Privacy Policy

Ripples (together with its affiliated companies – "Ripples", "we", "our" or "us") collects, stores, uses and discloses personal data regarding individuals ("you") who: (i) visit or otherwise interact with our websites ("Visitors"), available at ripples.sh or any other website, webpage, e-mail, text message or online ad under our control (collectively – "Sites"); (ii) sign up for and use our web and product analytics and marketing-attribution platform, whether as an account holder or an authorized member of an account ("Customers"); or (iii) visit or interact with a website or application operated by one of our Customers that has installed our analytics tracker ("End Users"). Our Sites, platform, dashboards, APIs, tracker script and related services are collectively referred to as the "Service".

Your privacy is important to us, and we are strongly committed to making our practices regarding your personal data transparent and fair.

Please read this Privacy Policy carefully and make sure that you fully understand and agree to it.

You are not legally required to provide us with any Personal Data (defined below), and may do so (or avoid doing so) at your own free will.

If you do not wish to provide us with such Personal Data, or to have it processed by us or any of our service providers (such as our hosting, infrastructure and payment providers), please simply do not enter our Sites or use our Service. You may also choose not to provide us with "optional" Personal Data, but please keep in mind that without it we may not be able to provide you with the full range of our services or with the best user experience when using our Service.

This Privacy Policy pertains to Ripples's practices as a "data controller", where we determine the means and purposes for processing personal data — for example, the account data of our Customers and the data we collect through our own Sites. Where we collect and process data about End Users through the analytics tracker that a Customer has installed on its own website or application, we act as that Customer's "data processor" (or "service provider"), processing such data on the Customer's behalf and in accordance with its instructions. If you are an End User and have questions or requests regarding data collected about you on a Customer's website or application, we suggest that you contact that Customer — the operator of the site or app you visited — as they control that data.

This Privacy Policy forms part of our Terms and Conditions and our Customer Subscription Terms (collectively, the "Terms"). Any capitalized but undefined term in this Privacy Policy shall have the meaning given to it in the Terms applicable to your use.

1. Data Collection

We collect several categories of data: (a) data about our Customers — the businesses and individuals who sign up for and use the Service; (b) data about Visitors to our own Sites; and (c) data about End Users, which we collect on behalf of our Customers through the analytics tracker they install on their own websites and applications. Such data is collected directly from you, generated automatically through interaction with the Service, or received from third-party integrations you choose to connect.

Specifically, we collect the following categories of data (which, to the extent it relates to an identified or identifiable individual, is deemed "Personal Data"):

Customer account data received from you: When you sign up for the Service, create an account, or contact us, you provide us with Personal Data. This includes your first and last name, e-mail address, and account login credentials (your password is stored only in hashed form). If you choose to sign up or log in using your Google account, we receive your name, e-mail address, Google account identifier and profile photo. You may also provide account preferences such as locale, timezone and notification settings. We do not request, and do not intend to collect, special categories of sensitive data (such as government-issued identifiers, financial account numbers, health data or biometric data) from our Customers.

Billing and subscription data: If you subscribe to a paid plan, our payment processors (such as Stripe) collect and process your payment details on our behalf. We do not store full payment card numbers on our own systems; we retain billing-related identifiers such as your payment-processor customer ID, subscription status, plan, billing interval and amount.

Project and configuration data: When you create a project in the Service, we store configuration data such as your project name, website domain, timezone, reporting currency, and the public and secret keys used to authenticate your tracker script and API requests.

Analytics data collected about End Users (on behalf of our Customers): When a Customer installs our tracker script on its website or application, we collect, on that Customer's behalf, data about the End Users who visit it. This data is generated automatically as End Users interact with the Customer's website or application, and may include:

  • Online identifiers: a randomly generated visitor identifier and session identifier stored in first-party cookies and/or local storage on the End User's device, and — only if the Customer chooses to identify a user via our identify API — a user identifier supplied by the Customer.
  • Page and usage data: page URLs, paths, hostnames and page titles, the pages visited and timestamps of visits, clicks, sessions, custom events defined by the Customer, and basic web-performance metrics.
  • Referral and marketing-attribution data: the referring URL and domain, UTM campaign parameters, and advertising click identifiers (such as Google's gclid and equivalent identifiers from other advertising platforms) present in the page URL.
  • Device and technical data: IP address, browser type and version, operating system, device type, screen and viewport dimensions, and an approximate geographic location (such as country, region and city) derived from the IP address by our infrastructure provider.
  • Customer-supplied traits and events: if the Customer chooses to send them through our identify or track APIs, additional attributes about an End User — which may include the End User's e-mail address, name, plan, or revenue and transaction details — as configured by that Customer.

The nature and extent of the data collected about End Users is determined by each Customer through its configuration of the tracker and its use of our APIs. Customers are responsible for providing appropriate notice to, and obtaining any consent required from, their End Users, and for ensuring they have a lawful basis to collect this data and to have us process it on their behalf.

Data automatically collected about your use of our own Sites: When you visit or use our own Sites, we (and analytics tools we ourselves use) collect technical and usage data such as your IP address and general location, device and browser information, date and time stamps, and the pages and features you interact with, including through first-party cookies and similar technologies.

Data received from third-party integrations you connect: If you choose to connect a third-party service to your account — such as a payment processor (Stripe, Paddle, Dodo Payments or RevenueCat) or an advertising platform (such as Google Ads) — we receive data from that service as needed to provide the relevant feature, for example subscription and revenue data from a payment processor, or campaign spend, clicks and impressions from an advertising platform. Connecting an integration is optional and is initiated by you, and we do not receive or store your passwords for these third-party services. Our access to Google user data is described in the "Google User Data and Google API Services" section below.

2. Data Uses

We use Personal Data as necessary to provide and operate the Service; to comply with our legal and contractual obligations; and to support our legitimate interests in maintaining, securing and improving the Service, providing customer support, and marketing and selling our own Service. Where we process data about End Users, we do so only on behalf of, and in accordance with the instructions of, the relevant Customer, as described above.

If you reside or are using the Service in a territory governed by privacy laws under which "consent" is the only or most appropriate legal basis for processing Personal Data (in general, or specifically with respect to the types of Personal Data you choose to share via the Service), your acceptance of our Terms and of this Privacy Policy will be deemed as your consent to the processing of your Personal Data for the purposes detailed in this Privacy Policy. If you wish to revoke such consent, please contact us by email at [email protected].

Specifically, we use Personal Data for the following purposes:

  • To facilitate, operate, provide and maintain the Service, including generating the analytics dashboards, reports, and attribution and payback insights that are the core of the Service;
  • To create and administer your account, authenticate Customers, and allow access to the Service;
  • To verify and carry out billing and financial transactions in relation to payments for the Service;
  • To provide our Visitors, Customers and End Users with assistance and support, and to send service-related communications and, where permitted, product updates and offers relating to our own Service;
  • To understand how the Service is used and to develop, improve, and secure our products, offerings and overall performance;
  • To create aggregated, de-identified or anonymized statistics and insights that no longer identify any individual, which we may use to operate and improve the Service;
  • To support and enhance our data security measures, and to prevent, detect and mitigate the risks of fraud, error or any illegal or prohibited activity, and to comply with applicable law.

3. Data Security

We take the security of your Personal Data seriously and maintain a range of technical, administrative and organizational measures designed to protect it against unauthorized or unlawful access, alteration, disclosure, loss or destruction. We apply these safeguards to all Personal Data we process, and we apply heightened protections to more sensitive data — such as authentication credentials and OAuth access tokens, payment- and revenue-related data, and any personal attributes that a Customer chooses to send us about its End Users. Our safeguards include:

  • Encryption in transit: All data exchanged between your device and our Service, and between our Service and third-party services such as the Google APIs, is transmitted over encrypted connections using industry-standard TLS (HTTPS). We do not accept unencrypted connections to the Service.
  • Encryption at rest: Personal Data — including sensitive Personal Data and any credentials or OAuth authorization tokens (such as those obtained when you connect Google Ads) — is stored encrypted at rest in our databases and storage systems.
  • Credential and token protection: Account passwords are stored only in hashed (one-way encrypted) form and are never stored or logged in plaintext. Third-party access tokens are stored encrypted, are never exposed to other users, and can be revoked by you at any time.
  • Access controls and least privilege: Access to Personal Data is restricted to authorized personnel and systems that require it to operate, support or improve the Service, and is governed by role-based access controls, strong authentication and the principle of least privilege. Sensitive data is subject to additional access restrictions.
  • Network and infrastructure security: The Service is hosted with reputable cloud infrastructure providers in secured environments protected by firewalls, network segmentation and continuous monitoring, and we keep our systems patched and up to date.
  • Data minimization and retention limits: We collect only the data needed for the purposes described in this Privacy Policy and retain it only for as long as necessary. When data is no longer needed, it is deleted or irreversibly anonymized.
  • Monitoring, logging and testing: We log and monitor access to our systems and periodically review and test our security controls to identify and remediate vulnerabilities.
  • Incident response: We maintain procedures to detect and respond to security incidents and, where legally required, to notify affected individuals and the relevant authorities of any personal data breach.

While we strive to protect your Personal Data using the measures described above, no method of transmission over the Internet or method of electronic storage is completely secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at [email protected].

Google User Data and Google API Services

This section explains how Ripples accesses, uses, stores, and shares data obtained through Google APIs, including the Google Ads API. Connecting a Google account is entirely optional and is only ever initiated by you.

How we obtain access. If you choose to connect Google Ads, we use Google OAuth 2.0 to ask for your explicit consent. We request read-only access to your Google Ads data using the https://www.googleapis.com/auth/adwords scope. We never receive or store your Google account password, and you can revoke our access at any time from your Google Account security settings or by disconnecting the integration inside Ripples.

What Google user data we access. Through the Google Ads API we access read-only reporting data from the Google Ads account(s) you choose to connect — specifically the list of Google Ads accounts you can manage, your campaign names and identifiers, and campaign performance metrics such as daily cost/spend, clicks, and impressions.

How we use this data. We use this data solely to provide the core features of our Service to you: importing your daily advertising spend and combining it with the revenue and conversion data already tracked in your account so that we can calculate your return on ad spend (ROAS) and show how long each marketing channel takes to pay back. This data is presented only within your own private Ripples dashboard.

What we do not do. We do not create, edit, pause, or delete your Google Ads campaigns. We do not access your Customer Match lists or any customer contact information stored in Google Ads. We do not sell, rent, or share your Google user data with third parties, and we do not use it for advertising, or to develop, improve, or train generalized or non-personalized artificial intelligence and/or machine learning models.

Storage and retention. Google Ads data we import — together with the OAuth authorization tokens used to access it — is stored securely, encrypted both in transit and at rest, with access restricted to authorized systems and personnel in accordance with our Data Security measures described in Section 3 above. It is retained only for as long as your integration remains connected and as needed to provide the Service. When you disconnect the integration or delete your account, we delete the associated Google Ads data and revoke the stored authorization. You may also request deletion at any time by emailing [email protected].

Limited Use. Ripples's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.