Legal

Privacy Policy

Last updated: 31 March 2026
Contents
  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing
  5. Data Sharing & Third Parties
  6. Cookies & Tracking Technologies
  7. Data Retention
  8. Data Security
  9. Your Rights
  10. International Data Transfers
  11. Children's Privacy
  12. Third-Party Integrations
  13. AI-Powered SMS Communications
  14. Google Ads API Data
  15. Changes to This Policy
  16. Contact Us

1. Introduction

DataDriven ("we", "us", "our") operates the DataDriven platform at datadriven.so and app.datadriven.so, including all associated services, APIs, and subdomains (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. We are committed to protecting your privacy and handling your data in an open and transparent manner.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you create an account, we collect your name, email address, password, and role within your organisation.
  • Business Information: Business name, domain, industry, services offered, target audience, unique selling propositions, contact details (phone, email, address), and business hours provided during onboarding or account configuration.
  • Payment Information: Billing details processed through our third-party payment processor. We do not store full credit card numbers on our servers.
  • Communications: Any messages, feedback, or support requests you send to us.
  • Assessment Data: Responses to our marketing readiness assessment, including information about your current marketing setup, response times, and business operations.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent on pages, click patterns, scroll depth, and navigation paths within the dashboard.
  • Device Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
  • Log Data: IP address, access times, referring URLs, and server response times.
  • Analytics Data: Aggregated and anonymised performance metrics from websites served through our platform, including pageviews, bounce rates, conversion rates, and A/B test results.

2.3 Information From Third-Party Integrations

  • GoHighLevel (GHL): When you connect your GHL account, we access contact data, calendar information, and custom field values as authorised through OAuth.
  • Google Ads: When you connect your Google Ads account, we access campaign data, keyword performance, ad copy, cost metrics, and conversion data through the Google Ads API. We adhere to the Google Ads API Terms of Service and the Google Ads Data Policy.
  • Google Analytics: When you provide your Google Analytics measurement ID, we may access aggregated website performance data.
  • Microsoft Clarity: Session recording and heatmap data when configured for your account.
  • Search Atlas OTTO: SEO performance data and optimisation signals when configured.

2.4 Information From End Users of Client Websites

When we serve websites on behalf of our clients through our Cloudflare Workers infrastructure, we collect from website visitors:

  • Anonymised visitor identifiers (via first-party cookies)
  • Pageview events, click events, scroll depth, and time on page
  • Browser and device information
  • A/B test variant assignment (deterministic, based on anonymised visitor ID)

This data is used exclusively to improve website performance and conversion rates for the client account. We do not sell, share, or use this data for cross-site tracking or advertising purposes.

3. How We Use Your Information

We use collected information for the following purposes:

  • Service Delivery: To operate, maintain, and improve the DataDriven platform, including AI-powered website generation, Google Ads management, and SMS lead conversion.
  • AI Website Optimisation: To generate, test, and improve website variants using machine learning, including A/B testing, conversion rate optimisation, and automated copy improvements.
  • Advertising Management: To manage, optimise, and report on Google Ads campaigns, including keyword management, bid adjustments, ad copy testing, and competitor intelligence.
  • SMS Communications: To send AI-generated SMS messages to leads on behalf of our clients, including lead qualification, appointment booking, and follow-up sequences.
  • Analytics & Reporting: To provide dashboards, reports, and insights to clients about their marketing performance.
  • Account Management: To manage your account, authenticate your identity, and process transactions.
  • Communication: To send service-related notices, updates, security alerts, and support messages.
  • Security: To detect, prevent, and address fraud, abuse, security risks, and technical issues.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We process personal data on the following legal bases:

  • Contract Performance: Processing necessary to fulfill our contractual obligations to you, including providing the Service.
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our Service, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent: Where you have given explicit consent for specific processing activities, such as receiving marketing communications or enabling specific integrations.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

5. Data Sharing & Third Parties

We do not sell your personal information. We may share your data with the following categories of recipients:

  • Service Providers: Third-party vendors who assist in operating our Service, including:
    • Supabase — Database hosting and authentication
    • Vercel — Application hosting and deployment
    • Cloudflare — CDN, edge computing, and website delivery
    • Anthropic (via OpenRouter) — AI model provider for website generation and SMS conversations
    • Firecrawl — Website scraping for base-site analysis
    • GoHighLevel — CRM and calendar integration
    • Google — Google Ads API and Google Analytics
    • Microsoft — Clarity analytics
    • Search Atlas — OTTO SEO integration
  • Client Data Sharing: Account administrators can view data for accounts they manage. We do not share data between unrelated client accounts.
  • Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

6. Cookies & Tracking Technologies

We use the following cookies and tracking technologies:

6.1 Essential Cookies

  • Authentication cookies — Required for login sessions on app.datadriven.so
  • View preference cookies — Store admin/client view toggle state

6.2 Analytics Cookies (Client Websites)

  • dd_vid — A first-party visitor identifier cookie set on websites served through our platform. Used for A/B test consistency and anonymous analytics. Contains a randomly generated UUID. Expires after 365 days.

6.3 Third-Party Analytics

When configured by account administrators, client websites may include:

  • Google Analytics (GA4) tracking scripts
  • Google Tag Manager containers
  • Microsoft Clarity session recording
  • HotJar heatmap and feedback tools

Each third-party service is governed by its own privacy policy. We inject these scripts only when explicitly configured by the account administrator.

6.4 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may affect your ability to use the Service. For client-served websites, visitors can manage third-party analytics cookies through their browser or through opt-out mechanisms provided by each analytics provider.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account data: Retained for the duration of the account, plus 90 days after deletion to allow for reactivation.
  • Analytics data: Aggregated analytics (pageviews, conversion rates, A/B test results) are retained for 24 months. Raw event data is retained for 12 months.
  • SMS conversation logs: Retained for 12 months after the last message in a conversation.
  • Sync and audit logs: Retained for 12 months.
  • Google Ads data: Retained in accordance with the Google Ads API Terms of Service. Data is deleted within 30 days of account disconnection or upon user request.
  • Website variants: Active and archived variants are retained for the duration of the account. Draft variants unused for 90 days may be automatically removed.

When data is no longer required, we securely delete or anonymise it.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Row-level security (RLS) policies ensuring strict data isolation between accounts
  • OAuth 2.0 for third-party integrations with token encryption
  • Role-based access control (admin, owner, member, viewer)
  • Regular security audits and vulnerability assessments
  • Automatic token refresh and expiry management for API integrations
  • Secure webhook verification for inbound integrations

While we strive to use commercially acceptable means to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Restriction: Request that we limit processing of your data in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@datadriven.so. We will respond within 30 days.

9.1 Google Ads Data Rights

You may revoke DataDriven's access to your Google Ads data at any time by:

Upon revocation, we will delete your Google Ads data within 30 days.

9.2 SMS Opt-Out

Recipients of SMS messages sent through our platform can opt out at any time by replying STOP. We honour all opt-out requests immediately and maintain a suppression list to prevent future messages.

10. International Data Transfers

Our Service uses infrastructure located in multiple regions. Your data may be transferred to and processed in countries other than your own, including the United States and Australia. We ensure appropriate safeguards are in place for such transfers, including:

  • Standard Contractual Clauses (SCCs) where required
  • Data Processing Agreements with all sub-processors
  • Compliance with applicable data protection frameworks

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@datadriven.so.

12. Third-Party Integrations

The Service integrates with third-party platforms. When you enable an integration, you authorise us to access and process data from that platform in accordance with the permissions you grant. Each integration is governed by:

  • The third party's own terms of service and privacy policy
  • The specific scopes and permissions you authorise during the OAuth flow
  • This Privacy Policy, which governs how we handle data once received

We only request the minimum permissions necessary to provide the Service. You can revoke integration access at any time from your account settings.

13. AI-Powered SMS Communications

Our Service includes AI-powered SMS agents that communicate with leads on behalf of our clients. Important disclosures:

  • SMS messages are generated by artificial intelligence, not humans. Recipients are informed of this.
  • Conversations are logged and stored as described in our data retention policy.
  • AI agents operate within client-defined personas, company context, and value propositions.
  • All SMS communications comply with applicable telecommunications regulations, including TCPA (US), Spam Act 2003 (Australia), and equivalent local laws.
  • We maintain a do-not-contact list and honour all opt-out requests immediately.
  • Clients are responsible for ensuring they have appropriate consent to contact leads via SMS.

Our use of the Google Ads API is subject to additional requirements:

  • We access Google Ads data only with your explicit authorisation via OAuth 2.0.
  • Data obtained through the Google Ads API is used solely to manage and optimise your advertising campaigns within our platform.
  • We do not combine Google Ads data with data from other sources for the purpose of tracking or profiling individual users.
  • We comply with the Google Ads API Terms of Service, including all data handling requirements.
  • You may request deletion of all Google Ads data associated with your account at any time.
  • Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a revised "Last updated" date
  • Sending an email notification for significant changes
  • Displaying a notice in the dashboard

Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at:

DataDriven
Email: privacy@datadriven.so
Website: datadriven.so

For data protection enquiries, you may also contact your local data protection authority.