Privacy Policy
Effective Date: January 14, 2026
Last Updated: January 14, 2026
Introduction
Mobana ("we," "us," or "our") operates a mobile app attribution and analytics service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy applies to:
- Customers ("you" or "Customer"): Businesses and individuals who create accounts to use our attribution services for their mobile applications.
- End Users: Individuals who interact with our Customers' mobile applications that use our Service.
By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
1. Definitions
- "Customer" means a business or individual who has registered for an account to use our Service.
- "Customer Data" means any data, content, or information provided by Customers through their use of the Service.
- "End User" means an individual who uses a Customer's mobile application that integrates with our Service.
- "End User Data" means information collected from or about End Users through our Service.
- "Personal Data" or "Personal Information" means any information that identifies, relates to, describes, or could reasonably be linked to an individual.
- "Service" means the Mobana platform, website, APIs, SDKs, and related services.
2. Information We Collect
2.1 Information from Customers
When you register for and use our Service, we collect:
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Email address, name, company name | Account creation and management |
| Authentication Data | Password (hashed), OAuth tokens | Account security |
| Billing Information | Payment card details (processed by Stripe), billing address | Payment processing |
| Usage Data | Features used, analytics viewed, session activity | Service improvement |
| Communication Data | Support requests, feedback | Customer support |
| Technical Data | IP address, browser type, device information | Security and troubleshooting |
2.2 Information from End Users
When End Users interact with a Customer's mobile application that uses our Service, we collect:
| Category | Storage | Retention | Purpose |
|---|---|---|---|
| IP Address | Temporary | 6 hours | Attribution matching |
| Device Timezone | Temporary | 6 hours | Attribution matching |
| Screen Dimensions | Temporary | 6 hours | Attribution matching |
| Device Language | Temporary | 6 hours | Attribution matching |
| User Agent String | Temporary | 6 hours | Platform detection |
| Country Code | Permanent | Until deletion | Aggregate analytics |
| Platform Type | Permanent | Until deletion | Analytics |
| UTM Parameters | Permanent | Until deletion | Attribution analytics |
| Referring Domain | Permanent | Until deletion | Attribution analytics |
| Install Identifier | Permanent | Until deletion | Conversion tracking |
Important Notes on End User Data
- • We do not collect device advertising identifiers (IDFA, GAID, or similar).
- • IP addresses are never stored permanently. They are used only for attribution matching and automatically deleted after 6 hours.
- • We do not perform cross-app tracking. Attribution is limited to linking an ad click to an install within the same Customer's application.
- • Country codes are derived from IP addresses at the time of collection using local GeoIP database. The original IP address is not retained.
- • Referring domain is stored as domain only (e.g., "facebook.com"). The full referrer URL path and query string are never stored.
2.3 Information Collected Automatically
When you visit our website or use our Service, we automatically collect:
- Log data (IP address, browser type, pages visited, time spent)
- Session information for authentication purposes
- Performance and error data
3. How We Use Information
3.1 Customer Information
We use Customer information to:
- Provide and maintain the Service, including account management and customer support
- Process payments and manage subscriptions
- Send service-related communications, such as updates, security alerts, and account notifications
- Improve and develop our Service based on usage patterns
- Ensure security and prevent fraud
- Comply with legal obligations
3.2 End User Information
We use End User information solely to:
- Perform attribution matching to link ad clicks to app installs
- Provide analytics to our Customers about their marketing campaigns
- Track conversions as configured by our Customers
- Generate aggregate statistics (e.g., installs by country, platform distribution)
We Do NOT
- • Sell End User data
- • Use End User data for our own advertising purposes
- • Build profiles of End Users across different Customers' applications
- • Share End User data with third parties for their own purposes
4. Legal Basis for Processing
We process Personal Data based on the following legal grounds:
| Legal Basis | When Applied |
|---|---|
| Contract Performance | Processing Customer data necessary to provide our Service |
| Legitimate Interests | Attribution matching, security, fraud prevention, service improvement |
| Legal Obligation | Compliance with applicable laws and regulations |
| Consent | Where required by law for specific processing activities |
For End User data, our Customers (as data controllers) establish the legal basis for collection. We act as a data processor on their behalf.
5. Information Sharing and Disclosure
5.1 Service Providers (Sub-processors)
We share information with trusted third-party service providers who assist us in operating our Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure hosting | All service data | EU (Germany) |
| Stripe, Inc. | Payment processing | Billing information | United States |
| Twilio Inc. (SendGrid) | Transactional email delivery | Email addresses, names | United States |
| Google LLC | OAuth authentication (optional) | Email, name (if used) | United States |
All service providers are bound by data processing agreements that require them to protect your data and use it only for the purposes specified.
5.2 Legal Requirements
We may disclose information when required by law, such as:
- To comply with a subpoena, court order, or other legal process
- To respond to a government request
- To protect the rights, property, or safety of Mobana, our Customers, or others
- To enforce our Terms of Service
5.3 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership.
5.4 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
6. Data Retention
6.1 Customer Data
We retain Customer account data for as long as your account is active. After account deletion:
- Account information is permanently deleted immediately
- Associated app data, click records, and conversion data are permanently deleted immediately
- Backups are purged within 30 days
6.2 End User Data
| Data Type | Retention Period |
|---|---|
| IP addresses and device signals | Automatically deleted after 6 hours |
| Attribution records (UTM, referrer domain, platform, country) | Retained until Customer deletes the account |
| Conversion events | Retained until Customer deletes the account |
6.3 Ephemeral Data Design
Our system is designed with privacy by default. All personally identifiable End User information (IP addresses, device characteristics) is:
- Stored only in temporary memory
- Automatically and irrevocably deleted after 6 hours
- Never written to permanent storage
7. Data Security
We implement appropriate technical and organizational measures to protect your data:
7.1 Technical Measures
- Encryption in transit: All data transmitted to and from our Service is encrypted using TLS 1.2 or higher
- Encryption at rest: Data stored in our databases is encrypted
- Password security: Customer passwords are hashed using industry-standard algorithms (scrypt)
- Access controls: Access to production systems is restricted and logged
- Network security: Firewalls, intrusion detection, and regular security audits
7.2 Organizational Measures
- Incident response procedures
- Regular security reviews
- Vendor security assessments
7.3 Breach Notification
In the event of a data breach affecting your Personal Data, we will:
- Notify affected Customers within 72 hours of becoming aware of the breach
- Provide information about the nature of the breach and affected data
- Describe the measures taken to address the breach
- Cooperate with any regulatory investigations
8. International Data Transfers
8.1 Data Location
Our primary data processing infrastructure is located in the European Union (Hetzner, Germany).
8.2 Transfers Outside the EU
For service providers located outside the EU (Stripe, SendGrid, Google), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Provider participation in recognized data protection frameworks
- Data Processing Agreements with each provider
8.3 Canadian Operations
Mobana is based in Canada. Canada has received an adequacy decision from the European Commission, recognizing that Canadian law provides adequate protection for personal data.
9. Your Rights and Choices
9.1 For Customers
You have the right to:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your Personal Data | Contact [email protected] |
| Rectification | Correct inaccurate data | Update in account settings or contact us |
| Erasure | Delete your account and data | Use the "Delete Account" feature in settings |
| Data Portability | Receive your data in a structured format | Contact [email protected] |
| Restriction | Limit how we process your data | Contact [email protected] |
| Objection | Object to processing based on legitimate interests | Contact [email protected] |
| Withdraw Consent | Withdraw previously given consent | Contact [email protected] |
9.2 For End Users
If you are an End User of a mobile application that uses our Service:
- Contact the app developer first. Our Customers (app developers) are the data controllers for your data. They can instruct us to delete your data.
- Automatic deletion. Your personally identifiable data (IP address, device signals) is automatically deleted within 6 hours.
- Limited permanent data. We do not store End User names, email addresses, or device advertising identifiers. The only permanent data is aggregate/anonymous (country codes, platform type, marketing campaign identifiers).
To exercise rights regarding any permanent data, please contact the app developer or reach out to us at [email protected] with the app name and approximate date of use.
10. Children's Privacy
Our Service is designed for business use and is not directed at children under the age of 13 (or 16 in some jurisdictions).
For Customers
- You must not use our Service in connection with applications directed at children under 13 without ensuring full compliance with the Children's Online Privacy Protection Act (COPPA) and similar laws.
- Our Terms of Service prohibit the use of our Service for applications targeting children without appropriate compliance measures.
Data Collection
- We do not knowingly collect Personal Data from children under 13.
- If we become aware that we have collected Personal Data from a child under 13 without verification of parental consent, we will take steps to delete that information.
If you believe we have inadvertently collected data from a child, please contact us at [email protected].
11. Third-Party Services
Our Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to:
- Third-party websites linked from our Service
- Customer mobile applications that use our SDK
- App stores (Apple App Store, Google Play Store)
- Payment processors (Stripe) for detailed payment processing
Please review the privacy policies of any third-party services you use.
13. California Privacy Rights (CCPA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):
13.1 Right to Know
You have the right to request disclosure of:
- Categories of Personal Information collected
- Sources of Personal Information
- Business purposes for collection
- Categories of third parties with whom we share Personal Information
- Specific pieces of Personal Information collected about you
13.2 Right to Delete
You have the right to request deletion of your Personal Information, subject to certain exceptions.
13.3 Right to Opt-Out of Sale
We do not sell Personal Information. Therefore, there is no need to opt out of sale.
13.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights.
13.5 Categories of Information Collected
In the preceding 12 months, we have collected the following categories of Personal Information:
| Category | Collected | Sold | Disclosed for Business Purpose |
|---|---|---|---|
| Identifiers (name, email, IP address) | Yes | No | Yes (service providers) |
| Commercial information (subscription data) | Yes | No | Yes (payment processor) |
| Internet activity (usage data) | Yes | No | No |
| Geolocation (country code) | Yes | No | No |
13.6 Exercising Your Rights
To exercise your CCPA rights, contact us at:
- Email: [email protected]
- Response time: Within 45 days of receiving a verifiable request
14. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
14.1 Data Controller and Processor Roles
- For Customer data: Mobana is the data controller.
- For End User data: Our Customers are the data controllers, and we are a data processor acting on their instructions.
14.2 Your Rights
You have the right to:
- Access your Personal Data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
14.3 Data Processing Agreement (Article 28)
When processing End User data on behalf of our Customers, we comply with GDPR Article 28 requirements. We:
- Process Personal Data only on documented instructions from the Customer
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Take all measures required pursuant to Article 32 (security of processing)
- Respect the conditions for engaging sub-processors
- Assist Customers in responding to data subject requests
- Assist Customers with their obligations under Articles 32-36 (security, breach notification, impact assessments)
- Delete or return all Personal Data at the end of the service relationship
- Make available all information necessary to demonstrate compliance
Enterprise customers requiring a formal Data Processing Agreement may contact [email protected].
14.4 Data Protection Officer
For GDPR-related inquiries, contact us at [email protected].
14.5 Supervisory Authority
If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority.
15. Canadian Privacy Rights (PIPEDA)
If you are a Canadian resident, your Personal Information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA):
15.1 Your Rights
You have the right to:
- Access your Personal Information held by us
- Challenge the accuracy of your information and have it corrected
- Know how your information is being used
- Withdraw consent to the collection, use, or disclosure of your information (subject to legal or contractual restrictions)
15.2 Accountability
Mobana is responsible for Personal Information under its control. Questions or concerns should be directed to:
15.3 Complaints
If you have a complaint about our privacy practices, you may also contact the Office of the Privacy Commissioner of Canada.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.
16.1 Notification of Changes
- Material changes: We will notify you by email and/or prominent notice on our Service at least 30 days before the changes take effect.
- Non-material changes: We will update the "Last Updated" date at the top of this policy.
16.2 Continued Use
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Mobana
Privacy Inquiries: [email protected]
General Support: [email protected]
Location:
Vancouver, BC, Canada
We aim to respond to all inquiries within 30 days.
Appendix A: Sub-processor List
The following is the current list of sub-processors used by Mobana:
| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure | Germany (EU) | All service data |
| Stripe, Inc. | Payment processing | United States | Billing data only |
| Twilio Inc. (SendGrid) | Email delivery | United States | Email addresses, names |
| Google LLC | Authentication (optional) | United States | Email, name (OAuth users only) |
| DB-IP | GeoIP database (local) | N/A - processed locally | IP to country mapping |
We will provide at least 30 days' notice before adding new sub-processors. Customers may object to new sub-processors by contacting [email protected].
Last updated: January 14, 2026