Join us at The Whalies • April 10th
Get Your Ticket

Triple Whale Trust Center

Learn about our privacy and security practices.
Access important and useful documents and resources.

Learn about our privacy and security practices. Access important and useful documents and resources.

Data Privacy

The privacy of your personal data is important to us. We have a number of practices and measures in place to ensure the privacy of your personal data.

Learn More

Reliability

Our customers depend on our products to drive revenue and insights for their business. To earn that trust, we place reliability and transparency front and center in the design and development of our products.

Learn More

Compliance

Triple Whale follows strict international standards and regulations in order to keep your data safe.

Learn More

Compliance Certifications, Standards,
and Regulations

Get the answers you need

Below are our most frequently asked questions about our privacy practices.

Is Triple Whale the Data Controller or the Data Processor?
Triple Whale acts as a data processor regarding the personal data that is processed through our platform on behalf of our customers, including those collected into the platform via APIs connected by our customers to their accounts at other third-party services (for example, where their online stores are stored and operated, or where they advertise). Triple Whale is also a data processor regarding the personal data collected using the Triple Whale Pixel on behalf of its customers. 

We process this data strictly on behalf of and under the instructions of our customers, in accordance with our Data Processing Addendum (DPA) and other commercial agreements with them.

Triple Whale is a data controller regarding personal data that we collect for our own purposes which includes personal data on our website visitors, contact details on our prospective and existing customers, and billing information of our customers and vendors. For more information on personal data which we process as the data controller please refer to our Privacy Notice.
What types of personal data does Triple Whale process?
At Triple Whale, we collect and store different types of personal data – personal data about our users/ customers/ website visitors and those who interact with our promotions and marketing, personal data of prospective and existing business customers, personal data of our customers’ users (i.e. credentialed users), personal data of employees and service providers, and personal data which we process strictly on behalf of and under the instructions of our customers - as part of our provision of our services and products. You can read more about how we process data in our Privacy Notice.
What personal data does Triple Whale collect on customers’ users?
The types of personal data collected on our customers’ end-users or shoppers are determined by the customer. These could vary depending on the Triple Whale products used by the customer, the input data it provides, or the data it allows to flow into the Triple Whale platform through their connected APIs. This would typically include browser and connectivity data on the shopper collected via the Triple Whale Pixel, and shopper journey attribution points throughout the customer’s online assets (online ad, storefront, product views, page interactions, communications, shopper contact, and shipping information, order information, purchasing preferences and history), as submitted to the Triple Whale platform by or on behalf of the customer, at their choice and preference. 
How will Triple Whale be using personal data that it processed on behalf of Triple Whale customers?
Triple Whale will process customer personal data in accordance with our Data Processing Addendum (DPA) and the customer’s reasonable instructions.
How does Triple Whale collect, store and use personal data as a Data Controller?
Triple Whale processes personal data as a data controller as described in our Privacy Notice.
Is Triple Whale GDPR compliant?
Triple Whale's global privacy program is designed with some of the most comprehensive and advanced data protection regulations in the world in mind, including the EU General Data Protection Regulation (GDPR), as we regularly look for ways to enhance our data protection and privacy posture.

For these purposes, Triple Whale has also appointed leading privacy consultancy PrivacyTeam Ltd. as its Data Protection Officer, for monitoring and advising on Triple Whale’s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities. Triple Whale’s Data Protection Officer may be reached at [email protected].
Is Triple Whale CCPA / CPRA ready? 
Triple Whale monitors developments in privacy legislation in the US to remain compliant and ready. Triple Whale is also ready for the California Privacy Rights Act (CPRA) becoming applicable in 2023.

If you have a question regarding specific regulations in California or other parts of the US please let us know and we will refer it to our DPO for review.
Does Triple Whale offer a Data Processing Addendum (DPA)?
Triple Whale offers a Data Processing Addendum (DPA) in which we commit to process our customers' data and perform our duties as a data processor under the GDPR, as well as other applicable data protection regulations. You can review our DPA on our website.
Does Triple Whale have a Data Protection Officer (DPO)? 
Triple Whale has appointed leading privacy consultancy PrivacyTeam Ltd. as its Data Protection Officer, for monitoring and advising on our ongoing Privacy compliance and serving as a point of contact on Privacy matters for data subjects and supervisory authorities. Our Data Protection Officer may be reached at [email protected].
Does Triple Whale use sub-processors? Where can I see the list of your sub-processors?
Yes, we use sub-processors in order to provide our services. Before engaging any third-party sub-processor, we evaluate their privacy, security, and confidentiality practices and execute an agreement implementing the applicable requirements under privacy regulations and that is no less onerous than the DPA with our customers. 

A list of our subprocessors is available upon request.
Where is customer data stored?
Triple Whale stores customer data primarily in the US and uses legally accepted transfer mechanisms, such as the EU Standard Contractual Clauses (SCCs) approved by the European Commission in 2021, with supplemental clauses approved by the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner, to transfer personal data from the EEA/UK/Switzerland to the US. These include additional safeguards laid out and enforced both in the SCCs themselves and in Triple Whale's DPA (Schedule 2 Part 4) to ensure that the data is protected, kept confidential, and data subject rights are enforced to the same standards afforded under the GDPR in the EEA and Switzerland and under the UK GDPR in the UK. 

Triple Whale conducts regular Transfer Impact Assessments regarding the transfers initiated by us of personal data originating from the EEA/UK/Switzerland to subprocessors in countries without the appropriate adequacy decision, including in the US. 

A memo summarizing the conclusions of our assessment regarding transfers to the US may be shared with you upon request (subject to an NDA). 
How is my personal data protected?
Triple Whale is committed to providing customers with a highly secure and reliable environment for their data. We have therefore developed a security model that covers all aspects of our systems, including encryption of data in transit and at rest, access restrictions, and firewalls. 

All Triple Whale data collected on behalf of customers is located in Google’s USA based data centers where there are both DRP and BCP plans.

Triple Whale achieved a SOC 2 Type 1 attestation in August 2023, and is working toward accomplishing our Type 2 attestation in early 2024.

A more detailed description of our security policy is available upon request. 
How does Triple Whale handle Data Subject Rights requests?
Triple Whale has an internal procedure to respond to data subject requests (e.g. to receive a copy of any personal data that Triple Whale holds on that data subject in our systems, to correct any inaccuracies in the data we hold, or to have it deleted, etc.) in a timely manner and subject to applicable law.

If Triple Whale is the processor of the personal data (i.e. processes it on behalf of a certain customer), then Triple Whale will either refer the request to the appropriate customer (where we can link the request to that customer) and/or inform the data subject that we are the data processors and that in order to exercise their data rights they must approach the relevant customer, who is the controller of the data in question. We will then act strictly in accordance with the customer’s instructions, subject to any superseding regulations.    
What is Triple Whale’s policy regarding the deletion of personal data that Triple processes on customers’ behalf?
Customers can instruct us to delete their “customer data” (personal data that we process on their behalf) during the course of their active subscription. When the subscription expires or is terminated, we will delete the personal data we processed on the customer’s behalf following the customer’s request within the timeline specified in the DPA. 
How does the Triple Whale Pixel work in terms of privacy compliance?
The Triple Whale Pixel is intended for attribution and analytics purposes. 

The responsibility or decision to collect consent for cookies (or provide opt-out options), and how, rests with our customer, who ultimately controls their storefront and other online assets (e.g. their online ads) where the Triple Whale Pixel may be placed.

The Triple Whale Pixel can be integrated with and managed through most industry-standard cookie management platforms (CMPs), and will therefore collect (or stop collecting) data based on the customer’s configuration of the CMP. 
Would Google’s proposal to deprecate third-party cookies have any effect on Triple Whale’s Pixel?
Triple Whale’s Pixel uses multiple tracking mechanisms for its services and 3rd party cookies are only one of them. As a result, we do not expect any meaningful impact on Triple Whale’s ability to provide the best solution in the market even if Google’s proposal goes into effect.

Also, keep in mind that Google announced the deprecation of 3rd party cookies several years ago and has been postponing it ever since with the current official timeline being the second half of 2024, though some analysts predict it will be in 2025.
Given the EU regulator’s scrutiny of analytics products, including Google Analytics, does Triple Whale have any concerns about similar scrutiny of its products in the EU?
Triple Whale is not concerned about similar scrutiny, most importantly because Triple Whale does not track users across multiple customers, i.e., the same user will be given completely different system-generated ID’s across different shops, and in each shop Triple Whale strictly acts as a processor regarding the data that is collected; additionally, Triple Whale cannot and does not enrich the data collection of/from a shopper in one shop with additional information it has collected elsewhere. 

Triple Whale’s Data Processing Agreement enforces that we have no interest in identifiable data, we will make no use of such identifiable data beyond for the purposes of providing the services, and our actions with regards to such data is strictly as processors on behalf of the relevant customer.

Explore our resources

© Triple Whale Inc.
266 N 5th Street, Columbus OH 43209