Privacy by design

Built for the EU. Ready for every privacy law.

GDPR compliance isn’t a checkbox we added later - it’s the foundation SyncBeacon was designed on. No consent dark patterns, no workarounds.

Architecture
  1. SHA-256 hash in browser
    Email and phone hashed client-side - plain text never leaves the page.
  2. EU servers only
    Hashed event sent to Hetzner, Germany/Finland. No PII ever reaches our servers.
  3. Consent gate
    Non-consenting visitors: event dropped - not queued, not anonymised.
  4. Hashed forwarding
    Consented events forwarded to ad platforms under each platform's EU DPA.

How we protect your data

EU-Hosted Infrastructure

SyncBeacon's servers and database are hosted in the EU. Plain-text PII never reaches those servers - it is SHA-256 hashed in the browser first. The hashed event data forwarded to ad platforms (Meta, Google, TikTok) carries no reversible personal information and is transmitted under each platform's own EU Data Processing Agreement.

Client-Side PII Hashing

Email addresses and phone numbers are SHA-256 hashed in the user's browser before transmission. Plain-text PII never leaves the page - ever.

Consent-Signal Aware

Reads signals from your existing Consent Management Platform (CMP). Non-consenting visitors never have identifiable data forwarded to ad platforms.

Zero Third-Party Cookies

No reliance on third-party cookies whatsoever. Works identically regardless of browser cookie settings - compliant by architecture, not by workaround.

Data Minimisation by Default

Only the fields required for conversion matching are captured and forwarded. No behavioural profiling, no fingerprinting, no cross-site tracking.

Right to Erasure (RTBF)

Built-in GDPR Article 17 erasure endpoint. Remove all stored event data for a user in one API call - ready for Data Subject Access Requests.

Privacy and compliance questions

Is server-side tracking GDPR-compliant?

It can be, when consent is respected, data is minimised, and only permitted identifiers are forwarded. Compliance depends on implementation, consent banner configuration, and your privacy policy, not the concept alone.

How does SyncBeacon handle cookie consent?

SyncBeacon reads signals from your Consent Management Platform. In explicit mode, hashed customer identifiers are only forwarded when marketing consent was granted. Non-consenting orders can send limited, non-identifying order data where configured.

Where is my data stored?

SyncBeacon processes and stores event data on EU servers (Hetzner, Germany and Finland). Only hashed, pseudonymised identifiers are forwarded to ad platforms under each platform's data processing terms.

Does SyncBeacon use third-party cookies?

No. SyncBeacon does not rely on third-party cookies. Click IDs and session context are stored as first-party data where permitted, and confirmed conversions are delivered server-side.

What personal data is sent to ad platforms?

Only the fields needed for conversion matching: event name, value, currency, order ID, click IDs where available, and SHA-256 hashed email or phone when consent allows. Plain-text PII is hashed in the browser before it leaves the page.
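The browser-side step described above (consent gate, then SHA-256 hashing of email and phone, then a minimal event) can be sketched as follows. This is an added example, not SyncBeacon's code: `buildEvent`, `sha256Hex`, the `em`/`ph` field names, the consent object shape and the normalisation rules are all assumptions, and it models the "event dropped" behaviour for non-consenting visitors.

```javascript
// Added illustration; every name here is hypothetical, not SyncBeacon's API.
// Browsers expose WebCrypto as crypto.subtle; the fallback only lets the
// example run under older Node versions outside a browser.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);

async function sha256Hex(text) {
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Assumed normalisation: without it, "Jane@x.com " and "jane@x.com" hash to
// different values and conversion matching fails silently.
const normEmail = e => e.trim().toLowerCase();
const normPhone = p => p.replace(/\D/g, ''); // digits only, country code kept

async function buildEvent(order, consent) {
  // Consent gate runs first: without marketing consent nothing is hashed,
  // queued or returned.
  if (!consent || consent.marketing !== true) return null;

  // Data minimisation: only the fields the page lists for conversion matching.
  const event = {
    event: 'purchase',
    order_id: order.orderId,
    value: order.value,
    currency: order.currency,
  };
  if (order.clickId) event.click_id = order.clickId;
  if (order.email) event.em = await sha256Hex(normEmail(order.email));
  if (order.phone) event.ph = await sha256Hex(normPhone(order.phone));
  return event; // plain-text email and phone are never copied into the payload
}
```

An unsalted SHA-256 of an email is a stable pseudonymous identifier, which is what allows ad platforms to match it, so the consent gate has to sit in front of the hashing step rather than after it.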

Can I honour GDPR erasure requests?

Yes. SyncBeacon includes a Right to Erasure endpoint (GDPR Article 17) so you can remove stored event data for a user in one API call.

Privacy-compliant tracking from day one.

No legal review needed. No consent workarounds. Just a clean pipeline built for the EU.