLID for attribution (90-day expiry set by Meta)
- _ttclid (TikTok) — Extracts TTCLID for attribution (28-day expiry set by TikTok)
Purpose: Link subscription events to original ad clicks. These cookies are set by ad platforms, not by us. We only read them for attribution purposes.
Your Responsibility: YOU must obtain consent from your end-users before deploying our tracking code. We provide the technology; you handle consent management.
See our Cookie Policy for complete details.
7. Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
7.1 Right to Access
Request a copy of all personal data we hold about you.
7.2 Right to Rectification
Correct inaccurate personal data in your account settings or by contacting us.
7.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data. We will delete within 30 days unless legally required to retain.
7.4 Right to Data Portability
Export your data in a machine-readable format (JSON) via our dashboard.
7.5 Right to Object
Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
7.6 Right to Restrict Processing
Request temporary suspension of data processing in certain circumstances.
7.7 Right to Withdraw Consent
Withdraw consent for data processing anytime by disconnecting integrations or deleting your account.
How to Exercise Rights: Email admin@ltvsaas.com with your request. We respond within 30 days.
8. Your Rights Under CCPA (California Residents)
8.1 Right to Know
Request disclosure of personal information collected, used, and shared in the last 12 months.
8.2 Right to Delete
Request deletion of personal information we collected from you.
8.3 Right to Opt-Out of Sale
We do NOT sell personal information. We never have and never will sell your data to third parties.
8.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
How to Exercise Rights: Email admin@ltvsaas.com. We respond within 45 days.
9. Data Processing Role
9.1 When We Are a Data Controller
For your account information (email, name, company), we are the data controller.
9.2 When We Are a Data Processor
For your customer tracking data (click IDs, subscription events), we are a data processor. YOU are the data controller and responsible for:
- Obtaining consent from your end-users for tracking
- Providing privacy notices to your end-users
- Handling data subject requests from your end-users
- Complying with applicable data protection laws
See our Data Processing Agreement for detailed processor obligations.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence:
- EU to US transfers: Protected by Standard Contractual Clauses (SCCs) with Supabase and Vercel
- Adequacy decisions: We rely on EU Commission adequacy decisions where available
- Your OAuth tokens: Stored in the region of your choice (EU or US Supabase instance)
11. Children's Privacy
LTV SaaS is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 16, we will delete it immediately.
12. Data Breach Notification
In the event of a personal data breach:
- We will notify affected customers within 72 hours
- We will notify supervisory authorities as required by GDPR
- We will provide details about the breach and mitigation steps
- We maintain cyber insurance for data breach incidents
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email (for significant changes)
- We will post a notice in the dashboard
- Continued use after changes constitutes acceptance
14. Contact & Data Protection Officer
For privacy-related questions or to exercise your rights:
Earn Coupon d.o.o.
Data Protection Officer
75 Vodovodska street
Belgrade, Serbia
Tax ID (PIB): 107955125
Email: admin@ltvsaas.com
For GDPR concerns, you also have the right to lodge a complaint with your local supervisory authority.
15. Legal Basis for Processing (GDPR)
We process your data under the following legal bases:
- Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service
- Legitimate Interests (Art. 6(1)(f)): Fraud prevention, system security, service improvement
- Legal Obligation (Art. 6(1)(c)): Tax compliance, regulatory requirements
- Consent (Art. 6(1)(a)): Where explicitly obtained (e.g., marketing emails)
16. Your Customers' Data
Important Clarification: When we process data about your customers (end-users of your SaaS):
- YOU are the data controller
- WE are the data processor acting on your instructions
- YOU must provide privacy notices to your end-users
- YOU must obtain consent for tracking (where required)
- WE process data only as necessary to provide the Service to you
- See our Data Processing Agreement for processor obligations
17. California "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing. We do NOT share personal information with third parties for their direct marketing purposes.
18. Do Not Track Signals
Our Service does not currently respond to Do Not Track (DNT) browser signals. We collect minimal tracking data necessary for service functionality only.
Disclaimer: This Privacy Policy is designed to comply with GDPR, CCPA, and other major data protection laws. However, you should consult with legal counsel to ensure compliance with all applicable laws in your specific jurisdictions.