SegMetrics' Privacy Policy

Updated: May 26, 2026

This Privacy Policy describes how SegMetrics, Inc. (“SegMetrics,” “we,” “our,” or “us”) collects, uses, and discloses Personal Information in connection with our websites, our marketing analytics platform, and our related services (together, the “Services”). It also explains the rights individuals have in relation to that Personal Information and how to exercise them.

This Privacy Policy applies to:

segmetrics.io and our other public-facing websites (the “Sites”);
app.segmetrics.io and the SegMetrics application (the “Platform”); and
support, sales, and marketing communications we send.

This Privacy Policy replaces our prior Privacy Policy (last revised September 14, 2023) and our prior CCPA Privacy Policy (last revised February 27, 2023) in full.

For questions about this Privacy Policy, contact privacy@segmetrics.io.

1. Our two roles: Controller and Processor

SegMetrics handles two distinct categories of Personal Information, and the rules that apply differ depending on which category is involved.

When we act as a Controller. For Personal Information about visitors to our Sites, prospective customers, and the individuals who hold or administer SegMetrics accounts on behalf of our business customers (each, an “Account Holder”), SegMetrics is the controller. This Privacy Policy describes our practices in that role and the rights you have against us directly.

When we act as a Processor. SegMetrics is a marketing attribution and analytics platform. Our business customers (“Customers”) use the Platform to analyze data about their end users, leads, and contacts. When a Customer uploads, imports, or transmits Personal Information about its end users through the Platform (“Customer Personal Data”), the Customer is the controller of that information and SegMetrics is its processor. Our processing of Customer Personal Data is governed by our Data Processing Agreement (“DPA”) with the Customer, available at segmetrics.io/dpa/, and not primarily by this Privacy Policy.

If you are an end user, lead, contact, or customer of a SegMetrics Customer and you have questions about how your Personal Information is processed in the Platform, you should contact that Customer directly. The Customer is responsible, as controller, for providing you with notice, obtaining any required consents, and responding to your data subject requests. SegMetrics will assist Customers in responding to those requests but generally will not respond to them directly.

2. Personal Information we collect

2.1 Personal Information collected from Site visitors

When you visit our Sites, we automatically collect:

Device and browser information: IP address, browser type and version, operating system, device type, language preference, and time zone;
Usage information: pages viewed, referring URL, links clicked, session timing, search terms entered on our Sites, and similar interaction data;
Marketing attribution information: UTM parameters, ad-click identifiers, and referrer data captured when you arrive from one of our advertisements or marketing campaigns; and
Cookie and similar identifiers: as described in Section 5.

If you voluntarily submit information through a Site form (for example, to book a demo, download a resource, subscribe to our newsletter, or contact us), we collect what you provide — typically your name, business email, company name, role, and any free-text content you include.

2.2 Personal Information collected from Account Holders

When an individual creates or uses a SegMetrics account on behalf of a Customer, we collect:

Account registration information: name, work email, password (hashed), company name, and role;
Billing information: billing contact details, billing address, and tax information. Payment-card details are entered directly into our payment processor (Stripe) and are not stored on SegMetrics systems;
Support information: the content of support requests and any information voluntarily provided to our support team; and
Platform usage information: features used, configurations set, integrations enabled, dashboards viewed, query activity, and similar logs needed to operate, secure, and improve the Platform.

2.3 Customer Personal Data (processed on behalf of Customers)

In our role as processor, we receive and process Personal Information about our Customers’ end users and contacts. The categories depend on each Customer’s configuration and integrations and are described in Section 4 of our DPA. They typically include:

identifying and contact data (names, email addresses, phone numbers);
customer and registration data;
booking and purchase data;
behavioural and analytics data, including IP addresses and device metadata;
marketing attribution data, including ad clicks, campaign identifiers, and multi-touch journey data;
communication metadata (the fact of an email being sent, opened, or clicked — not the content of the communication, unless a Customer explicitly enables an integration that transmits content); and
segments, scores, and attribution outputs generated by the Platform on the Customer’s behalf.

We do not control what information Customers choose to transmit through the Platform. Our handling of Customer Personal Data is governed by the DPA.

2.4 Sources of Personal Information

We collect Personal Information:

directly from you, when you fill in a form, create an account, or contact us;
automatically, through cookies and similar technologies when you use our Sites or the Platform;
from our Customers, when they upload, import, or transmit data through the Platform (in our processor role);
from integrations you authorize — for example, ad platforms, email service providers, customer relationship management systems, and e-commerce platforms that a Customer connects to the Platform; and
from service providers — for example, our payment processor, our email delivery vendor, and our analytics providers.

3. How we use Personal Information

3.1 As controller (Site visitors and Account Holders)

We use Personal Information about Site visitors and Account Holders to:

provide, operate, secure, and improve the Sites and the Platform;
create and manage SegMetrics accounts;
process payments and manage billing;
respond to support and sales inquiries;
send transactional and account communications (for example, security alerts, billing notices, and product updates relevant to your account);
send marketing communications, where permitted, with an unsubscribe mechanism in every message;
conduct analytics about how our Sites and Platform are used, so we can improve them;
detect, prevent, and investigate fraud, abuse, security incidents, and violations of our Terms of Service;
comply with our legal obligations, respond to lawful requests from public authorities, and enforce or defend our legal rights.

3.2 As processor (Customer Personal Data)

We use Customer Personal Data only:

to provide the Services to the Customer in accordance with the DPA and the Customer’s documented instructions;
to comply with applicable legal obligations; and
to secure the Platform and detect, prevent, and respond to security incidents.

We do not use Customer Personal Data for our own commercial purposes outside the scope of the Services.

4. What we do not do with Personal Information

We make the following commitments. These apply across both our controller and processor roles unless otherwise specified.

We do not sell Personal Information. We do not exchange Personal Information for monetary consideration. Section 9 explains how we treat “sale” and “sharing” under California law specifically, including a narrow disclosure relating to advertising cookies on our Sites.
We do not share Customer Personal Data for cross-context behavioral advertising. Personal Information that flows through the Platform is never disclosed to advertising networks for retargeting or interest-based advertising.
We do not use Personal Information to train artificial intelligence or machine learning models. This applies to Customer Personal Data, Site visitor information, and Account Holder information. Where we use third-party AI services to deliver specific features (see Section 7), we use providers that contractually commit not to train on API data.
We do not enrich Customer Personal Data for the benefit of any party other than the Customer. Attribution outputs, segments, and scores generated by the Platform are produced for the Customer that owns them.
We do not engage in profiling that produces legal or similarly significant effects on data subjects within the meaning of Article 22 of the EU and UK GDPR. The attribution modelling, lead scoring, and segmentation performed within the Platform are carried out on the Customer’s instructions, on the Customer’s data, and solely to deliver the Services to the Customer.
We do not disclose Customer Personal Data to third parties other than the subprocessors listed at segmetrics.io/subprocessors/, and only as needed to provide the Services.

5. Cookies and similar technologies

5.1 What we use

We use cookies and similar technologies on our Sites and, in a more limited way, in the Platform. We use the following categories:

Strictly necessary cookies are required for the Sites and the Platform to function — for example, to authenticate Account Holders, maintain session state, and protect against fraud. These cannot be disabled through this Privacy Policy.
Functional cookies remember your preferences (for example, language).
Analytics cookies help us understand how the Sites are used so we can improve them.
Advertising cookies are set on our Sites by us and by advertising partners to measure the performance of our marketing campaigns and to deliver advertisements to you on third-party platforms.

The specific third-party services we currently use that involve cookies or similar tracking are:

Service	Provider	Purpose	Category
Google Tag Manager	Google LLC	Tag management on our Sites	Strictly necessary (loader); other categories depending on tags loaded
Google Analytics	Google LLC	Site usage analytics	Analytics
Meta Business Suite (Meta Pixel)	Meta Platforms, Inc.	Campaign measurement and audience-building for our advertising on Meta-owned platforms	Advertising
ActiveCampaign	ActiveCampaign, LLC	Marketing automation and product communications to Account Holders and prospects	Functional / Analytics
Stripe	Stripe, Inc.	Payment processing and fraud prevention for subscription billing	Strictly necessary

The Platform itself uses only strictly necessary cookies for authentication and session management; it does not deploy advertising or third-party analytics cookies on logged-in Account Holders.

5.2 Your choices

You can manage cookies in several ways:

Browser controls: most browsers allow you to block or delete cookies through their settings. Doing so may break parts of the Sites or the Platform.
Google Analytics opt-out: tools.google.com/dlpage/gaoptout.
Meta advertising preferences: through the ad-settings controls in your Facebook or Instagram account.
Network-level advertising opt-outs: Digital Advertising Alliance at optout.aboutads.info, Network Advertising Initiative at networkadvertising.org/choices, and European Digital Advertising Alliance at youronlinechoices.com.
Global Privacy Control (GPC): we honor browser-level GPC signals as a valid opt-out of “sale” and “sharing” under California law (see Section 9).

6. Legal bases for processing (EU, UK, and Swiss residents)

Where the EU GDPR, UK GDPR, or Swiss FADP applies to our processing of your Personal Information as a controller, we rely on the following legal bases:

Performance of a contract: to provide the Services and meet our contractual obligations to Account Holders and Customers.
Legitimate interests: to operate, secure, and improve our Sites and Platform; to communicate with you about your account; to prevent fraud and abuse; to conduct internal analytics; and to pursue our direct marketing where permitted by law. Where we rely on legitimate interests, we have considered and balanced these against your rights and interests.
Consent: for non-essential cookies, certain direct marketing, and any processing that requires consent under applicable law. You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Compliance with legal obligations: to meet our obligations under tax, accounting, and other applicable laws.

For Customer Personal Data, the Customer is responsible for identifying and maintaining the lawful basis under Article 6 GDPR (and Article 9, where applicable) for our processing on its behalf.

7. AI features and third-party AI processing

Certain Platform features use third-party artificial intelligence services to generate insights or summaries from Customer data. The current AI feature is AI Insights, which uses OpenAI, LLC as a subprocessor.

The following applies to AI features:

AI features are opt-in and operate only when a Customer explicitly enables them.
Data is sent to the third-party AI provider only at the moment a Customer uses an AI-enabled feature and is limited to the data in the report being processed.
We use AI providers that contractually commit not to use API data for training their models or improving their services. OpenAI’s API processing terms reflect this commitment.
SegMetrics does not use Customer Personal Data, Site visitor data, or Account Holder data to train SegMetrics’ own AI or machine-learning models.

AI outputs may contain errors. Customers and Account Holders should evaluate AI-generated outputs before relying on them.

We share Personal Information only as follows.

Subprocessors. We engage subprocessors to provide infrastructure, application services, and operational support. The current list — including each subprocessor’s function, location, and certifications — is published at segmetrics.io/subprocessors/ and incorporated by reference into our DPA. We impose data-protection obligations on each subprocessor consistent with applicable law and remain responsible to our Customers for their performance.

Service providers and business partners. We share Personal Information with service providers that perform services on our behalf and that are contractually limited to using Personal Information only for the services we direct. Examples include payment processing (Stripe), transactional email (Mailgun), marketing automation directed at Account Holders (ActiveCampaign), error monitoring (Sentry), and customer support (Help Scout).

Legal disclosures. We may disclose Personal Information when required by law, in response to a lawful request from a public authority, or where necessary to protect our rights, safety, property, or the rights, safety, or property of others. Where we are legally permitted to do so, we will notify affected Customers before disclosing Customer Personal Data.

Business transfers. If SegMetrics is involved in a merger, acquisition, financing, or sale of assets, Personal Information may be transferred to the counterparty subject to confidentiality obligations and to this Privacy Policy (or a successor policy that provides equivalent protections). We will notify affected individuals if their Personal Information becomes subject to a materially different privacy policy as a result.

With your consent or at your direction. We share Personal Information in any other case only with your consent or at your direction.

We do not sell Personal Information. We do not share Customer Personal Data for cross-context behavioral advertising. The narrow application of California’s “sharing” definition to our Sites is described in Section 9.

9. International data transfers

SegMetrics is based in the United States, and our Platform infrastructure is operated in the United States by our subprocessors. When you use the Sites or the Platform from outside the United States, your Personal Information will be transferred to, stored in, and processed in the United States and other countries where our subprocessors operate.

When Personal Information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognised by the relevant authority as providing adequate protection, we rely on the following transfer mechanisms:

For transfers from the EEA, the EU Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914.
For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs, or the UK International Data Transfer Agreement (IDTA) where elected.
For transfers from Switzerland, the EU SCCs with the Swiss-specific amendments published by the Swiss Federal Data Protection and Information Commissioner.

The transfer mechanisms applicable to Customer Personal Data are set out in Annexes I and II of our DPA. To request a copy of the relevant transfer mechanism for Personal Information we process about you in our controller role, contact us at privacy@segmetrics.io.

10. Data retention and deletion

We retain Personal Information only for as long as necessary for the purposes described in this Privacy Policy, or as required by applicable law.

Site visitor information collected through cookies and analytics is retained for the lifetime of the relevant cookie (up to a maximum of 24 months) or as configured in the relevant analytics service. Anonymised or aggregated data may be retained for longer.
Inquiry and form-fill information submitted through the Sites is retained for as long as needed to respond to your inquiry and, where applicable, for the duration of the subsequent customer relationship, plus a reasonable period afterward for legal and record-keeping purposes.
Account Holder information is retained for the duration of the SegMetrics account and for a reasonable period afterward for legal, tax, security, and accounting purposes.
Customer Personal Data is retained in accordance with Section 14 of the DPA. In summary: Customer Personal Data is retained for the duration of the Customer’s agreement; Customer-deleted records are removed from active systems within 14 days; following termination, data remains in active systems for a 14-day grace period and is then deleted, with encrypted daily backups expiring on a rolling 30-day schedule.
Encrypted backups of Platform data expire on a rolling 30-day schedule. Encrypted backups are not selectively editable; data cannot be removed from individual backups before their scheduled expiration.

You can request deletion of Personal Information we hold about you in our controller role by contacting privacy@segmetrics.io. We will honor your request to the extent required by applicable law, subject to legal exceptions (for example, where retention is required for legal, tax, accounting, security, or fraud-prevention reasons).

For Customer Personal Data (information about you that a Customer transmits through the Platform), deletion requests must be directed to the Customer that controls the data.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect Personal Information against unauthorised access, use, alteration, and destruction. Our technical and organisational measures, current security attestations, and the process for requesting documentation under NDA are described in our Security Policy at segmetrics.io/security/ and, for Customer Personal Data, in Annex IV of the DPA.

No method of transmission or storage is completely secure. While we work to protect your Personal Information, we cannot guarantee absolute security.

12. Data breach notification

If we become aware of a personal data breach affecting your Personal Information, we will notify you and any relevant authorities in accordance with applicable law and without undue delay.

For Customer Personal Data, our breach notification commitments to the Customer are set out in Section 13 of the DPA.

13. Your rights

Depending on where you live and the role we play in relation to your Personal Information, you may have the following rights:

Access: to obtain confirmation of whether we process your Personal Information and a copy of that information.
Correction: to have inaccurate Personal Information corrected.
Deletion: to have your Personal Information deleted, subject to applicable exceptions.
Portability: to receive your Personal Information in a structured, commonly used, machine-readable format.
Restriction or objection: to restrict or object to certain processing, including processing based on legitimate interests and processing for direct marketing.
Withdraw consent: where processing is based on consent, you can withdraw that consent at any time, without affecting prior processing.
Lodge a complaint: with a supervisory authority in your jurisdiction.
Non-discrimination: we will not discriminate against you for exercising any of these rights.

To exercise a right, contact privacy@segmetrics.io. We will verify your request by reference to information already in our possession before responding. If you make a request through an authorized agent, we will require proof of authorization. We will respond within the timeframes required by applicable law.

If you are an end user, lead, contact, or customer of a SegMetrics Customer (and your Personal Information is in the Platform because of that Customer’s use of our Services), you must direct your request to that Customer. The Customer is the controller of that information.

14. EU, UK, and Swiss residents

If you are in the EEA, the UK, or Switzerland, the rights in Section 13 are guaranteed by the EU GDPR, the UK GDPR, or the Swiss FADP, as applicable. You also have the right to lodge a complaint with a supervisory authority:

in the EEA, the supervisory authority of the Member State where you live, work, or where the alleged infringement took place;
in the UK, the Information Commissioner’s Office (ico.org.uk); or
in Switzerland, the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

We encourage you to contact us first so we can try to resolve the issue.

15. United States state privacy rights

Several U.S. states have enacted comprehensive privacy laws that provide residents of those states with specific rights. This section explains how those rights apply to Personal Information we process about you in our controller role. For Personal Information we process about you in our processor role (Customer Personal Data), direct your requests to the relevant Customer.

15.1 States covered

The rights described in this section are provided to residents of states with comprehensive privacy laws in effect at the date of this Privacy Policy, including:

California (California Consumer Privacy Act, as amended by the California Privacy Rights Act — “CCPA/CPRA”);
Virginia (Virginia Consumer Data Protection Act — “VCDPA”);
Colorado (Colorado Privacy Act — “CPA”);
Connecticut (Connecticut Data Privacy Act — “CTDPA”);
Utah (Utah Consumer Privacy Act — “UCPA”);
Texas (Texas Data Privacy and Security Act — “TDPSA”);
Oregon (Oregon Consumer Privacy Act); and
Montana (Montana Consumer Data Privacy Act).

We extend these rights to residents of other U.S. states that enact comparable laws as those laws come into force.

15.2 Your rights

Subject to applicable exceptions and verification, you have the following rights:

the right to know or access what Personal Information we have collected, used, disclosed, and (where applicable) sold or shared about you;
the right to correct inaccurate Personal Information we hold about you;
the right to delete Personal Information we hold about you;
the right to data portability — to obtain a copy of your Personal Information in a portable format;
the right to opt out of “sale” or “sharing” of Personal Information and to opt out of processing for purposes of targeted advertising and certain profiling;
the right to limit the use and disclosure of Sensitive Personal Information (California);
the right to non-discrimination for exercising any of these rights; and
in states that provide it, the right to appeal a decision we make about your request.

15.3 How to submit a request

Submit a request by emailing privacy@segmetrics.io. To opt out of “sale” or “sharing,” you can also enable the Global Privacy Control (GPC) in your browser; we honor GPC signals as a valid opt-out under California law. We will respond within the timeframes required by the law of your state.

We will verify your identity using information already in our possession before responding to access, correction, or deletion requests. If you submit a request through an authorized agent, we will require proof that the agent is authorized to act on your behalf.

If we deny your request, you may appeal by replying to our denial. We will respond to appeals within the timeframe required by applicable law and, where required, explain how to contact the relevant attorney general or supervisory authority.

15.4 California-specific disclosures

The following disclosures supplement the information above and apply specifically to California residents.

Categories of Personal Information collected in the last 12 months. In our controller role we have collected the following CCPA categories of Personal Information: identifiers (Category A); information described in California Customer Records (Category B); commercial information (Category D); internet or other electronic network activity information (Category F); and inferences drawn to create a profile about a consumer’s preferences (Category K, limited to inferences derived from the use of our Sites and Platform). We have not collected Sensitive Personal Information as that term is defined in the CCPA, beyond account credentials used to access the Platform.

Sources. Directly from you, automatically through your use of the Sites and Platform, from our service providers, and from integration partners you authorize.

Business and commercial purposes for use. The purposes described in Section 3 of this Privacy Policy.

Categories of recipients. Service providers and subprocessors performing services on our behalf (as described in Section 8); advertising partners (in the narrow context described below); legal and regulatory authorities where required; and parties involved in a business transfer.

Sale of Personal Information. We have not sold Personal Information for monetary consideration in the preceding 12 months and do not do so.

Sharing of Personal Information for cross-context behavioral advertising. In the preceding 12 months, our use of the Meta Pixel and similar advertising cookies on our Sites involved “sharing” of Personal Information as defined by the CPRA — specifically, disclosure of cookie identifiers, IP address, and pages visited to advertising partners (including Meta) for purposes of measuring and optimizing our marketing campaigns and reaching similar audiences. We do not share Customer Personal Data (data processed in the Platform on behalf of a Customer) for any advertising purpose.

To opt out of “sharing,” use the opt-out mechanisms described in Section 5.2, enable the Global Privacy Control in your browser, or email privacy@segmetrics.io.

Sensitive Personal Information. We do not use or disclose Sensitive Personal Information for purposes that would trigger your right to limit such use under CPRA. To the extent we collect account credentials, we use them only to authenticate your access to the Platform.

Retention. The categories of Personal Information we collect are retained for the periods described in Section 10.

Minors. We do not knowingly sell or share the Personal Information of consumers under 16 years of age.

Shine the Light. California Civil Code Section 1798.83 permits California residents to request information about disclosures of Personal Information to third parties for direct-marketing purposes. We do not share Personal Information with third parties for their own direct-marketing purposes.

16. Children’s privacy

Our Services are not directed to children. The Platform is sold to businesses for use by their employees, and the Sites are intended for an adult professional audience. We do not knowingly collect Personal Information from children under the age of 16 in our controller role.

If you believe we have collected Personal Information from a child under 16 without appropriate consent, contact privacy@segmetrics.io and we will take reasonable steps to delete the information.

If Customer Personal Data transmitted through the Platform relates to children, the Customer is responsible for any required parental consent and for compliance with COPPA and other applicable laws.

17. HIPAA

The Platform is not currently configured to receive, store, or process Protected Health Information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). SegMetrics is not currently operating as a HIPAA Business Associate and does not have any active Business Associate Agreements (“BAAs”) in place.

If your intended use of the Platform involves PHI, contact us before transmitting any such information. We are willing to consider entering into a BAA on a case-by-case basis where appropriate; however, no Customer may transmit PHI through the Platform without a BAA executed in advance with SegMetrics.

18. Marketing communications and opt-out

If you have opted in to marketing communications, or have provided your business contact information in connection with a sales or product inquiry, we may send you marketing emails about SegMetrics, our Services, and related content. You can opt out at any time by clicking the unsubscribe link in any such email or by emailing privacy@segmetrics.io. Opting out of marketing emails does not opt you out of transactional communications about your account.

19. Third-party sites and integrations

The Sites and Platform may contain links to third-party websites and may integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy practices of any third party before providing them with Personal Information or authorizing them to access data through our integrations.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The “Updated” date at the top reflects the most recent revision. Where a change is material, we will provide additional notice — for example, by email to Account Holders or by posting a prominent notice on the Sites — before the change takes effect. Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

21. Governing law

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-law principles, except where applicable mandatory law (including the data-protection law of the jurisdiction in which you reside) provides otherwise.

22. Contact us

For questions about this Privacy Policy, to exercise your rights, or to request a copy of a transfer mechanism or other document referenced here, contact:

SegMetrics, Inc.
Attention: Privacy Team
Email: privacy@segmetrics.io

For matters arising under our DPA, contact privacy@segmetrics.io and reference your account.

SegMetrics’ Privacy Policy