1. Introduction
phoerbox is a server-side tracking and conversion attribution platform. We help merchants forward checkout events from their e-commerce platform (such as Hotmart, Shopify, or any provider that supports outbound webhooks) to advertising platforms like Meta (Facebook/Instagram Ads), Google Ads, and others through their official server-side APIs (such as Meta Conversions API).
This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over your data. We aim to be exhaustively transparent. If anything here is unclear, email phoerboxemergency@gmail.com.
This policy covers two distinct kinds of users:
- Account holders — people who sign up to phoerbox to configure tracking for their own business.
- End consumers — people who interact with merchants' checkouts (buyers). phoerbox processes their data only as a data processor on behalf of the merchant; the merchant is the data controller.
2. Who we are
phoerbox is operated as an independent product in early-access stage. Formal legal entity details (company name, registration number, registered address) will be disclosed in this policy as soon as the operating entity is incorporated. Until then, contact and accountability flow through phoerboxemergency@gmail.com.
We operate from Brazil and store all data in Google Cloud's southamerica-east1 region (São Paulo).
3. Data we collect
3.1 Account data
When you sign up to phoerbox we collect:
- Your email address and name (via WorkOS authentication).
- A unique user identifier generated by our authentication provider (WorkOS).
- Timestamps of when you sign in and from which IP address.
3.2 Workspace and container configuration
- Names you give to your organizations, workspaces, and containers inside phoerbox.
- Custom domains you verify for first-party tracking (e.g., track.yourstore.com).
- Webhook tokens (random secrets, stored both as a one-way HMAC hash and as an encrypted ciphertext using AES-256-GCM via Google Cloud KMS).
3.3 Webhook event data (conversion events)
When your checkout provider sends an event to your phoerbox webhook URL, we receive and store the raw event payload. This payload may include personal data about your end customers, such as:
- Email address, phone number, full name
- Billing and shipping address
- Purchased products, amounts, currency
- Order IDs, transaction timestamps
- IP address and user agent of the buyer
We process this data solely to forward it to the advertising platforms you configure (e.g., Meta Conversions API). For Meta CAPI specifically, fields like email and phone number are hashed with SHA-256 before transmission, as required by Meta's specification.
We retain the raw webhook payload for 120 days for debugging and audit purposes, after which it is automatically deleted. Postgres metadata is partitioned by day and dropped on the same schedule.
3.4 Meta integration data
When you connect a Facebook account to a container in phoerbox, the following data is stored:
- Your Facebook user ID, name, and email (only what Meta returns in the /me endpoint with the granted scopes).
- A long-lived User Access Token issued by Meta, encrypted at rest using AES-256-GCM via Google Cloud KMS. The token is never logged, never returned to the browser, and only ever decrypted in-memory by our backend service when needed to call Meta's API on your behalf.
- The OAuth scopes you granted (see Section 5 for the full list).
- The list of Meta Ad Account IDs and Pixel/Dataset ID you select inside phoerbox to associate with each container.
- Token expiration and refresh timestamps (we automatically refresh tokens via Meta's fb_exchange_token endpoint a week before expiry).
3.5 Technical and audit data
- IP address and user agent recorded when you authenticate, view a webhook token, rotate a token, connect or disconnect a Meta account, or update your selection. This is kept in an append-only audit log inside our database.
- Application logs (timestamps, request paths, status codes, internal identifiers) emitted by our backend services for operational monitoring. These logs do not contain webhook payloads or tokens.
4. How we collect data
- Directly from you when you sign up, configure workspaces and containers, verify a domain, or connect Meta.
- Automatically when your checkout provider sends events to your phoerbox webhook URL.
- From Meta when you authorize the connection (Meta returns your profile and an access token).
We do not use cookies, pixels, fingerprinting, or any tracking on this website beyond what is strictly necessary to keep you logged in.
5. Meta integration — full disclosure
Because the Meta integration is a sensitive piece of our product, we provide additional detail here.
5.1 Permissions we request and why
- email — to display your Facebook account email in phoerbox so you can confirm which account is connected. Never used for marketing.
- public_profile — to display your Facebook name in phoerbox so you can confirm which account is connected.
- ads_management — required by Meta to send conversion events to a Pixel/Dataset via the Conversions API. We do not create, edit, pause, or delete your ad campaigns, ad sets, ads, or budgets. We only send conversion events.
- ads_read — to list the Ad Accounts your authenticated user has access to, so you can select which ones belong to a specific container in phoerbox.
- business_management — to list Pixels and Datasets available within the Business Managers you administer, so you can select which one receives conversion events for each container.
5.2 What we do with the access token
- The access token is encrypted with AES-256-GCM using a key managed by Google Cloud KMS (envelope encryption — the key never leaves Google's HSM). The encrypted ciphertext is what we store in our PostgreSQL database.
- The token is decrypted in-memory by our backend service only when needed to call Meta's Graph API on your behalf, then discarded.
- The token is never exposed to your browser, never included in URLs, never logged, and never shared with third parties.
- We refresh the token automatically using Meta's fb_exchange_token mechanism before expiration to maintain the connection without requiring you to re-authenticate.
5.3 How you can revoke the connection
You can revoke the connection at any time, in two ways:
- Inside phoerbox: open your container → Connections card → click "Desconectar". We soft-delete the connection immediately; the encrypted token becomes unreachable to our backend.
- Inside Facebook: go to Settings & Privacy → Settings → Apps and Websites → find "phoerbox" → Remove. Meta will revoke the token and our subsequent calls will fail (we then mark the connection as needing reconnection).
6. How we use your data
- To provide and operate the phoerbox service.
- To forward conversion events from your checkout provider to the advertising platforms you configured.
- To authenticate you and authorize your access.
- To debug operational issues (using non-personal logs).
- To send you transactional emails related to your account.
We do not use your data, your customers' data, your Meta tokens, or your conversion events for any other purpose — including (and especially) selling to third parties, advertising, building lookalike audiences for our own marketing, or training machine learning models.
7. Who we share data with
We share data only with:
- Google Cloud Platform — our infrastructure provider. All compute, storage, encryption, and database services run on GCP in the southamerica-east1 region. GCP processes data on our behalf under their Data Processing Addendum.
- WorkOS — our authentication provider. WorkOS handles your sign-in (email, name, session). WorkOS processes data on our behalf under their Data Processing Addendum.
- Meta (Facebook) — when you connect a Meta account and enable conversion forwarding, we transmit conversion events (with hashed PII fields as required by Meta) to graph.facebook.com via the Conversions API.
- Other advertising platforms you explicitly connect (currently planned: Google Ads, GA4 — not yet implemented). These would behave identically to Meta: only triggered when you enable the connection.
We do not sell, rent, lease, trade, or otherwise transfer your data to anyone else.
8. Where data is stored
All data is stored in Google Cloud Platform — São Paulo region (southamerica-east1). Backups remain in the same region. We do not transfer data outside Brazil unless explicitly required to deliver data to an integration you configured (e.g., Meta's graph.facebook.com endpoint).
9. Retention
- Webhook event payloads: 120 days, then automatically deleted (database partitions are dropped and object storage objects are removed by lifecycle policy).
- Account data: kept while your account is active. When you request deletion, removed within 30 days.
- Meta tokens: kept while the connection is active. Immediately unreachable when you disconnect.
- Audit logs: kept for the lifetime of the workspace for forensic purposes. Erased upon full account deletion.
10. Your rights
Under Brazil's LGPD (Lei Geral de Proteção de Dados, Federal Law 13.709/2018) and equivalent regulations like the EU GDPR, you have the right to:
- Confirm whether we process your data.
- Access the data we hold about you.
- Correct incomplete, inaccurate, or outdated data.
- Request anonymization, blocking, or deletion of unnecessary or excessively collected data.
- Request portability of your data to another service provider.
- Delete personal data processed with your consent (subject to legal retention requirements).
- Be informed about public and private entities with which we share your data.
- Revoke consent.
To exercise any of these rights, email phoerboxemergency@gmail.com with the subject "Data Request". We respond within 15 days.
11. Children
phoerbox is a B2B product and not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it promptly.
12. Security
- All data in transit uses TLS 1.2+ (terminated at Google Cloud Load Balancer with Google-managed certificates).
- Database (PostgreSQL on Cloud SQL Enterprise Plus) has encryption at rest enabled by default and is reachable only via private Cloud SQL connectors — never exposed to the public internet.
- Sensitive tokens (webhook tokens, Meta access tokens) are additionally encrypted with AES-256-GCM via Google Cloud KMS before being stored.
- Backend services run on Cloud Run with isolated service accounts; each service has only the minimum IAM permissions it needs.
- We never store passwords (authentication is delegated to WorkOS).
We do not currently hold formal certifications such as SOC 2 or ISO 27001. As the product matures, we plan to pursue them.
13. Cookies
phoerbox uses one session cookie (phoerbox_session) to keep you signed in. It is HttpOnly, Secure, SameSite=Lax, and not used for advertising, analytics, or tracking. We do not embed third-party trackers in our application.
14. Changes to this policy
We will update this policy as the product evolves. Account holders will be notified of significant changes by email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the latest revision.
15. Contact
For privacy questions, data subject requests, or anything else covered by this policy, email phoerboxemergency@gmail.com.