Privacy Policy

1. Introduction and Scope

FunnelMob (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our website, platform, and services (collectively, the “Services”).

This policy covers two distinct contexts:

• Platform Users: Visitors to funnelmob.com, users of the FunnelMob dashboard, account holders, and individuals who interact with us directly.
• End Users: Individuals who use mobile applications or websites that integrate the FunnelMob SDK. We process End User data on behalf of our Customers (app developers) as a Data Processor.

This Privacy Policy does not cover the data practices of our Customers' applications. End Users should refer to the privacy policy of the specific application they are using for information about that application's data practices.

2. Definitions

“Personal Data”

means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.

“Processing”

means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

“Data Controller”

means the entity that determines the purposes and means of Processing Personal Data.

“Data Processor”

means the entity that Processes Personal Data on behalf of the Data Controller.

“Platform Users”

means visitors to funnelmob.com and users of the FunnelMob dashboard and account services.

“End Users”

means individuals who use applications that integrate the FunnelMob SDK.

“Customer”

means the app developer or business that integrates the FunnelMob SDK into their application.

“Customer Data”

means all data submitted to or collected through the Services by a Customer, including End User Data.

“End User Data”

means data collected from or about End Users through the SDK or other integrations.

“Anonymized Data”

means data from which all personally identifiable information has been irreversibly removed.

“Aggregated Data”

means data combined from multiple sources such that no individual can be identified.

“Device Identifiers”

means identifiers associated with a device, including IDFA, IDFV, GAID, and Android ID.

“First-Party Data”

means data collected directly from End Users through the SDK within a Customer's application.

“Third-Party Data”

means data received from ad networks, attribution partners, and other external sources via server-to-server integrations.

3. Data Controller vs. Data Processor Roles

When FunnelMob Is a Data Controller

FunnelMob is the Data Controller for Personal Data collected from Platform Users—visitors to funnelmob.com, dashboard users, account holders, and individuals who contact us directly. In this capacity, FunnelMob determines the purposes and means of Processing.

When FunnelMob Is a Data Processor

FunnelMob is the Data Processor for End User Data collected through the SDK on behalf of our Customers. The Customer (app developer) is the Data Controller who determines why and how End User Data is collected. FunnelMob processes this data solely on the Customer's instructions pursuant to our Data Processing Addendum (DPA).

What This Means for End Users

End Users with questions about how their data is used within a specific application should contact the developer of that application directly. FunnelMob can assist with processor-level requests in accordance with its obligations under the DPA, but the Customer (app developer) is the primary point of contact for End User data rights.

4. Information We Collect as Controller (Platform Users)

Account Information: Name, email address, password (stored in hashed form), company name, and role or title.

Billing Information: Payment method details are processed by Stripe. FunnelMob does not store full credit card numbers or complete payment credentials.

Usage Data: Dashboard interactions, features used, pages viewed, session duration, login timestamps, and actions taken within the platform.

Communication Data: Support tickets, emails, feedback submissions, and chat messages exchanged with FunnelMob.

Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.

Marketing Data: Email engagement metrics (opens, clicks), referral source, and campaign parameters (UTM codes).

5. Information Collected Through the SDK (End User Data)

The following data is collected by the FunnelMob SDK when integrated into a Customer Application. FunnelMob processes this data as a Data Processor on behalf of the Customer.

Auto-Collected by Default

• App install event and session data (start/end timestamps)
• Screen views
• Device model and manufacturer
• Operating system name and version
• App version and SDK version
• Language, locale, and timezone
• Network type (Wi-Fi or cellular)
• IDFV (iOS) or Android ID
• Carrier name

Collected Only When Configured by Customer

• IDFA (iOS, requires App Tracking Transparency consent from End User)
• Google Advertising ID (GAID)
• Custom event data and properties defined by the Customer
• In-app purchase events (amount, product identifier, currency)
• Subscription events (trial start, conversion, renewal, cancellation)
• Precise geolocation (requires End User device-level permission)
• Deep link referral data

Collected via Link Tracking

When an End User clicks a FunnelMob tracking link: IP address (used for geographic lookup, then hashed or discarded per Customer configuration), user agent string, click timestamp, referrer URL, and link parameters.

What the SDK Never Collects

• Names, email addresses, or phone numbers
• Contacts, photos, or messages
• Browsing history outside the Customer Application
• Health, medical, or biometric data
• Financial account details
• Microphone or camera data
• Contents of communications
• Keystroke data

IP Address Handling

IP addresses are received server-side during SDK communication. They are used for geographic location lookup (country, region, city), fraud detection, and network diagnostics. IP addresses are then hashed or discarded based on Customer configuration and compliance requirements. Raw IP addresses are not stored beyond twenty-four (24) hours.

6. Information from Third-Party Sources

Ad Network Partners: Campaign data, click and impression data, cost data, and creative metadata received via server-to-server integrations configured by the Customer.

App Store Data: When a Customer connects App Store Connect or Google Play Console—download data, revenue data, and review data.

Integration Partners: Data from Customer-configured integrations (e.g., RevenueCat for subscription data).

Third-party data is received based on Customer's configurations and is subject to those third parties' respective terms and data policies.

7. How We Use Information (Controller Purposes)

As a Data Controller for Platform User data, we use your information to:

• Provide, maintain, and improve the Services
• Process transactions and billing
• Authenticate users and maintain account security
• Send service-related communications (technical notices, updates, security alerts)
• Provide customer support
• Monitor and analyze usage patterns and trends to improve the platform
• Detect, prevent, and address fraud and security issues
• Develop new features and services
• Send marketing communications (with consent where required by law; opt-out always available)
• Comply with legal obligations
• Enforce our Terms of Service

8. How We Process End User Data (Processor Purposes)

FunnelMob processes End User Data solely as instructed by the Customer for the following purposes:

• Providing mobile attribution and analytics services
• Generating attribution reports
• Fraud detection and prevention
• Funnel analysis and conversion tracking
• AI-powered insights generation (when enabled by Customer)
• Link tracking and deep linking
• Remote configuration delivery

FunnelMob does NOT use End User Data for: its own advertising purposes, selling to third parties, profiling End Users for FunnelMob's own benefit, marketing to End Users, or any purpose other than providing the Services to the Customer.

9. Lawful Basis for Processing (GDPR)

Platform User Data (Controller)

• Contract performance: Processing necessary to provide the Services you have requested (account management, service delivery).
• Legitimate interests: Security, fraud prevention, service improvement, and analytics, where our interests are not overridden by your rights.
• Consent: Marketing communications and non-essential cookies, where we have obtained your explicit consent.
• Legal obligation: Processing required to comply with tax, accounting, or regulatory requirements.

End User Data (Processor)

FunnelMob processes End User Data on the Customer's documented instructions. The Customer, as Data Controller, is responsible for establishing and maintaining a valid lawful basis for all Processing of End User Data. FunnelMob's DPA documents the processing instructions and the Customer's obligations.

10. Cookie Policy

Cookies on funnelmob.com

SDK and Cookies

The FunnelMob SDK does not use browser cookies in native mobile applications. On web platforms, the SDK may use first-party cookies or localStorage for session tracking and attribution, as configured by the Customer.

Managing Cookies

You can control cookie preferences through your browser settings. Disabling strictly necessary cookies may affect the functionality of funnelmob.com. For information about managing cookies in specific browsers, refer to your browser's help documentation.

11. Data Sharing and Disclosure

Sub-Processors and Service Providers

We share data with sub-processors who assist in providing the Services, under contractual data protection obligations. See Section 12 for the full list.

Customer-Configured Sharing

End User Data may be shared with ad networks, attribution partners, and other third parties via server-to-server postbacks, data exports, and integration syncs as configured and controlled by the Customer.

Aggregated and Anonymized Data

We may share Aggregated and Anonymized Data for benchmarking, industry reports, and research. No individual or Customer can be identified from this data.

Legal Requirements

We may disclose information if required by law, legal process, or government request. We will notify the affected Customer where legally permitted before disclosing End User Data.

Business Transfers

In the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity. We will provide notice before data is transferred and becomes subject to a different privacy policy.

What We Never Do

We never sell Personal Data. We never disclose End User Data to other Customers. We never use End User Data for cross-customer tracking or profiling.

12. Sub-Processors

FunnelMob engages the following sub-processors to assist in providing the Services:

All sub-processors are bound by data protection obligations no less protective than those in our DPA.

We will provide thirty (30) days' advance notice before engaging a new sub-processor. Customers may object to a new sub-processor, and the parties will work in good faith to find a resolution. If no resolution can be reached, the Customer may terminate the affected Services.

The current sub-processor list is also available in our Data Processing Addendum.

13. International Data Transfers

FunnelMob is based in the United States. If you are located outside the United States, your data may be transferred to and processed in the United States and other countries where our sub-processors operate.

Transfer Mechanisms

• Standard Contractual Clauses (SCCs): Incorporated into our DPA for transfers of Personal Data from the EU/EEA, using the European Commission's standard contractual clauses (Commission Implementing Decision (EU) 2021/914).
• UK International Data Transfer Addendum: Applied for transfers from the United Kingdom.
• Swiss Data Protection: SCCs with Swiss-specific modifications for transfers from Switzerland.

Supplementary Measures

We implement supplementary technical and organizational measures including encryption of data in transit and at rest, strict access controls, and pseudonymization where feasible.

Customers on Scale plans may select data residency in the European Union where available.

14. Data Retention

Platform User Data

• Account data: Duration of account plus ninety (90) days after termination
• Usage analytics: Twenty-four (24) months
• Billing records: As required by tax and accounting law (typically seven years)
• Support tickets: Twenty-four (24) months after resolution

End User Data (Processed as Processor)

• Event data: Thirteen (13) months
• Attribution data: Twenty-four (24) months
• Link tracking data: Twenty-four (24) months
• AI Agent query logs: Ninety (90) days

Customers may configure shorter retention periods for End User Data through their dashboard settings.

Post-Termination

Upon account termination, Customer Data is available for export for thirty (30) days. Deletion occurs within ninety (90) days of the export window. Backup copies are purged within one hundred eighty (180) days.

Aggregated and Anonymized Data may be retained indefinitely as it does not constitute Personal Data. Data required to be retained by applicable law is retained for the required period.

15. Data Security

Technical Measures

• Encryption in transit (TLS 1.2 or higher)
• Encryption at rest (AES-256)
• Network firewalls and segmentation
• Intrusion detection and prevention systems
• Regular vulnerability scanning and penetration testing
• Secure software development lifecycle (SDLC)

Organizational Measures

• Role-based access controls with least-privilege principles
• Employee background checks
• Security awareness training
• Documented incident response plan
• Vendor security assessments

Certifications

FunnelMob is actively pursuing SOC 2 Type II and ISO 27001 certifications to further demonstrate our commitment to security best practices.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@funnelmob.com.

While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents in accordance with our incident response plan and applicable law.

16. Your Rights as a Platform User

Depending on your location, you may have the following rights regarding your Personal Data:

• Right of Access (GDPR Art. 15): Request a copy of the Personal Data we hold about you.
• Right to Rectification (GDPR Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (GDPR Art. 17): Request deletion of your Personal Data (“right to be forgotten”).
• Right to Restriction (GDPR Art. 18): Request that we restrict Processing of your data in certain circumstances.
• Right to Data Portability (GDPR Art. 20): Request your data in a structured, commonly used, machine-readable format.
• Right to Object (GDPR Art. 21): Object to Processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent (GDPR Art. 7): Withdraw consent at any time where Processing is based on consent.
• Right Regarding Automated Decision-Making (GDPR Art. 22): Not be subject to decisions based solely on automated Processing that produce legal or similarly significant effects.

How to Exercise Your Rights

Contact us at privacy@funnelmob.com or use the self-service tools available in your dashboard settings. We may need to verify your identity before fulfilling requests.

We will respond within thirty (30) days of receiving a valid request. This period may be extended by up to sixty (60) additional days for complex requests, with prior notice.

You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.

17. End User Rights

End Users whose data is collected through a Customer's application should first contact the Customer (app developer) directly. The Customer is the Data Controller and is the primary point of contact for data subject requests.

If FunnelMob receives a data subject request directly from an End User, FunnelMob will: (a) notify the relevant Customer promptly; (b) assist the Customer in fulfilling the request in accordance with the DPA; and (c) not fulfill the request directly without the Customer's instruction, except where legally required to do so.

FunnelMob provides Customers with tools to search for, export, delete, and restrict Processing of End User data through the dashboard and API.

18. CCPA/CPRA Compliance

FunnelMob as a Business (Platform Users)

For California residents who are Platform Users, the following applies under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

FunnelMob does not sell Personal Information. FunnelMob does not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA/CPRA.

California residents have the right to: know what PI is collected and how it is used; request deletion of PI; request correction of inaccurate PI; opt out of the sale or sharing of PI (not applicable as we do not sell PI); and non-discrimination for exercising privacy rights.

FunnelMob as a Service Provider (End User Data)

With respect to End User Data, FunnelMob acts as a “Service Provider” under the CCPA. FunnelMob:

• Does not retain, use, or disclose End User Personal Information for any purpose other than performing the Services for the Customer
• Does not sell or share End User Personal Information
• Does not combine End User Personal Information with Personal Information from other sources except as permitted by the CCPA
• Certifies that it understands and will comply with the restrictions set forth in the CCPA

To submit a CCPA request, contact privacy@funnelmob.com. Requests may also be submitted through an authorized agent with proper verification.

19. Other US State Privacy Laws

FunnelMob extends CCPA-equivalent rights to residents of states with comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states that enact similar legislation.

FunnelMob does not engage in targeted advertising using Customer Data for its own purposes. Customers who use FunnelMob for ad attribution may be engaging in targeted advertising and are solely responsible for their own compliance with applicable state privacy laws.

Data protection impact assessments are available upon request for high-risk processing activities.

20. Children's Privacy (COPPA)

The FunnelMob Services are not directed at children under the age of thirteen (13). FunnelMob does not knowingly collect Personal Data from children under 13.

For Customers whose applications are directed at children or who have actual knowledge of child users:

• Customer MUST enable COPPA compliance mode in the SDK before any data collection from child users.
• In COPPA mode, the SDK: disables all persistent device identifiers; does not collect advertising IDs (IDFA, GAID); limits data collection to contextual and aggregated metrics; does not enable interest-based advertising postbacks.
• Customer is solely responsible for obtaining verifiable parental consent where required and for correctly implementing COPPA mode.

If FunnelMob discovers that it has collected Personal Data from a child under 13 without proper consent or configuration, FunnelMob will delete the data promptly and notify the Customer.

Parents or guardians may contact us at privacy@funnelmob.com regarding their child's data.

21. Do Not Track and Global Privacy Control

Website (funnelmob.com): FunnelMob honors Global Privacy Control (GPC) signals as an opt-out of sale or sharing of Personal Information where legally required.

SDK: The FunnelMob SDK does not independently respond to Do Not Track (DNT) or GPC signals. This is the Customer's responsibility as Data Controller. FunnelMob provides Compliance Mode toggles that Customers can wire to platform-level privacy signals such as ATT and Google consent mode.

22. Compliance Mode and SDK Privacy Controls

The FunnelMob SDK provides the following configurable privacy modes:

• Full Tracking Mode (default): All configured data points are collected. Appropriate when the Customer has obtained valid consent from the End User.
• Compliance Mode: Restricted data collection—no device identifiers, no IP address storage, aggregated session data only. Appropriate for End Users who have not consented or who have opted out.
• Custom Mode: Granular per-field control over which data points are collected and which are suppressed. Allows Customers to tailor data collection to specific regulatory requirements.

For detailed configuration instructions, refer to the SDK documentation at docs.funnelmob.com.

Platform Integration Helpers

The SDK provides helper methods for Apple's App Tracking Transparency (ATT) framework. When ATT consent is denied, IDFA is not collected. The SDK also supports Google's consent signals for Android.

FunnelMob provides these compliance tools, but the Customer is solely responsible for: determining which privacy mode applies per jurisdiction; enabling the correct mode based on each End User's consent status; wiring SDK privacy toggles to platform consent signals; and ensuring the appropriate mode is activated before data collection begins for opted-out or non-consenting End Users. FunnelMob bears no liability for Customer's failure to implement the correct privacy mode.

23. First-Party vs. Third-Party Data

First-Party Data

Data collected directly by the FunnelMob SDK from the End User's device within the Customer Application is First-Party Data. The Customer is the “first party” relative to their End Users. FunnelMob processes this data as a Data Processor.

Third-Party Data

Data received from ad networks, attribution partners, and other external sources via server-to-server integrations is Third-Party Data. This includes campaign metadata, click and impression logs, and cost data. Third-Party Data is subject to the originating party's terms and policies.

How They Interact

FunnelMob correlates First-Party SDK data with Third-Party attribution data to generate attribution reports. This correlation is performed on the Customer's behalf and per the Customer's configuration.

Customers must disclose in their own privacy policies both the First-Party data collection (via the SDK) and the Third-Party data received (via attribution integrations).

24. AI Agent and Automated Processing

The AI Insights Agent processes Customer Data to generate analytics insights, answer questions, and provide recommendations. These outputs are generated algorithmically and are informational only—they do not constitute professional, legal, financial, or business advice.

No automated decisions with legal or similarly significant effects are made about End Users by the AI Agent.

Customer Data processed by the AI Agent is not shared with other Customers. Anonymized and aggregated patterns may be used to improve AI models. Customers may opt out of model improvement through their dashboard settings.

AI Agent outputs may contain errors or inaccuracies. FunnelMob does not guarantee the accuracy, completeness, or fitness for any purpose of AI-generated outputs.

25. Third-Party Links and Integrations

The Services may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices of third-party websites or services.

We encourage you to review the privacy policies of any third-party services you access through or in connection with the FunnelMob Services.

26. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least thirty (30) days' advance notice via email to account holders and post a prominent notice on our website.

Non-material changes will be posted on this page with an updated “Last updated” date. Your continued use of the Services after the notice period constitutes acceptance of the updated policy.

Previous versions of this Privacy Policy are available upon request by contacting privacy@funnelmob.com.

27. Data Protection Officer / Representative

For data protection inquiries, contact our privacy lead at privacy@funnelmob.com.

If you are located in the EU/EEA and believe we are required to appoint a representative under GDPR Article 27, please contact us and we will provide the relevant representative's information.

If you are located in the United Kingdom, please contact us for our UK representative information.

28. Contact Information

For questions or requests regarding this Privacy Policy, please contact us:

• Privacy inquiries: privacy@funnelmob.com
• CCPA/state privacy requests: privacy@funnelmob.com
• Security concerns: security@funnelmob.com
• General support: support@funnelmob.com

Mailing address:
FunnelMob
1111B S Governors Ave #47902
Dover, DE 19904
United States

EU/EEA residents: You have the right to lodge a complaint with a supervisory authority. To find the appropriate authority, visit the European Data Protection Board member directory.