Privacy Notice
Last updated: February 22, 2026
This notice describes how DRTV Attribution handles personal data when organizations use the platform for analytics, governance, and operational reporting.
1. Data Controller and Contact
The customer organization is the primary controller for campaign and donation data uploaded to the platform. The platform provider acts as processor for hosted services.
Privacy requests: privacy@example.org
2. Categories of Data
Uploaded datasets may include operational campaign data, transaction timestamps, campaign identifiers, donation amounts, and user account metadata (name, role, authentication events).
3. Purposes and Lawful Basis
Data is processed to provide attribution analytics, secure access control, auditability, and service reliability. Typical legal bases are contract performance and legitimate interests in service security and fraud prevention.
4. Retention
Retention periods are defined by customer policy and contractual settings. Audit and governance records may be retained longer where required for compliance, financial accountability, or dispute resolution.
5. Security Controls
Controls include role-based access, authentication, rate limiting, security headers, signed audit exports, and operational monitoring. Customers are responsible for access governance in their own tenant.
6. International Transfers
Where data is transferred across jurisdictions, contractual and technical safeguards must be applied by the customer and provider according to applicable law.
7. Data Subject Rights
Depending on jurisdiction, individuals may request access, correction, deletion, restriction, portability, or objection. Requests should be directed to the customer organization first, then to the provider where processor support is required.
8. Subprocessors
Hosting and infrastructure subprocessors may be used to provide runtime services, monitoring, and backup. Customers should maintain an approved subprocessor register in procurement records.
9. Incident Response
Security incidents are handled under documented runbooks. Material incidents affecting personal data are escalated and notified according to contractual and legal obligations.
10. Policy Updates
This notice can be updated to reflect legal, operational, or architectural changes. Material changes should be reviewed with legal and compliance stakeholders before release.