Privacy Policy
Last updated: 15 July 2026
Pipeline Signals ("we", "us") provides advertising attribution and conversion-measurement software for businesses and marketing agencies using the HighLevel platform. This policy explains what we process, why, and your rights.
Who we are
Pipeline Signals is operated from the United Kingdom. Contact: jdxmediauk@gmail.com.
Two roles: controller and processor
For data about our own customers (agency account holders, billing, support), we act as a data controller. For data about our customers' leads and contacts processed through the product, we act as a data processor on the documented instructions of the business that installed the app — that business is the controller. A Data Processing Agreement is available on request.
What we process as a processor
- Ad click identifiers (e.g. fbclid, gclid, wbraid, gbraid, ttclid, msclkid) and UTM parameters captured on our customers' marketing pages.
- Hashed contact identifiers: email addresses and phone numbers are normalized and SHA-256 hashed before storage. We do not store raw emails or phone numbers in our attribution database.
- CRM pipeline events: stage names, deal values and timestamps from the customer's HighLevel account.
- Consent state supplied by the controller, which we forward with every event.
Where it goes
On the controller's instruction, we transmit conversion events (hashed identifiers, click IDs, event names and values) to the advertising platforms the controller has connected: Meta Platforms, Google, and/or TikTok, under those platforms' data terms. We support platform mechanisms for restricted processing (e.g. Meta Limited Data Use, Google consent signals).
Sub-processors
Cloudflare (network/CDN), Railway (application hosting and database), and the ad platforms named above when instructed. A current list is available on request.
Cookies and the capture script
Our capture script stores ad click identifiers in first-party storage (a cookie and localStorage) on our customers' websites for up to 90 days, solely for attribution. It sets no third-party cookies and does no cross-site tracking. Obtaining any legally required consent for this storage is the responsibility of the website operator (the controller), and our script can be loaded conditionally on consent.
Retention
Attribution records are retained while the customer's subscription is active and deleted within 90 days of uninstall or on verified request. Event delivery logs are retained for 13 months for troubleshooting and audit.
Security
Data in transit is encrypted with TLS. Credentials and API tokens are encrypted at rest with AES-256-GCM. Access is limited to personnel who need it to operate the service.
Your rights
If you are a lead or contact of one of our customers, please direct requests (access, deletion, objection) to that business; we will assist them as processor. If you are our direct customer, contact us at the address above. UK/EU residents may lodge complaints with their supervisory authority (in the UK, the ICO).
Changes
We will post updates to this page and note the revision date above.