
GDPR Compliance

Last updated: April 11, 2026

This page explains how OCT complies with the EU General Data Protection Regulation (GDPR) and the UK GDPR. If you are an EEA or UK resident and have questions about your data rights, email hello@offlineconversionstracking.com.

Data controller

For personal data processed in connection with your OCT account (name, email, billing information), OCT acts as the data controller.

Data controller contact:
Offline Conversions Tracking
Email: hello@offlineconversionstracking.com

Data processor

For personal data captured from your website visitors by the OCT tracking script (form fields, click IDs, etc.), you are the data controller and OCT acts as the data processor on your behalf. As the data controller you are responsible for:

  • Ensuring you have a valid lawful basis to collect and process your visitors' personal data.
  • Informing your visitors about the tracking in your privacy policy.
  • Obtaining any necessary consents (particularly if required by national implementations of the ePrivacy Directive).
  • Responding to data subject access and deletion requests relating to their data in your OCT dashboard.

Lawful basis for processing

Account data

Contractual necessity (Article 6(1)(b)) — processing your name, email, and session data is necessary to provide the OCT service under our Terms of Service.

Transactional emails (OTP, notifications)

Contractual necessity (Article 6(1)(b)) — sending account verification and service notification emails is necessary to deliver the service.

Lead data (your visitors' data)

Legitimate interests (Article 6(1)(f)) — processing lead data on your behalf to enable conversion tracking is our legitimate interest as a data processor, as instructed by you (the controller). As the controller, you must have your own lawful basis for the original collection.

International data transfers

OCT is built on Cloudflare's infrastructure. Cloudflare may store and process data in data centres outside the EEA, including in the United States. Cloudflare is certified under the EU-US Data Privacy Framework and provides Standard Contractual Clauses (SCCs) as a transfer mechanism for EU data.

Transactional emails are sent via ZeptoMail (Zoho Corporation). Zoho is certified under applicable data transfer frameworks and processes data in compliance with GDPR.

Data subject rights

If you are an EEA or UK resident, you have the following rights under GDPR:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your account and all associated data.
  • Right to restriction: request that we limit how we process your data.
  • Right to portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interests.

To exercise any of these rights, email hello@offlineconversionstracking.com with the subject line "GDPR Request". We will respond within 30 days. In most cases we will need to verify your identity before processing the request.

You also have the right to lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or your local EU supervisory authority).

Data Processing Agreement (DPA)

If you are an EU- or UK-based business that requires a Data Processing Agreement with OCT (as your data processor for lead data), please email us at hello@offlineconversionstracking.com with the subject "DPA Request". We will provide a standard DPA based on the EU Standard Contractual Clauses.

Data retention

See Section 6 of our Privacy Policy for full data retention periods per plan. In summary:

  • Starter plan: lead data retained for 30 days.
  • Growth plan: lead data retained for 1 year.
  • Agency plan: lead data retained indefinitely while the account is active.
  • Account data deleted within 30 days of account deletion.

Security measures

We implement the following technical and organisational measures (TOMs) to protect personal data:

  • All data in transit encrypted via TLS 1.2 or higher.
  • Passwords hashed using bcrypt (never stored in plaintext).
  • Session tokens stored as HttpOnly, Secure cookies.
  • Access to production data restricted to authorised personnel.
  • API endpoints rate-limited to prevent abuse.
  • Password fields explicitly excluded from form data capture.

Contact

For GDPR enquiries: hello@offlineconversionstracking.com

Please also review our Privacy Policy and Cookie Policy for full details.