Privacy Policy

Last updated: 15 July 2026

Pipeline Signals ("we", "us") provides advertising attribution and conversion-measurement software for businesses and marketing agencies using the HighLevel platform. This policy explains what we process, why, and your rights.

Who we are

Pipeline Signals is operated from the United Kingdom. Contact: jdxmediauk@gmail.com.

Two roles: controller and processor

For data about our own customers (agency account holders, billing, support), we act as a data controller. For data about our customers' leads and contacts processed through the product, we act as a data processor on the documented instructions of the business that installed the app — that business is the controller. A Data Processing Agreement is available on request.

What we process as a processor

Where it goes

On the controller's instruction, we transmit conversion events (hashed identifiers, click IDs, event names and values) to the advertising platforms the controller has connected: Meta Platforms, Google, and/or TikTok, under those platforms' data terms. We support platform mechanisms for restricted processing (e.g. Meta Limited Data Use, Google consent signals).

Sub-processors

Cloudflare (network/CDN), Railway (application hosting and database), and the ad platforms named above when instructed. A current list is available on request.

Cookies and the capture script

Our capture script stores ad click identifiers in first-party storage (a cookie and localStorage) on our customers' websites for up to 90 days, solely for attribution. It sets no third-party cookies and does no cross-site tracking. Obtaining any legally required consent for this storage is the responsibility of the website operator (the controller), and our script can be loaded conditionally on consent.

Retention

Attribution records are retained while the customer's subscription is active and deleted within 90 days of uninstall or on verified request. Event delivery logs are retained for 13 months for troubleshooting and audit.

Security

Data in transit is encrypted with TLS. Credentials and API tokens are encrypted at rest with AES-256-GCM. Access is limited to personnel who need it to operate the service.

Your rights

If you are a lead or contact of one of our customers, please direct requests (access, deletion, objection) to that business; we will assist them as processor. If you are our direct customer, contact us at the address above. UK/EU residents may lodge complaints with their supervisory authority (in the UK, the ICO).

Changes

We will post updates to this page and note the revision date above.