This Privacy Policy explains how ApnaKey Ltd ("we", "us", "our") collects, uses, and protects your personal data when you use Trace UTM (the "Service"), available at utm8.lovable.app and any related domains.
We are the data controller of personal data processed via the Service.
1. Who we are
ApnaKey Ltd is a company registered in England and Wales.
- Company number: 13405148
- Registered office: 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ
- Contact: info@apnakey.com
2. Data we collect
Account data: email address, name (if provided), and authentication identifiers from your chosen sign-in method (Google account ID, email).
Subscription and billing data: if you subscribe to a paid plan, Stripe processes your payment details. We do not store full card numbers. We receive limited billing information from Stripe (last 4 digits of card, billing country, subscription status, invoices).
Service usage data: the UTM campaigns you create and save, workspace settings, templates, and product activity (logins, feature usage).
Google Analytics data (only if you connect a GA4 property): OAuth tokens that allow us to query your GA4 data on your behalf, and the GA4 metrics we display in the Service. See section 6 below for our Limited Use commitments.
AI assistant inputs: if you use the AI campaign assistant, the campaign descriptions you submit are sent to a third-party large language model provider to generate suggestions.
Technical data: IP address, device and browser type, pages visited, and behavioural data collected by Google Analytics and Microsoft Clarity where you have consented (see our Cookie Policy).
Communications: messages you send us at info@apnakey.com or via support channels.
3. How we use your data and the lawful basis under UK GDPR
| Purpose | Lawful basis |
|---|---|
| Provide the Service (accounts, campaigns, GA4 integration) | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Respond to support enquiries | Legitimate interest |
| Improve the Service (analytics, session replay) | Consent (you can withdraw at any time) |
| Comply with legal obligations (tax records, fraud prevention) | Legal obligation / legitimate interest |
| Send service-related emails (billing notifications, security alerts) | Performance of contract |
| Send marketing emails | Consent (opt-in only) |
4. Who we share your data with
We use the following third-party processors:
| Provider | Purpose | Location |
|---|---|---|
| Lovable / Supabase | Application hosting and authentication | UK / US |
| Stripe | Payment processing | EU / US |
| Google (Analytics, OAuth) | GA4 integration where you connect your account | EU / US |
| Microsoft Clarity | Session analytics (subject to your consent) | US |
| OpenAI | AI campaign assistant features | US |
We do not sell your personal data.
5. International data transfers
Some of our providers are located outside the UK and EEA, primarily in the United States. Where data is transferred internationally, we rely on one or more of the following safeguards:
- The UK-US Data Bridge / EU-US Data Privacy Framework, where the provider is certified
- Standard Contractual Clauses with the UK addendum
- Other appropriate safeguards under Article 46 of UK GDPR
6. Google API user data (Limited Use)
When you connect a Google Analytics 4 property to Trace UTM, we receive an OAuth token allowing us to query your GA4 data on your behalf.
Trace UTM's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in the Service — specifically, displaying GA4 metrics next to your saved UTM campaigns.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with your explicit consent.
- We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data, unless we have your explicit consent for specific data, it is necessary for security purposes such as investigating abuse, to comply with applicable law, or the data has been aggregated and anonymised for internal operations.
- We do not use Google user data to train or improve generalised machine learning models.
We do not store your GA4 metric data on our servers. It is fetched live from Google's API and displayed to you in real time. We store only the OAuth tokens needed to make these requests.
You can disconnect your Google account at any time from your account settings or via your Google Account permissions page. Disconnection revokes our access immediately.
7. Cookies and tracking technologies
See our Cookie Policy for full details. Analytics and session-replay tools (Google Analytics, Microsoft Clarity) only load after you give consent via the cookie banner.
8. Data retention
| Data type | Retention period |
|---|---|
| Account data and saved campaigns | For the life of your account, plus 30 days after deletion |
| Payment and tax records | 6 years (UK HMRC requirement) |
| Server backups | Rolled over within 90 days |
| Support communications | 2 years after last contact |
| Marketing consent records | Until you withdraw consent, plus 2 years |
| GA4 OAuth tokens | Until you disconnect, or 6 months of inactivity |
GA4 data displayed via the Service is not stored by us. Retention of that data is governed by your own GA4 property's retention settings within your Google account.
9. Your rights
Under UK GDPR and equivalent laws (including EU GDPR and CCPA/CPRA in California), you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your personal data ("right to be forgotten")
- Restriction — ask us to limit our processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest, and to direct marketing at any time
- Withdraw consent — where processing is based on consent, withdraw it at any time
- Lodge a complaint — with your local supervisory authority (in the UK, the ICO)
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of any sale or sharing. We do not sell or share personal information as defined under the CCPA.
To exercise any of these rights, contact info@apnakey.com. We will respond within one month.
10. Children
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have, contact info@apnakey.com and we will delete it.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is completely secure, and we cannot guarantee absolute security.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email or via the Service. The "Last updated" date at the top reflects the most recent version.
13. Contact
Questions about this policy or your data: info@apnakey.com.