Privacy Policy
Last updated: March 17, 2026
1. Introduction
GTMStack, Inc. ("GTMStack," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:
- Visit our website at https://gtmstack.app (the "Website")
- Use our cloud-hosted GTM Operations SaaS platform (the "Platform")
- Deploy and use our self-hosted version of the Platform
- Interact with us through forms, emails, support channels, or other communications
This policy applies to all website visitors, prospective customers, and paying customers regardless of location. It describes your privacy rights under the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.
By accessing or using our Website or Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Information We Collect
We collect information through several channels. The categories of personal data we collect include:
2.1 Account Information
When you create an account or request a demo, we collect:
- Full name and job title
- Work email address
- Company name, size, and industry
- Phone number (if provided)
- Billing and payment information (processed by our payment processor; we do not store full payment card details)
- Account credentials (passwords are stored using one-way hashing)
2.2 Usage Data
When you use the Platform, we automatically collect:
- Features accessed, workflows created, and actions performed
- Frequency and duration of Platform usage sessions
- Configuration settings and preferences
- Error logs, crash reports, and performance metrics
- Subscription tier and feature entitlements
2.3 Communication Data
When you interact with us, we collect:
- Support tickets, chat messages, and email correspondence
- Feedback, survey responses, and feature requests
- Form submissions on our Website (including contact, demo request, and newsletter sign-up forms)
- Records of your communication preferences and opt-in/opt-out choices
2.4 Technical Data
We automatically collect certain technical information when you visit our Website or use the Platform:
- IP address (anonymized for analytics where possible)
- Browser type and version
- Operating system and device type
- Screen resolution and viewport size
- Referring URL and exit pages
- Date, time, and duration of visits
- Language and locale settings
2.5 Integration Data
When you connect third-party services to the Platform, we may receive:
- CRM data (e.g., contacts, deals, pipeline information from Salesforce, HubSpot, etc.)
- Marketing automation data (e.g., campaign performance, email engagement metrics)
- Communication platform data (e.g., Slack workspace information, channel data)
- Authentication tokens and API credentials necessary to maintain integrations
We access only the data necessary to provide the integration functionality you have configured. You can revoke integration access at any time through the Platform settings.
2.6 Analytics Data
We collect analytics data to understand how visitors interact with our Website and how users engage with our Platform:
- Page views, scroll depth, and click patterns on the Website
- Navigation paths and conversion funnel data
- Product usage patterns, feature adoption, and engagement metrics within the Platform
- A/B test participation and variant assignment data
- Session recordings and heatmap data (with personally identifiable information masked)
3. Analytics Tools We Use
We use the following analytics services to understand usage patterns and improve our Website and Platform:
3.1 Google Analytics (GA4)
We use Google Analytics 4 (measurement ID: G-L9GPW2K9LL), a web analytics service provided by Google LLC. GA4 uses cookies and similar technologies to collect and analyze information about Website usage. Specifically:
- GA4 collects data such as page views, session duration, traffic sources, geographic location (country/city level), device and browser information, and user interactions with Website elements.
- GA4 uses an event-based data model rather than session-based tracking, which means individual interactions are captured as discrete events.
- IP anonymization is enabled by default in GA4. Google does not log or store full IP addresses.
- We have configured GA4 data retention to 14 months. After this period, user-level and event-level data is automatically deleted.
- We have disabled Google Signals and data sharing with Google for advertising purposes.
- Google may transfer data to servers in the United States. Google LLC is certified under the EU-US Data Privacy Framework.
For more information, see Google's Privacy Policy. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
3.2 Ahrefs Analytics
We use Ahrefs Analytics, a web analytics service provided by Ahrefs Pte. Ltd. Ahrefs Analytics helps us understand how visitors find and interact with our Website. Specifically:
- Ahrefs Analytics collects data such as page views, traffic sources, referral URLs, and user interactions with Website elements.
- Ahrefs Analytics does not use cookies for tracking purposes.
- Ahrefs Analytics is loaded only after you have accepted analytics cookies via our cookie consent banner.
For more information, see Ahrefs' Privacy Policy.
3.3 PostHog (Product Analytics)
We use PostHog for product analytics to understand how users interact with the Platform. PostHog helps us:
- Track product usage events, feature adoption, and user flows within the Platform.
- Generate session replays with personally identifiable information automatically masked.
- Run feature flags and A/B tests to evaluate new functionality.
- Build funnels and retention analyses to improve the user experience.
PostHog data is hosted in the EU (Frankfurt, Germany) on PostHog Cloud EU. We have configured PostHog to respect Do Not Track (DNT) browser settings. PostHog does not sell or share your data with third parties for their own purposes.
4. Cookies and Tracking Technologies
Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies (such as local storage and pixel tags) for the purposes described below.
4.1 Essential Cookies
These cookies are strictly necessary for the Website and Platform to function. They cannot be disabled. They include:
- Session cookies that maintain your authenticated state
- Security cookies that help prevent cross-site request forgery (CSRF)
- Cookie consent preference cookies that remember your cookie choices
- Load-balancing cookies that ensure consistent service delivery
4.2 Analytics Cookies
These cookies help us understand how visitors interact with our Website. They are only placed after you provide consent via our cookie banner.
- Google Analytics cookies (_ga, _ga_*): Used to distinguish unique users and sessions. These cookies expire after 2 years (_ga) and 24 hours (_ga_*), respectively.
- PostHog cookies (ph_*): Used to track product usage events and maintain session identity. These cookies are set only for authenticated Platform users.
4.3 Cookie Consent
When you first visit our Website, you are presented with a cookie consent banner that allows you to accept or reject non-essential cookies. Essential cookies are always active as they are required for basic Website functionality. You can change your cookie preferences at any time by clicking the "Cookie Settings" link in our Website footer. If you reject analytics cookies, no Google Analytics or PostHog tracking scripts will be loaded, and no analytics cookies will be placed on your device. You can also manage cookies through your browser settings, though this may affect Website functionality.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide, operate, maintain, and improve the Platform and its features, including processing your workflows, managing integrations, and delivering the functionality you expect.
- Account management: To create and manage your account, process billing and payments, and administer your subscription.
- Communications: To send you technical notices, security alerts, product updates, billing reminders, and support messages. We also send marketing communications where you have opted in, with an unsubscribe option in every message.
- Customer support: To respond to your requests, troubleshoot issues, and provide technical assistance.
- Analytics and improvement: To understand usage trends, measure feature adoption, conduct A/B tests, and improve the user experience of both the Website and Platform.
- Security and fraud prevention: To detect, investigate, and prevent unauthorized access, security incidents, fraud, and other malicious activity.
- Legal compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
- Business operations: To support internal business operations including auditing, data analysis, research, and troubleshooting.
6. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the GDPR:
6.1 Consent (Article 6(1)(a) GDPR)
We rely on your consent for placing non-essential cookies (analytics cookies from Google Analytics and PostHog), sending marketing emails and newsletters, and processing data collected through optional forms. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
6.2 Performance of a Contract (Article 6(1)(b) GDPR)
We process your data as necessary to perform our contractual obligations to you, including providing access to the Platform, managing your account and subscription, processing payments, delivering customer support, and maintaining integrations you have configured.
6.3 Legitimate Interest (Article 6(1)(f) GDPR)
We process certain data based on our legitimate interests, provided these interests are not overridden by your data protection rights. Our legitimate interests include:
- Improving and optimizing our Website and Platform based on aggregated usage patterns
- Ensuring the security and integrity of our services
- Detecting and preventing fraud and abuse
- Conducting internal analytics and business intelligence
- Communicating with you about product changes that affect your use of the Platform
6.4 Legal Obligation (Article 6(1)(c) GDPR)
We may process your data where necessary to comply with a legal obligation, such as tax and accounting requirements, responding to lawful government requests, or retaining records as required by applicable law.
7. Data Sharing and Subprocessors
We do not sell your personal data. We share your data only in the following circumstances:
7.1 Subprocessors
We engage trusted third-party service providers (subprocessors) to assist in delivering our services. Each subprocessor is bound by a Data Processing Agreement (DPA) that requires them to protect your data in accordance with this Privacy Policy and applicable law. Our key categories of subprocessors include:
- Cloud hosting and infrastructure: Amazon Web Services (AWS) for Platform hosting, data storage, and compute services (EU region: eu-central-1, Frankfurt)
- Analytics: Google Analytics (GA4) for website analytics; PostHog for product analytics (EU-hosted)
- Email delivery: For transactional emails (account verification, password resets, billing notifications) and marketing communications where you have opted in
- Payment processing: For securely processing subscription payments and managing billing
- Customer support tools: For managing support tickets and customer communications
- Form processing: HubSpot for processing data submitted through Website forms (see Section 12)
A complete and current list of our subprocessors is available upon request by contacting [email protected].
7.2 Other Disclosures
We may also disclose your personal data:
- To comply with applicable laws, regulations, or legal processes (e.g., subpoenas, court orders)
- To protect the rights, property, or safety of GTMStack, our users, or the public
- In connection with a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy
- With your explicit consent for any other purpose
8. International Data Transfers
GTMStack, Inc. is based in the United States. If you are accessing our Website or Platform from outside the United States, your personal data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following safeguards:
- EU-US Data Privacy Framework (DPF): Where applicable, we rely on our subprocessors' certifications under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework. GTMStack is committed to applying for certification under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we use the European Commission's Standard Contractual Clauses (2021/914) as the legal mechanism for data transfers. These are incorporated into our Data Processing Agreements with subprocessors.
- Supplementary measures: We implement additional technical and organizational measures, including encryption in transit and at rest, access controls, and regular security assessments, to ensure an adequate level of data protection.
Our primary cloud infrastructure is hosted in the EU (AWS eu-central-1, Frankfurt, Germany) to minimize cross-border data transfers for our European customers.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Account data: Retained for the duration of your active account plus 30 days after account deletion to allow for recovery. After this period, account data is permanently deleted.
- Platform usage data: Retained for 24 months from the date of collection, then aggregated and anonymized for statistical purposes.
- Website analytics data: Google Analytics data is retained for 14 months. PostHog data is retained for 12 months.
- Communication and support data: Retained for 3 years from the date of the last interaction to support ongoing customer relationships and legal compliance.
- Billing and transaction records: Retained for 7 years to comply with tax, accounting, and regulatory obligations.
- Cookie data: Essential cookies expire at the end of your browser session or after 12 months. Analytics cookies expire as described in Section 4.2.
- Marketing consent records: Retained for as long as the consent is active, plus 5 years after withdrawal to demonstrate compliance.
When data is no longer needed, it is securely deleted or irreversibly anonymized. You may request earlier deletion of your data by exercising your rights as described in Sections 10 and 11 below, subject to our legal retention obligations.
10. Your Rights Under the GDPR (EU/EEA Residents)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR and equivalent local legislation:
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how it is processed. We will provide this within 30 days of your verified request.
- Right to rectification (Article 16): You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
- Right to erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent, or there is no overriding legal basis for continued processing. Certain data may be retained where required by law.
- Right to restriction of processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest data accuracy or object to processing.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller without hindrance.
- Right to object (Article 21): You have the right to object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes.
- Rights related to automated decision-making (Article 22): We do not currently use your personal data for solely automated decision-making that produces legal effects or similarly significantly affects you. If this changes, we will update this policy and provide you with the right to obtain human intervention, express your point of view, and contest the decision.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time by contacting us or using the relevant opt-out mechanism (e.g., cookie settings, email unsubscribe links).
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. If we need additional time (up to 60 additional days), we will inform you of the extension and the reasons for the delay. You also have the right to lodge a complaint with your local data protection supervisory authority.
11. Your Rights Under the CCPA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:
- Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information. You may make this request up to twice in a 12-month period.
- Right to delete: You have the right to request the deletion of your personal information that we have collected. We will comply with your request, subject to certain exceptions permitted by law (such as data needed for legal compliance or to complete a transaction).
- Right to correct: You have the right to request that we correct any inaccurate personal information we maintain about you.
- Right to opt-out of sale or sharing: We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising. If our practices change in the future, we will update this policy and provide a "Do Not Sell or Share My Personal Information" link on our Website.
- Right to limit use of sensitive personal information: We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied service for exercising your privacy rights.
To exercise your CCPA rights, please contact us at [email protected]. We will verify your identity before processing your request, which may require you to provide additional information. We will respond to your request within 45 days. If we need additional time, we will inform you in writing.
Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address), commercial information (subscription and billing records), internet or electronic network activity (usage data, browsing history on our Website), geolocation data (country/city level from IP), and professional or employment-related information (job title, company name). We have not sold any personal information in the preceding 12 months.
12. HubSpot Forms
Certain forms on our Website, including contact forms, demo request forms, and newsletter sign-up forms, are powered by HubSpot, Inc. When you submit information through these forms:
- Your form submission data (such as name, email address, company name, and any message content) is transmitted to and processed by HubSpot's CRM platform.
- HubSpot may set cookies on your device to track your interactions with our Website for the purpose of associating your form submissions with your browsing activity. These cookies are only set if you have accepted analytics cookies via our cookie consent banner.
- HubSpot processes your data as our subprocessor under a Data Processing Agreement that requires compliance with GDPR and other applicable data protection laws.
- HubSpot stores data primarily in the United States and is certified under the EU-US Data Privacy Framework.
For more information about HubSpot's data practices, see HubSpot's Privacy Policy.
13. Self-Hosted Deployments
GTMStack is available as a self-hosted deployment option. When you deploy the Platform on your own infrastructure:
- Your data stays on your infrastructure. All Platform data, including CRM integrations, workflows, analytics, and user activity, is stored and processed entirely within your own environment. GTMStack does not have access to this data.
- No Platform usage data or customer data is transmitted to GTMStack servers from self-hosted deployments unless you explicitly opt in to anonymous usage analytics.
- The only data GTMStack collects from self-hosted customers is account and billing information necessary to manage your subscription, provide license keys, and deliver software updates.
- You are the data controller for all personal data processed within your self-hosted deployment. You are responsible for implementing appropriate data protection measures in accordance with applicable laws.
- Support requests may require you to share diagnostic information (logs, configuration details) with us. This is always at your discretion, and we will advise you on how to redact sensitive data before sharing.
14. Children's Privacy
Our Website and Platform are not directed to individuals under the age of 16, and we do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as promptly as possible. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at [email protected] so we can take appropriate action.
15. Security Measures
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- Access controls: Role-based access controls (RBAC) limit employee access to personal data on a need-to-know basis. Multi-factor authentication is required for all internal systems.
- Infrastructure security: Our cloud infrastructure is hosted on AWS with network segmentation, firewall rules, intrusion detection, and continuous monitoring.
- Security audits: We conduct regular security assessments, vulnerability scans, and penetration tests. Critical findings are remediated promptly.
- Incident response: We maintain a documented incident response plan. In the event of a data breach, we will notify affected individuals and relevant supervisory authorities within the timeframes required by applicable law (72 hours under the GDPR).
- Employee training: All employees with access to personal data receive regular data protection and security awareness training.
- Vendor assessment: All subprocessors undergo security and privacy assessments before engagement and on a periodic basis thereafter.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the revised policy on this page with an updated "Last updated" date. For significant changes that affect how we process your personal data, we will provide additional notice through email or a prominent notification on our Website at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically. Your continued use of our Website or Platform after changes are posted constitutes your acceptance of the updated policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Data Protection Officer (DPO): [email protected]
- Mailing address: GTMStack, Inc., Attn: Privacy Team
We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, you can find your supervisory authority at https://edpb.europa.eu.