1. Overview
This Privacy Policy describes how Convertss (“Convertss”, “we”, “us”) handles information when you (a) sign up for the dashboard, (b) embed our chatbot widget or forms on your website, or (c) use Convertss to track offline conversions and push them to Google Ads, Meta, TikTok, or Microsoft Advertising.
Two distinct “data subjects” show up in this policy:
- Convertss customers — the businesses signing up for our dashboard.
- Visitors — the end-users who interact with a customer's website (filling forms or chatting).
For visitor data, the Convertss customer is the data controller and we are the data processor.
2. What we collect
From Convertss customers (account holders)
- Name, work email, company name, country, industry, website URL.
- Password (stored as a bcrypt hash; we cannot see your password).
- Ad-platform credentials you provide — customer IDs, developer tokens, conversion-action IDs.
- Billing and subscription metadata once you upgrade to a paid plan.
From visitors to your website
- Click IDs — gclid, gbraid, wbraid, fbclid, ttclid, msclkid, li_fat_id, twclid, epik, yclid, ScCid and ad-pixel cookies (_fbp, _fbc, _ttp, _ga). Captured automatically when present in the URL or on the visitor's browser.
- Form submissions (name, email, phone, custom fields) and chat messages you exchange with our AI widget.
- IP address, approximate geo (city / region / country), timezone, browser user-agent.
- UTM parameters and the landing-page URL.
We do not set third-party advertising cookies. We never sell visitor data.
3. How we use it
- To run the dashboard you signed up for — auth, billing, alerts.
- To match visitor clicks to leads, qualify them via the chatbot, and (with your permission) push closed-deal events to the ad platform that sent the click.
- To generate AI replies in the chatbot using your own knowledge base (vector-search retrieval). Visitor questions are sent to our LLM provider only for the purpose of producing that reply.
- To run a one-time AI spam classification on each form submission; the result is cached forever and never re-runs unless you manually force it.
- To send transactional emails — sign-up, lead alerts, billing, security.
4. Sending data to ad platforms
When you enable an ad platform in the dashboard, Convertss sends specific conversion events back to it:
- Google Ads — gclid + conversion timestamp + value via the Google Ads API.
- Meta CAPI v19 — fbclid / fbp / fbc + SHA-256 hashed email and phone + value.
- TikTok Events API v1.3 — ttclid + SHA-256 hashed email and phone + value.
- Microsoft Advertising — msclkid via CSV export you upload manually.
We send the minimum data those APIs require to match a conversion. Each platform's policy applies to data once it leaves us — see their respective policies for details.
5. How we protect PII
- Emails and phones are normalised (lowercased, trimmed) then SHA-256 hashed before any send to Meta or TikTok APIs.
- Passwords are stored as bcrypt hashes with 10 salt rounds (the bcrypt cost factor).
- All HTTP traffic is served over TLS 1.3.
- Auth tokens (JWT) are stored as httpOnly + sameSite=strict cookies; the dashboard never exposes them to JavaScript.
- Multi-tenant isolation — every database query is scoped by ownerId server-side; one customer cannot read another's data.
7. Where data lives
Data is stored in MongoDB Atlas (cloud cluster) and processed in the regions Atlas exposes to your deployment. Cloudinary stores blog images you upload as a Convertss customer. Email alerts pass through our SMTP provider on a per-event basis and are not retained server-side.
We retain operational data for as long as your account is active, plus a 30-day grace period after cancellation.
9. Your rights
If you are a Convertss customer, you can edit or delete your profile and account data from the dashboard at any time. If you are a visitor on a Convertss customer's site, please contact that customer first — they are the data controller. We will support them in fulfilling your request promptly.
Depending on where you live (EU/UK, California, India under DPDP, and similar regimes), you have rights to access, rectify, delete, restrict, and port your data. Reach us at hello@convertss.com to exercise any of these.
10. Children
Convertss is a business product. We do not intentionally collect data from children under 16. If you believe a minor has signed up, contact us and we will remove their data.
11. Policy updates
We'll update this page when the platform changes in ways that affect data handling. Material changes get an in-dashboard banner and an email to account owners 14 days before they take effect.
12. Contact
Questions, requests, security reports, or DPA copies: hello@convertss.com. We reply to every email; expect a real human within one business day.