Privacy Policy

Last updated: March 1, 2026

Our Commitment to Your Privacy

At ObserviX ("ObserviX", "we", "us", or "our"), we are committed to protecting your privacy and ensuring the security of your personal data. We NEVER sell your data to anyone.

This Privacy Policy explains how ObserviX processes personal data collected through our marketing analytics and attribution platform, our website https://observix.ai, and other services we provide (collectively, the "Services").

1. Who We Are

ObserviX, Inc. is a bootstrapped SaaS company that provides advanced marketing analytics and multi-touch attribution solutions. We specialize in helping businesses track visitor behavior, visualize customer journeys, and connect marketing efforts to real business outcomes like ROI, ROAS, and profit margins.

Data Controller Information:

  • Company: ObserviX, Inc.
  • Founded: January 1, 2025
  • Address: 20 N Wacker Dr, Suite 1200, Chicago, IL 60606, USA
  • Email: info@observix.ai
  • Phone: +1-626-866-1457

2. Information We Collect

2.1 Information You Provide Directly

When you interact with our Services, we may collect:

Account Information:

  • Full name, email address, phone number
  • Company name, job title, department, seniority level
  • Billing information (processed securely through our payment provider)
  • Login credentials and authentication data
  • Subscription tier selection (Basic, Professional, Enterprise)

Communication Data:

  • Information provided when you contact us for support
  • Feedback, survey responses, and feature requests
  • Demo requests and sales inquiries
  • Onboarding form responses

Integration Data:

  • API keys and credentials for third-party services you connect
  • CRM integration settings (HubSpot, Salesforce, etc.)
  • Configuration settings for your tracking setup
  • Custom event definitions in Event Manager

Google Analytics Data (via OAuth 2.0):

When you connect your Google Analytics account, we access your GA4 property data using the analytics.readonly OAuth scope. Specifically, we collect:

  • Property metadata (property name, ID, and configuration) via the Google Analytics Admin API
  • Report data via the Google Analytics Data API, including: sessions, page views, active users, new users, conversions, bounce rate, session duration, engagement rate, traffic sources, geographic summaries, device categories, and campaign performance metrics
  • We do NOT modify, write to, or delete any data in your Google Analytics account
  • This data is stored in your isolated tenant database and used exclusively to power your ObserviX analytics dashboard
  • You may disconnect your Google Analytics integration at any time through your account settings, after which stored GA4 data will be deleted within 30 days

Google Ads Data (via OAuth 2.0):

When you connect your Google Ads account, we access your advertising data using the https://www.googleapis.com/auth/adwords OAuth scope. Specifically, we collect:

  • Campaign performance data (impressions, clicks, cost, conversions, ROAS) via the Google Ads API
  • Ad group and keyword performance metrics for multi-touch attribution analysis
  • Account and customer hierarchy metadata (customer ID, account name)
  • We do NOT create, modify, pause, or delete any campaigns, ad groups, ads, keywords, or settings in your Google Ads account
  • This data is stored in your isolated tenant database and used exclusively to power your ObserviX ads attribution dashboard
  • You may disconnect your Google Ads integration at any time through your account settings, after which stored Google Ads data will be deleted within 30 days

Google Search Console Data (via OAuth 2.0):

When you connect your Google Search Console account, we access your search performance data using the https://www.googleapis.com/auth/webmasters.readonly OAuth scope. Specifically, we collect:

  • Search analytics data (clicks, impressions, CTR, average position) segmented by query, page, country, and device
  • Property listing (verified sites registered in your Search Console account)
  • We do NOT modify, write to, or delete any data, settings, or configurations in your Google Search Console account
  • This data is stored in your isolated tenant database and used exclusively to power your ObserviX SEO analytics dashboard
  • Note: Google Search Console data has a 2–3 day processing delay; data displayed in ObserviX reflects this latency
  • You may disconnect your Google Search Console integration at any time through your account settings, after which stored data will be deleted within 30 days

Google Tag Manager Data (via OAuth 2.0):

When you use the ObserviX one-click pixel installation feature, we access your Google Tag Manager account using the https://www.googleapis.com/auth/tagmanager.readonly, https://www.googleapis.com/auth/tagmanager.edit.containers, and https://www.googleapis.com/auth/tagmanager.publish OAuth scopes. Specifically:

  • We read your GTM account and container list solely to identify where to install the ObserviX Pixel
  • We create a single Custom HTML tag containing the ObserviX Pixel snippet and an "All Pages" trigger in a new workspace
  • We publish the workspace to activate the Pixel on your website
  • All GTM operations are performed at your explicit direction during the pixel installation flow; no changes are made without your confirmation
  • We do NOT create, modify, or delete any existing tags, triggers, variables, containers, or workspaces beyond the ObserviX Pixel installation
  • GTM account access is used solely for this pixel installation purpose and for any subsequent updates you explicitly request
  • You may revoke Google Tag Manager access at any time; this does not automatically remove the installed Pixel tag (manual removal in GTM is required if desired)

2.2 Information We Collect Automatically

Usage Data:

  • IP address (processed during session for geo-location, deleted before storage)
  • Device information (type, operating system, browser, language)
  • Pages visited, features used, time spent
  • Referral source and exit pages
  • Pixel script implementation status

Tracking Data (for our own website):

  • Unique visitor IDs and session identifiers
  • Session fingerprints for cross-device tracking
  • UTM parameters and campaign data
  • Channel attribution data (Paid Search, Organic Social, Direct, etc.)
  • Conversion events and full customer journey data
  • Multi-touch attribution touchpoints

Platform Analytics Data:

  • Feature usage patterns within ObserviX dashboard
  • API call volumes and endpoint usage
  • Token consumption metrics
  • Attribution model preferences

2.3 Information from Third Parties

We may receive information from:

  • OAuth providers (Google, Microsoft, LinkedIn, X) for authentication
  • Google Analytics (GA4 property reports and metadata, accessed via OAuth 2.0 with the analytics.readonly scope at your direction)
  • Google Ads (campaign performance data, accessed via OAuth 2.0 with the adwords scope at your direction)
  • Google Search Console (search analytics data, accessed via OAuth 2.0 with the webmasters.readonly scope at your direction)
  • Google Tag Manager (container access for one-click pixel installation, accessed via OAuth 2.0 at your explicit direction)
  • CRM systems you integrate for offline conversion tracking
  • Ad platforms (Meta, LinkedIn) for conversion syncing
  • Marketing partners for co-branded events or webinars

3. How We Use Your Information

We use your personal data to:

Provide Core Services:

  • Deploy and manage your ObserviX Pixel tracking
  • Process visitor sessions and attribution data
  • Generate multi-touch attribution insights
  • Create visual customer journey timelines
  • Calculate ROI, ROAS, and profit margin analytics
  • Manage your subscription and token allocation

Platform Operations:

  • Create and manage your tenant database
  • Configure multi-tenant isolation
  • Process real-time tracking events
  • Generate attribution reports and dashboards
  • Sync offline conversions to ad platforms

Enhance User Experience:

  • Personalize your attribution model preferences
  • Remember your dashboard configurations
  • Optimize platform performance based on usage
  • Provide intuitive, no-code event tracking

Communication:

  • Send service notifications and system alerts
  • Provide onboarding guidance and tutorials
  • Share product updates and new features
  • Notify about token usage and billing

Security and Compliance:

  • Detect and prevent tracking fraud
  • Ensure multi-tenant data isolation
  • Monitor for anomalous usage patterns
  • Comply with legal obligations

Product Development:

  • Improve attribution algorithms
  • Enhance customer journey visualization
  • Develop new integration capabilities
  • Optimize platform simplicity and usability

4. Legal Basis for Processing (EEA/UK Residents)

We process your personal data based on:

  • Contract Performance: To provide the ObserviX Services you've subscribed to
  • Legitimate Interests: For platform security, fraud prevention, and service improvements
  • Consent: For marketing communications and beta features
  • Legal Obligations: To comply with tax, data protection, and other legal requirements

5. How We Share Your Information

We do not sell, rent, or trade your personal data. We share information only:

With Service Providers:

  • Cloud infrastructure (Microsoft Azure - Container Apps, SQL, Redis, CDN)
  • Payment processing (Stripe - post-MVP implementation)
  • Email delivery services for transactional emails
  • Development and deployment tools (Azure DevOps)

For Platform Functionality:

  • Ad platforms for offline conversion syncing (with your authorization)
  • CRM systems for two-way data synchronization (with your consent)
  • Analytics services for our own website optimization

Google Analytics Data:

  • Data retrieved from your Google Analytics account via OAuth 2.0 is NOT shared with any third party
  • It is stored in your isolated tenant database and used solely to display analytics within your ObserviX dashboard
  • We do not use your Google Analytics data for advertising, profiling, or any purpose unrelated to providing the Service

Google Ads Data:

  • Data retrieved from your Google Ads account via OAuth 2.0 is NOT shared with any third party
  • It is stored in your isolated tenant database and used solely to display attribution and campaign performance data within your ObserviX dashboard
  • We do not use your Google Ads data for advertising, profiling, or any purpose unrelated to providing the Service

Google Search Console Data:

  • Data retrieved from your Google Search Console account via OAuth 2.0 is NOT shared with any third party
  • It is stored in your isolated tenant database and used solely to display SEO analytics within your ObserviX dashboard
  • We do not use your Search Console data for advertising, profiling, or any purpose unrelated to providing the Service

Google Tag Manager Data:

  • GTM account access credentials are used solely to install the ObserviX Pixel at your explicit request and are not retained after installation is complete
  • The ObserviX Pixel code installed via Google Tag Manager sends visitor analytics data exclusively to your ObserviX tenant; this data is not shared with any third party
  • We do not use your GTM account access for any purpose unrelated to installing or managing the ObserviX Pixel at your explicit request

For Legal Reasons:

  • To comply with legal obligations or court orders
  • To protect our rights, property, and safety
  • To investigate suspected fraud or security issues
  • In response to lawful requests from authorities

Business Transfers:

  • In connection with a merger, acquisition, or sale of assets
  • To investors or advisors under confidentiality agreements

6. Data Security

We implement enterprise-grade security measures:

Infrastructure Security:

  • Azure Container Apps with isolated environments
  • Multi-tenant database isolation with separate schemas
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Azure CDN for secure Pixel script delivery

Access Controls:

  • Role-based access control (Admin, Analyst, Viewer)
  • Secure API endpoints with JWT token authentication
  • OAuth 2.0 for third-party integrations
  • Multi-factor authentication support

Operational Security:

  • Automated security scanning in CI/CD pipelines
  • Regular penetration testing and vulnerability assessments
  • 24/7 monitoring and alerting
  • Disaster recovery with geo-redundant backups

Data Protection:

  • Pixel authentication to prevent unauthorized tracking
  • Session data anonymization options
  • PII encryption for sensitive fields
  • Audit logs for all data access

7. Data Retention

We retain your data according to these policies:

  • Account Data: Active for subscription duration
  • Tracking Data: Based on your subscription tier and retention settings
  • Attribution Data: Preserved for historical analysis per your plan
  • Session Data: Automatically aggregated after 90 days
  • Deleted Accounts: Permanently removed after 30-day grace period
  • Backup Data: Retained for 30 days for disaster recovery
  • Legal Holds: Extended as required by law or legal proceedings

8. Your Privacy Rights

You have the following rights regarding your personal data:

Universal Rights:

  • Access: Download your personal data in JSON format
  • Rectification: Update incorrect information via your account settings
  • Deletion: Request account termination and data removal
  • Portability: Export your data in machine-readable formats
  • Object: Opt out of marketing and non-essential processing
  • Restrict: Limit processing while disputes are resolved

Region-Specific Rights:

For EEA/UK Residents:

  • Withdraw consent without affecting prior processing
  • Lodge complaints with your local Data Protection Authority
  • Object to automated decision-making

For California Residents (CCPA/CPRA):

  • Know what personal information we collect and how it's used
  • Request deletion of personal information
  • Opt out of any "sale" of personal information (we don't sell data)
  • Non-discrimination for exercising privacy rights

For Other US States:

  • Virginia (VCDPA), Colorado (CPA), and other state-specific rights

To exercise these rights, contact us at info@observix.ai.

9. Cookie and Tracking Policy

Essential Cookies:

  • Authentication tokens for secure login
  • Session management for platform access
  • Security cookies for CSRF protection
  • Load balancing for optimal performance

Analytics Cookies (with consent):

  • First-party analytics for website improvement
  • Attribution tracking for our own marketing
  • Feature usage analytics for product development

ObserviX Pixel Technology:

  • Our JavaScript Pixel uses first-party cookies only
  • Unique visitor identification via secure fingerprinting
  • Session tracking with automatic timeout
  • No third-party cookies or cross-site tracking

You can manage preferences via our cookie banner or browser settings.

10. International Data Transfers

As a global service provider operating from the United States, we ensure secure international data handling:

Data Location:

  • Primary processing in the United States
  • Future EU data centers planned for European customers
  • Real-time replication for business continuity

Transfer Safeguards:

  • Standard Contractual Clauses (SCCs) for EEA/UK/Swiss transfers
  • Binding Corporate Rules for intra-company transfers
  • Encryption for all cross-border data movement
  • Compliance with local data localization requirements

Regional Compliance:

  • GDPR compliance for European data subjects
  • CCPA/CPRA compliance for California residents
  • Adherence to sectoral requirements (HIPAA-ready infrastructure)

11. Children's Privacy

Our Services are designed for business use and not intended for individuals under 18. We do not knowingly collect data from children. If you believe we have inadvertently collected such data, please contact us immediately at info@observix.ai for prompt deletion.

12. Third-Party Services and Links

Integrated Services: Our platform integrates with various third-party services at your direction. Each integration is governed by that service's privacy policy:

  • Google services (Analytics, Ads, Search Console, Tag Manager) via OAuth 2.0
  • CRM systems (HubSpot, Salesforce)
  • Ad platforms (Meta Business, LinkedIn)
  • Payment processors (Stripe)

External Links: Our Services may contain links to third-party websites. We are not responsible for their privacy practices. Please review their policies before providing personal information.

13. Changes to This Policy

We may update this policy to reflect:

  • New features or services
  • Legal or regulatory changes
  • Security improvements
  • User feedback

Notification Methods:

  • Email to all registered users for material changes
  • In-app notifications for active users
  • Banner on our website
  • 30-day notice for significant changes

Continued use after the effective date constitutes acceptance.

14. Contact Us

For all privacy-related inquiries, requests, or concerns:

ObserviX, Inc.
20 N Wacker Dr, Suite 1200
Chicago, IL 60606
United States

Email: info@observix.ai
Phone: +1-626-866-1457
Business Hours: Monday-Friday, 9 AM - 6 PM CST

Data Protection Officer: Igor Flyunt, Founder & CEO

Response Commitment:

  • Acknowledgment within 48 hours
  • Full response within 30 days
  • Expedited handling for urgent matters

15. Additional Provisions

15.1 Data Processing Agreement (DPA)

Enterprise customers may request a comprehensive DPA including:

  • Detailed data processing terms
  • Security addendum
  • Liability provisions
  • Audit rights

15.2 Privacy Shield and Frameworks

While Privacy Shield is no longer valid, we maintain equivalent protections and are prepared to adopt successor frameworks as they emerge.

15.3 Industry-Specific Compliance

We can accommodate industry-specific requirements:

  • HIPAA Business Associate Agreements (future)
  • Financial services compliance (SOC 2 planned)
  • Marketing industry standards (IAB Transparency)

15.4 Accessibility and Translations

  • This policy is available in accessible formats
  • Translations available upon request for Enterprise customers
  • Plain language summary available for non-legal audiences

15.5 Beta Features and Pilot Programs

Participation in beta features may involve:

  • Additional data collection for feature improvement
  • Separate consent requirements
  • Enhanced feedback mechanisms

Effective Date: This Privacy Policy is effective as of March 1, 2026.

Version: 1.2

Questions? For any questions about this Privacy Policy or ObserviX's data practices, please contact us at info@observix.ai or call +1-626-866-1457. We're committed to transparency and are here to help you understand how we protect your privacy.