Privacy Policy
How Grizzly Signal — operated by Grizzly Digital Media — collects, uses, and protects information when you or your visitors interact with our service.
Who we are
Grizzly Signal is a server-side conversion infrastructure service operated by Grizzly Digital Media. We help advertisers improve the quality of conversion signals delivered to platforms like Meta. References to "we," "us," or "our" mean Grizzly Digital Media. References to "client" mean a business that has subscribed to Grizzly Signal. References to "visitor" mean an end user of a client's website where our pixel or webhook integration is installed.
What we collect
From client websites (visitor data)
- Pixel events — page views, scroll depth, clicks, form submissions, and similar interactions on pages where our pixel snippet is installed
- IP address and user agent — extracted from the request headers, used for identity matching with ad platforms
- Email and phone — collected only when explicitly passed by the client via the pixel's track() API or a server-side webhook. SHA-256 hashed in the browser before transmission and re-hashed server-side as a defensive measure
- UTM parameters — campaign, source, medium, content, term — read from the page URL
- Meta click identifiers — fbclid, fbc, fbp cookies — used for Meta's identity matching
- First-party cookie — grizzly_id, a randomly generated visitor identifier with a 365-day expiry
From clients (account data)
- Name, email, business name, platform
- Meta Pixel ID and Conversions API access token (encrypted at rest by Railway Postgres)
- Stripe customer ID and subscription state
How we use it
- To improve the quality and completeness of conversion signals our clients send to advertising platforms (primarily Meta Conversions API)
- To compute Event Match Quality (EMQ) scores and operational metrics for client dashboards
- To identify the same visitor across sessions and devices using the first-party grizzly_id cookie
- To detect and resolve service issues
- To bill clients via Stripe and send transactional emails
Data retention
- Visitor events — retained for 90 days in our database, then deleted
- Client account data — retained while the account is active. After cancellation we keep account records for up to 12 months for billing and audit purposes, then delete
- Hashed PII (email, phone, etc.) — never stored as raw values. Only SHA-256 hashes are written to the database
Third parties
We share data only with the third parties strictly necessary to deliver our service:
- Meta Platforms — receives whitelisted conversion events via Conversions API on behalf of each client, using each client's own Pixel ID and access token
- Stripe — handles all client payments. We never see card data
- Resend — sends transactional and operational emails (welcome, password reset, alerts)
- Railway — hosts our application servers and database
- Vercel — hosts our marketing and dashboard frontends
We do not sell, rent, or share data with advertisers, ad networks, or data brokers.
Cookies
The pixel sets a single first-party cookie, grizzly_id, on the client's domain (not ours). It contains a randomly generated identifier with no personal information and exists only to recognize repeat visitors so we can stitch their journey across sessions. Full details in our Cookie Policy.
Visitor rights
Because Grizzly Signal operates as a data processor on behalf of our clients (the data controllers), visitors who want to access, correct, or delete their data should contact the client whose website they visited. We will assist any client request to fulfill such requests within our 90-day retention window.
Security
- All connections are TLS-encrypted (HTTPS only)
- Passwords are hashed with bcryptjs (cost factor 10)
- Sessions are managed via signed JWTs delivered as HttpOnly; Secure; SameSite=Lax cookies
- API keys are scoped per-client and never logged in full
- Database is hosted in a private Railway network with no public ingress
Children's privacy
Our service is not directed to children under 13, and we do not knowingly collect data from them. If you believe a child has provided information through one of our clients' websites, contact the client and us at hello@grizzlysignal.com.
Changes to this policy
We may update this policy from time to time. Material changes will be communicated to clients via email at least 30 days before they take effect. The current version is always available at grizzlysignal.com/privacy.
Contact
Questions or requests: hello@grizzlysignal.com