Join us at The Whalies ā€¢ April 10th
Get Your Ticket

TripleĀ Whale Trust Center

Learn about our privacy and security practices.
Access important and useful documents and resources.

Learn about our privacy and security practices. Access important and useful documents and resources.

Data Privacy

The privacy of your personal data is important to us. We have a number of practices and measures in place to ensure the privacy of your personal data.

Learn More

Reliability

Our customers depend on our products to drive revenue and insights for their business. To earn that trust, we place reliability and transparency front and center in the design and development of our products.

LearnĀ More

Compliance

Triple Whale follows strict international standards and regulations in order to keep your data safe.

LearnĀ More

Compliance Certifications, Standards,
and Regulations

Get the answers you need

Below are our most frequently asked questions about our privacy practices.

Is Triple Whale the Data Controller or the Data Processor?
Triple Whale acts as a data processor regarding the personal data that is processed through our platform on behalf of our customers, including those collected into the platform via APIs connected by our customers to their accounts at other third-party services (for example, where their online stores are stored and operated, or where they advertise). Triple Whale is also a data processor regarding the personal data collected using the Triple Whale Pixel on behalf of its customers.

We process this data strictly on behalf of and under the instructions of our customers, in accordance with our Data Processing Addendum (DPA) and other commercial agreements with them.

Triple Whale is a data controller regarding personal data that we collect for our own purposes which includes personal data on our website visitors, contact details on our prospective and existing customers, and billing information of our customers and vendors. For more information on personal data which we process as the data controller please refer to our Privacy Notice.
What types of personal data does Triple Whale process?
At Triple Whale, we collect and store different types of personal data ā€“ personal data about our users/ customers/ website visitors and those who interact with our promotions and marketing, personal data of prospective and existing business customers, personal data of our customersā€™ users (i.e. credentialed users), personal data of employees and service providers, and personal data which we process strictly on behalf of and under the instructions of our customers - as part of the provision of our services and products. You can read more about how we process data in our Privacy Notice.
What personal data does Triple Whale collect on customersā€™ users?
The types of personal data collected on our customersā€™ end-users or shoppers are determined by the customer. These could vary depending on the Triple Whale products used by the customer, the input data it provides, or the data it allows to flow into the Triple Whale platform through their connected APIs. This would typically include browser and connectivity data on the shopper collected via the Triple Whale Pixel, and shopper journey attribution points throughout the customerā€™s online assets (online ad, storefront, product views, page interactions, communications, shopper contact, and shipping information, order information, purchasing preferences, and history), as submitted to the Triple Whale platform by or on behalf of the customer, at their choice and preference.
How will Triple Whale be using personal data that it processed on behalf of Triple Whale customers?
Triple Whale will process customer personal data in accordance with our Data Processing Addendum (DPA) and the customerā€™s reasonable instructions.
How does Triple Whale collect, store and use personal data as a Data Controller?
Triple Whale processes personal data as a data controller as described in our Privacy Notice.
Is Triple Whale GDPR compliant?
Triple Whaleā€™s global privacy program is generally shaped in light of the most comprehensive and advanced data protection regulation in the world, the EU General Data Protection Regulation (GDPR), with its data processing principles in mind as Triple Whale continues to look for ways to enhance its data protection and privacy posture.

For these purposes, Triple Whale has also appointed leading privacy consultancy PrivacyTeam Ltd. as its Data Protection Officer, for monitoring and advising on Triple Whaleā€™s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities. Triple Whaleā€™s Data Protection Officer may be reached at [email protected].
Is Triple Whale CCPA compliant?
Triple Whale monitors developments in privacy legislation in the US to remain compliant and ready. Triple Whale sees its services as directed towards businesses, and therefore it monitors and adapts to meet its business and service provider responsibilities, as applicable, under the California Consumer Privacy Act. Ā 

If you have a question regarding specific regulations in California or other parts of the US please let us know and we will refer it to our DPO for review.
Does Triple Whale offer a Data Processing Addendum (DPA)?
Triple Whale offers a Data Processing Addendum (DPA) in which we commit to process our customers' data and perform our duties as a data processor under the GDPR and CCPA, as well as other applicable data protection regulations. You can review our DPA on our website.
Does Triple Whale have a Data Protection Officer (DPO)?
Triple Whale has appointed leading privacy consultancy PrivacyTeam Ltd. as its Data Protection Officer, for monitoring and advising on our ongoing Privacy compliance and serving as a point of contact on Privacy matters for data subjects and supervisory authorities. Our Data Protection Officer may be reached at [email protected].
Does Triple Whale use sub-processors? Where can I see the list of your sub-processors?
Yes, we use sub-processors in order to provide our services. Before engaging any third-party sub-processor, we evaluate their privacy, security, and confidentiality practices and execute an agreement implementing the applicable requirements under privacy regulations and that is no less onerous than the DPA with our customers.

A list of our subprocessors is available upon request.
In which countries do you process personal data?
Triple Whale processes personal data (1) where Triple has entities, i.e., Israel and the US, at this time; and (2) where our processors and sub-processors are located, i.e., the EEA, USA, and Israel, at this time. Whether we transfer personal data as a data controller or a data processor, we make sure that we are compliant with applicable local transfer regulations and restrictions and that any cross-border transfer of personal data is subject to appropriate safeguards and implementation of a compliant transfer mechanism, as needed.

This includes, for example, transferring personal data to countries deemed "adequate" by the origin country regulator, adopting Standard Contractual Clauses for cross-border transfers from the EEA/UK/Switzerland, and self-certifying and relying on self-certification to the Data Privacy Framework for personal data transfers to the US, etc.
To which countries do you transfer personal data?
Triple Whale transfers personal data to Israel, the US, the EEA, and Ukraine at this time. When transferring data to Israel and/or the EEA from countries where there are transfer restrictions ā€“ generally, Triple Whale can rely on the "adequate" status of Israel and/or the EEA as locations providing sufficient protections for personal data and sufficient data subject rights, therefore allowing the transfer of personal data without additional safeguards. When transferring data to the US and/or Ukraine from countries where there are transfer restrictions - Triple Whale generally relies on the European Commission's 2021 Standard Contractual Clauses and the EU-US Data Protection Framework (in addition to the Standard Contractual Clauses).

For a specific transfer inquiry please reach out to us at [email protected] with the exporting location and the importing destination names.
Where is customer data stored?
Triple Whale stores customer data primarily in the US and uses legally accepted transfer mechanisms, such as the EU Standard Contractual Clauses (SCCs) approved by the European Commission in 2021, with supplemental clauses approved by the UK Information Commissionerā€™s Office and the Swiss Federal Data Protection and Information Commissioner, to transfer personal data from the EEA/UK/Switzerland to the US. These include additional safeguards laid out and enforced both in the SCCs themselves and in Triple Whale's DPA (Schedule 2 Part 4) to ensure that the data is protected, kept confidential, and that data subject rights are enforced to the same standards afforded under the GDPR in the EEA and Switzerland and under the UK GDPR in the UK.

Triple Whale is also self-certified to the EU-US and Swiss-US Data Privacy Frameworks (DPF), and to the UK Extension to the EU-US DPF. Ā Triple Whale conducts regular Transfer Impact Assessments regarding the transfers initiated by Triple Whale of personal data originating from the EEA/UK/Switzerland to subprocessors in countries without an appropriate adequacy decision, including in the US.

A memo summarizing the conclusions of our assessment regarding transfers to the US may be shared with you upon request (subject to an NDA).
How is my personal data protected?
Triple Whale is committed to providing customers with a highly secure and reliable environment for their data. We have therefore developed a security model that covers all aspects of our systems, including encryption of data in transit and at rest, access restrictions, and firewalls.

All Triple Whale data collected on behalf of customers is located in Googleā€™s USA based data centers where there are both DRP and BCP plans.

Triple Whale achieved a SOC 2 Type 1 attestation in August 2023, and is working toward accomplishing our SOC 2 Type 2 attestation in mid 2024.

A more detailed description of our security policy is available upon request.
How does Triple Whale handle Data Subject Rights requests?
Triple Whale has an internal procedure to respond to data subject requests (e.g. to receive a copy of any personal data that Triple Whale holds on that data subject in our systems, to correct any inaccuracies in the data we hold, or to have it deleted, etc.) in a timely manner and subject to applicable law.

If Triple Whale is the processor of the personal data (i.e. processes it on behalf of a certain customer), then Triple Whale will either refer the request to the appropriate customer (where we can link the request to that customer) and/or inform the data subject that we are the data processors and that in order to exercise their data rights they must approach the relevant customer, who is the controller of the data in question. We will then act strictly in accordance with the customerā€™s instructions, subject to any superseding regulations. Ā 
What is Triple Whaleā€™s retention policy for personal data?
Data that we process as controllers, per our Privacy Notice, is retained in accordance with the Notice and our internal Data Retention Policy. Generally, said information is retained for as long as we are providing you with our services, and then for an additional period for legal and operational purposes. If you have questions regarding a specific data type or a specific data subject right you would like to exercise, please reach out to us at [email protected].

Data that we process as processors, we retain on behalf of the customer for as long as is necessary to continue to provide the customer with the services, and subject to customer instructions, including ad-hoc instructions, and our signed Data Processing Agreement with that customer. Generally, we retain customers' personal data for up to 60 days following termination of services, at which point we permanently delete any customer personal data in our possession.
What is Triple Whaleā€™s policy regarding the deletion of personal data that Triple processes on customersā€™ behalf?
Customers can instruct us to delete their ā€œcustomer dataā€ (personal data that we process on their behalf) during the course of their active subscription. When the subscription expires or is terminated, we will delete the personal data we processed on the customerā€™s behalf within the timeline specified in the DPA.
How does the Triple Whale Pixel work in terms of privacy compliance?
The Triple Whale Pixel is intended for attribution and analytics purposes. The responsibility or decision to collect consent for cookies (or provide opt-out options), and how, rests with our customer, who ultimately controls their storefront and other online assets (e.g. their online ads) where the Triple Whale Pixel may be placed.The Triple Whale Pixel can be integrated with and managed through most industry-standard cookie management platforms (CMPs), and will therefore collect (or stop collecting) data based on the customerā€™s configuration of the CMP.
How do Tripleā€™s Whaleā€™s AI capabilities impact the protection of customersā€™ personal data?
Triple Whaleā€™s AI capabilities are supported by subprocessors that are subject to signed data processing addendums with security requirements and processing limitations no less strict than those we have ourselves committed to. Triple Whale ensures complete data segregation between customers and each customer can use Triple Whaleā€™s AI capabilities only with regard to its own data within the Triple Whale platform. Ā 
Will Googleā€™s Consent Mode v2 have any effect on Triple Whaleā€™s Pixel?
The Triple Whale pixel does not rely on Google services. It collects data, independently of any Google service, and is subject to the configurations, if any, of the cookie management platform in the customerā€™s store.
Would Googleā€™s proposal to deprecate third-party cookies have any effect on Triple Whaleā€™s Pixel?
Triple Whaleā€™s Pixel uses multiple tracking mechanisms for its services and 3rd party cookies are only one of them. As a result, we do not expect any meaningful impact on Triple Whaleā€™s ability to provide the best solution in the market even if Googleā€™s proposal goes into effect.

Also, keep in mind that Google announced the deprecation of 3rd party cookies several years ago and has been postponing it ever since with the current official timeline being the second half of 2024, though some analysts predict it will be in 2025.
Given the EU regulatorā€™s scrutiny of analytics products, including Google Analytics, does Triple Whale have any concerns about similar scrutiny of its product in the EU?
Triple Whale is not concerned about similar scrutiny, most importantly because Triple Whale does not track users across multiple customers, i.e., the same user will be given completely different system-generated IDs across different shops, and in each shop Triple Whale strictly acts as a processor regarding the data that is collected; additionally, Triple Whale cannot and does not enrich the data collection of/from a shopper in one shop with additional information it has collected elsewhere.

Triple Whaleā€™s Data Processing Agreement enforces that we have no interest in identifiable data, we will make no use of such identifiable data beyond the purposes of providing the services, and our actions regarding such data are strictly as processors on behalf of the relevant customer.

Explore our resources

Ā© Triple Whale Inc.
266 N 5th Street, Columbus OH 43209