Legal
Privacy Policy
This Privacy Policy explains how Nitoriq collects, uses, stores, discloses, and protects information through our websites, hosted application, APIs, tracking tools, integrations, support channels, and related services.
Nitoriq is built for business users who manage traffic, attribution, reporting, conversion APIs, ecommerce data, and connected ad platforms. The information we process depends on the features your workspace enables and the third-party services you connect.
Nitoriq is operated by ByteAssembly. References to "Nitoriq," "we," "us," and "our" mean ByteAssembly operating the Nitoriq service.
In short, Nitoriq uses account data to run your workspace, tracking and integration data to provide attribution and reporting, and connected-platform data only for the features you choose to enable. We do not sell customer workspace data or use connected ad-platform data to build advertising profiles for Nitoriq.
1. Scope and roles
This policy applies to personal information we process for our own business purposes and to personal information we process on behalf of customers through the Nitoriq service.
- For account, billing, security, support, website, and sales information, Nitoriq generally acts as the controller or business responsible for deciding how that information is processed.
- For tracking events, campaign data, ecommerce data, conversion data, uploaded files, provider imports, and similar workspace data submitted by or for a customer, Nitoriq generally acts as a processor or service provider and processes that information according to the customer's instructions, the Terms of Service, and any applicable data processing agreement.
- Customers are responsible for their own privacy notices, consent flows, legal bases, and platform-policy obligations for websites, apps, landing pages, campaigns, and stores where they use Nitoriq.
Where required, customer processing of Customer Data may be governed by a Data Processing Agreement or similar data protection terms that describe processing instructions, subprocessors, security measures, international transfers, and assistance with privacy requests.
Nitoriq is not designed for collecting sensitive personal information such as health information, government identification numbers, precise financial account credentials, children's data, or other highly sensitive categories unless we expressly support that use case and the customer has the required authority, notices, consents, and legal basis.
2. Information we collect
We may collect or process these categories of information:
- Account and profile data, such as name, email address, password hash, avatar URL, email verification state, login timestamps, and authentication method.
- Signup and onboarding data, such as workspace name, phone number, preferred contact method, monthly ad spend range, how you heard about Nitoriq, role, and operator category.
- Authentication and session data, such as session identifiers, remember-me preferences, IP address, user agent, device and browser details, and last-seen timestamps.
- Workspace and team data, such as workspace names, slugs, timezone and currency settings, memberships, invitations, roles, permissions, and account ownership relationships.
- Tracking and attribution data, such as click IDs, visitor IDs, visit IDs, tracking-domain hostnames, raw tracking parameters, referrers, IP addresses, user agents, language, device, browser, operating system, connection, and geo-derived fields such as country, region, city, continent, timezone, ZIP code, ISP, and ASN when available.
- Campaign, asset, and configuration data, such as campaign names, public codes, flows, offers, landers, traffic sources, affiliate networks, token mappings, custom conversions, routing rules, and reporting settings.
- Conversion, cost, and revenue data, including uploaded files, imported rows, transaction identifiers, order or conversion parameters, payout or revenue amounts, cost amounts, and reporting metadata.
- Ecommerce integration data, including Shopify shop domain, installation status, Web Pixel configuration, storefront events, checkout or cart tokens, order IDs, order status, timestamps, currency, revenue, refunds, tax, shipping, discounts, product and variant data, attribution evidence, and webhook metadata.
- Connected-platform data, such as OAuth profile details, connected account references, ad account IDs, customer IDs, page or business account IDs, scopes, API keys, token hashes, secret metadata, account status, campaign identifiers, reporting rows, and connection logs.
- Billing data, such as plan, subscription status, billing interval, provider customer or subscription identifiers, invoice events, tax-related metadata, and payment provider webhook payloads.
- Support, audit, and security data, such as support-access policy settings, approvals, support session records, ticket references, request metadata, IP addresses, user agents, audit trails, error logs, and abuse-prevention signals.
- Marketing and communications data, such as name, work email, company, role, message or notes, monthly spend range, primary use case, demo requests, sales communications, and UTM parameters submitted through our site forms.
- Copilot and AI feature data, such as prompts, selected report context, tool traces, generated responses, feedback, and approval decisions when you use AI-assisted reporting or MCP workflows.
3. How we collect information
We collect information in several ways:
- Directly from you when you register, log in, configure a workspace, connect an integration, upload a file, submit a form, request support, or communicate with us.
- Automatically when you use the service, including request metadata, sessions, security logs, audit events, tracking events, and reporting activity.
- From third-party services you connect, such as ad platforms, affiliate networks, ecommerce systems, OAuth providers, payment providers, support tools, and related business tools.
- From team members, account owners, customers, merchants, or partners who invite users, configure resources, create shared reports, or send data to Nitoriq.
4. How we use information
We use information to:
- Create, secure, and administer accounts, workspaces, roles, invitations, authentication, sessions, and permissions.
- Operate tracking, attribution, traffic routing, reporting, shared reports, cost imports, revenue imports, conversion APIs, automation, and API functionality.
- Connect Shopify commerce activity and other ecommerce data to campaign traffic when customers enable those integrations.
- Import, normalize, reconcile, and display campaign, account, conversion, spend, revenue, and performance data from connected platforms.
- Send conversion, event, and match-key data to ad platforms or customer-selected destinations when configured by a customer.
- Provide AI-assisted reporting, report-state validation, recommendations, summaries, and approval-backed actions when you use Copilot or MCP features.
- Provide support, including controlled support-access workflows, customer approvals, and related audit history.
- Process subscriptions, enforce plan limits, manage trials, maintain billing records, and prevent payment abuse.
- Troubleshoot issues, monitor reliability, maintain security, detect abuse, prevent fraud, and improve product quality.
- Respond to inquiries, schedule demos, send service communications, and follow up on sales or marketing requests.
- Comply with legal obligations, enforce agreements, protect rights and safety, and respond to lawful requests.
You can opt out of marketing emails by using the unsubscribe link in those emails or by contacting us. We may still send transactional or service messages about your account, security, billing, support, or product use.
5. Cookies and similar technologies
Nitoriq uses cookies, local storage, pixels, tags, and similar technologies to maintain sessions, apply CSRF protection, remember login choices, support secure operation, measure service activity, and provide tracking and reporting workflows that customers enable.
Customers who deploy Nitoriq tracking, pixels, scripts, direct tracking, postbacks, or conversion APIs are responsible for providing required notices, cookie banners, consent choices, and opt-out mechanisms for their own websites, apps, stores, and landing pages.
Customers decide where Nitoriq tracking is deployed, which events are collected, which destinations receive conversion data, and whether consent is required before tags, pixels, scripts, or server-side events run. Customers are responsible for configuring Nitoriq and their own websites, stores, apps, landing pages, and consent tools in compliance with applicable law and platform rules.
6. Connected accounts and platform data
When you connect a third-party account, you authorize Nitoriq to access and process information from that account within the scopes you approve and the features you enable. We use connected platform data to provide the requested integration, such as account connection, account selection, campaign reporting, cost import, conversion delivery, revenue allocation, diagnostics, integration health, and related integration workflows.
For connected advertising, analytics, ecommerce, and social platforms, Nitoriq accesses only the scopes, accounts, and data types authorized by the user or workspace. We do not sell connected-platform data, use it for surveillance, or use it for unrelated advertising profiles. We do not transfer connected-platform data except as needed to provide the service, comply with law, protect the service, or as directed by the customer.
If you connect Google accounts, Nitoriq's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide or improve user-facing Nitoriq features that you request, such as account connection, campaign reporting, cost import, conversion delivery, diagnostics, and related integration workflows. We do not use Google user data for generalized advertising, unrelated profiling, credit-worthiness, lending, or other purposes not requested by the user.
Workspace owners and authorized admins can disconnect supported integrations from Nitoriq. Disconnecting an integration stops new imports or deliveries for that connection and removes or invalidates stored access credentials, subject to retention needed for security, audit, billing, legal, or dispute purposes.
7. AI-assisted features
Nitoriq may use third-party AI service providers to power Copilot, report analysis, summarization, and related workflows. We send only the information needed to provide the requested feature, such as the user's prompt, selected report context, schema, tool traces, and recent conversation state.
AI responses may be incomplete or incorrect, and customers remain responsible for reviewing recommendations, approving proposed actions, and deciding how to use outputs. Approval flows and audit records are used where the product supports customer-controlled mutations or sharing.
8. When we disclose information
We may disclose information:
- To service providers and subprocessors that help us host, secure, operate, support, bill, monitor, analyze, or improve Nitoriq.
- To third-party platforms, APIs, and destinations that you choose to connect or instruct us to use.
- To payment providers, tax providers, and billing tools to support subscriptions, invoices, payment methods, taxes, renewals, refunds, or billing support.
- To authorized account users, workspace members, service principals, API clients, support users, or recipients of shared reports according to the settings your team applies.
- To professional advisors, auditors, insurers, and potential transaction counterparties in connection with business, security, financing, merger, acquisition, or similar events.
- When required by law, subpoena, court order, legal process, or governmental request, or to protect rights, safety, security, users, customers, or the service.
We do not sell personal information in the ordinary meaning of that term. We also do not share Customer Data for cross-context behavioral advertising by Nitoriq unless we provide any required notice and choice under applicable law.
We may publish additional information about service providers and subprocessors on a dedicated subprocessors page.
9. Customer instructions and end-user requests
If we process personal information on behalf of a customer, we usually respond to end-user privacy requests by asking the requester to contact the relevant customer directly, or by helping the customer fulfill the request. This is because the customer controls the campaign, store, landing page, tracking setup, or integration that caused the data to be processed.
If you are an end user of a Nitoriq customer and want access, correction, deletion, or opt-out for data collected through that customer's use of Nitoriq, you may contact the customer directly or email us at [email protected] so we can route the request.
10. Deletion and platform removal requests
Workspace owners and admins can update, export, delete, deactivate, rotate, or disconnect many records through the product. You can also request deletion by contacting [email protected].
If you remove a connected third-party app or request deletion through a platform such as Meta, Google, TikTok, Snapchat, Pinterest, Reddit, or Shopify, Nitoriq will delete or disconnect the relevant account data where required, subject to identity verification, customer instructions, technical feasibility, and legal retention obligations.
Our public deletion instructions are available at /data-deletion.
11. Shopify privacy webhooks
For Shopify integrations, Nitoriq supports Shopify's mandatory privacy webhooks for customer data requests, customer redaction, and shop redaction where applicable to the app installation. We process Shopify privacy webhook requests according to Shopify's requirements and applicable law.
If a Shopify shop redaction webhook is received, Nitoriq deletes stored Shopify connection records, pixel configuration, storefront event records, webhook payloads, order records, order-line records, attribution links, attribution evidence, diagnostics, report mappings, and Shopify commerce facts tied to that shop, except where retention is required by law or needed for security, fraud prevention, or dispute records.
We aim to complete applicable Shopify redaction requests within the period required by Shopify and applicable law, unless retention is legally required.
12. Support access
If your account enables support access, authorized Nitoriq personnel may access account data in read-only, assisted-write, or approved impersonation modes depending on your account settings and the support workflow used.
Nitoriq records support approvals, session details, and audit events so customers can review access history and related changes. Customers are responsible for configuring support access in a way that fits their compliance needs.
13. Shared reports and external sharing
If your team creates shared reports, data exposed through those links may be accessible to anyone with the relevant link, token, or credentials until the report expires, is disabled, or is otherwise restricted by your settings.
You are responsible for choosing appropriate report-sharing settings and recipients for your business and data.
14. Retention
We retain information for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, maintain security records, support business operations, and follow customer instructions.
Retention periods differ across data types. Active account records, billing records, support audit trails, access logs, integration tokens, uploaded files, tracking events, reporting datasets, and raw webhook payloads may be retained for different periods based on product, operational, security, legal, and customer needs.
- Account and workspace records are generally kept while the account or workspace remains active.
- Connected-platform credentials are generally kept until the integration is disconnected, the workspace is deleted, or retention is no longer needed.
- Tracking, attribution, reporting, import, and event data are retained based on workspace settings, plan limits, product needs, or customer instructions.
- Billing, tax, audit, security, and abuse-prevention records may be retained longer where required for legal, accounting, security, or dispute purposes.
- Backups may retain deleted data for a limited period before they are overwritten or removed through normal backup cycles.
We may retain aggregated, de-identified, or anonymized information that no longer identifies a person or customer end user.
15. Security
We use reasonable administrative, technical, and organizational measures designed to protect information, including access controls, token protection, audit logging, encryption in transit, secret handling, monitoring, and backup and recovery controls appropriate to the service.
No service is completely secure. You are also responsible for protecting your credentials, API keys, integration access, tracking domains, support settings, and workspace permissions.
16. International transfers
Nitoriq may process information in countries other than the one where you or your end users are located. Where required, we use appropriate transfer mechanisms or contractual terms for international transfers.
17. Regional privacy rights
Depending on your location and applicable law, you may have rights to access, correct, delete, port, restrict, or object to certain processing of personal information. You may also have rights to withdraw consent, appeal a decision, or opt out of certain sales, sharing, targeted advertising, or profiling.
To make a request, contact [email protected]. We may need to verify your identity and may route requests concerning Customer Data to the relevant customer.
18. Children
Nitoriq is intended for business use and is not directed to children. Customers may not use Nitoriq to knowingly collect children's personal information unless they have all required authority, notices, consents, and platform permissions.
19. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we may provide notice through the service, the marketing site, or by email. The updated version becomes effective when posted unless it says otherwise.
20. Contact
Questions or privacy requests can be sent to [email protected]. General support requests can be sent to [email protected].