RocketCheckout RocketCheckout
RocketCheckout RocketCheckout

Privacy Policy

Effective Date: January 10, 2026

Contents

  1. 1. Introduction
  2. 2. Data Processing Role
  3. 3. Information We Collect
  4. 4. How We Use Information
  5. 5. Advertising & Signal Routing
  6. 6. Cookies & Tracking
  7. 7. Information Sharing
  8. 8. Subprocessors
  9. 9. Data Security
  10. 10. Data Retention
  11. 11. International Transfers
  12. 12. Your Privacy Rights
  13. 13. Children's Privacy
  14. 14. Third-Party Services
  15. 15. Changes to This Policy
  16. 16. Contact Us

1. Introduction

RocketCheckout ("we," "our," or "us") provides eCommerce checkout optimization, funnel analytics, and conversion signal routing services to merchants. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform and website at rocketcheckout.com.

By using our services, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of our services.

2. Data Processing Role

RocketCheckout acts as a data processor on behalf of merchants who use our platform. Merchants are the data controllers.

This distinction is important under GDPR and similar data protection laws:

  • Merchants (Data Controllers) determine the purposes and means of processing customer data, and are responsible for obtaining necessary user consents and ensuring lawful collection
  • RocketCheckout (Data Processor) processes data only on the merchant's documented instructions, to provide and improve the services described in our agreement

Merchants who require a formal Data Processing Agreement (DPA) may request one or refer to our published DPA at rocketcheckout.com/dpa.

3. Information We Collect

A. Merchant Account Information

  • Name, email address, and phone number
  • Company name and business details
  • Store URL and eCommerce platform
  • Billing and payment information (processed by Stripe)
  • Communication preferences

B. Checkout & Event Data (Core to Service)

As part of providing our checkout optimization services, we process event data on behalf of merchants. This includes:

  • Checkout events (initiated, completed, abandoned)
  • Purchase value and transaction metadata
  • Product identifiers and order details (as transmitted by merchant stores)
  • Device and session identifiers
  • Traffic source and attribution signals
  • Browser type and operating system information

C. Technical Platform Data

  • IP addresses and approximate location
  • Server logs and usage statistics
  • API call metadata and performance data
  • Cookies and similar tracking technologies

4. How We Use Information

We use collected information to:

  • Provide, operate, and maintain our checkout optimization services
  • Analyze funnel performance and generate insights for merchants
  • Route conversion signals to advertising platforms on behalf of merchants
  • Process payments and manage merchant accounts
  • Provide technical support and respond to inquiries
  • Detect fraud, abuse, and security incidents
  • Improve platform features and develop new capabilities
  • Comply with legal obligations

We collect only data necessary for these purposes (data minimization principle) and do not use checkout event data for our own advertising or profiling purposes.

Lawful Basis for Processing (GDPR)

Where GDPR or equivalent law applies, we rely on the following lawful bases:

  • Contract — processing necessary to provide the services you have contracted for (account management, checkout event collection, billing)
  • Consent — analytics, marketing cookies, and conversion signal routing to advertising platforms where user consent is required by applicable law
  • Legitimate Interests — security monitoring, fraud prevention, and limited product improvement analytics, where these interests are not overridden by your rights
  • Legal Obligation — retention of financial records and compliance with regulatory requirements

5. Advertising & Signal Routing

Important transparency notice: A core feature of RocketCheckout is server-side conversion signal routing. This means we may process and transmit checkout and purchase events to third-party advertising platforms on behalf of merchants.

Supported advertising platforms currently include:

  • Meta (Facebook/Instagram): via the Meta Conversions API
  • Google Ads: via Google Analytics 4 / Measurement Protocol
  • TikTok Ads: via the TikTok Events API

Data transmitted to these platforms typically includes:

  • Purchase and checkout event types
  • Transaction values and currency
  • Hashed customer identifiers (email, phone — hashed before transmission)
  • Device and browser metadata
  • Attribution and campaign data

These signals are transmitted on behalf of and at the direction of merchants to improve ad targeting, measurement, and attribution accuracy. Merchants are responsible for ensuring appropriate user consent is in place for these transmissions in their jurisdictions.

6. Cookies & Tracking Technologies

We use cookies and similar technologies on our marketing website for:

  • Essential cookies: Required for platform operation and security
  • Analytics cookies: To understand how visitors use our website
  • Marketing cookies: For attribution and advertising performance measurement

Users must provide consent before non-essential cookies are set. See our full Cookie Policy for details on what we use and how to manage preferences.

Consent enforcement: RocketCheckout processes tracking and analytics data only after consent is obtained where required by applicable law. Non-essential tracking is not activated until consent is confirmed.

Merchants are responsible for implementing compliant cookie consent banners on their own storefronts when using RocketCheckout's tracking SDK.

7. Information Sharing and Disclosure

We do not sell, trade, or rent personal information to third parties. We may share information in the following circumstances:

  • Subprocessors: With trusted third-party service providers (see Section 8) under data processing agreements
  • Advertising Platforms: Conversion signals transmitted on merchant instruction (see Section 5)
  • Legal Requirements: When required by applicable law, court order, or governmental authority
  • Safety: To protect the rights, property, or safety of RocketCheckout, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of business assets — with appropriate confidentiality protections
  • Consent: With your explicit consent for other specific purposes

8. Subprocessors

We engage the following categories of subprocessors to support our services. All subprocessors are bound by data processing agreements and appropriate security obligations.

SubprocessorPurposeLocation
StripePayment processingUSA / Global
Google (Analytics / GCP)Analytics, cloud infrastructureUSA / Global
SupabaseDatabase hosting (PostgreSQL)USA / EU (configurable)
ClickHouse CloudAnalytics data warehouseVPS / configurable region
ResendTransactional email deliveryUSA
TwilioSMS notifications (recovery)USA / Global

We will notify merchants of material changes to our subprocessor list in advance. Enterprise customers may request the full, current subprocessor list at privacy@rocketcheckout.com.

9. Data Security

We implement appropriate technical and organizational security measures, including:

  • Encryption in transit (TLS 1.2+) for all data transfers
  • Encryption at rest for sensitive stored data
  • Role-based access controls and least-privilege principles
  • Regular security assessments and dependency audits
  • Hashing of personally identifiable data (email, phone) before transmission to ad platforms

No security measure is 100% guaranteed. In the event of a data breach affecting your rights and freedoms, we will notify affected parties as required by applicable law.

10. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy:

  • Merchant account data: Retained for the duration of the account, plus 90 days post-termination to allow data export
  • Checkout event data: Retained per the merchant's plan tier; typically 12–36 months for analytics
  • Server logs: Retained for up to 90 days for security and debugging purposes
  • Billing records: Retained for 7 years as required by financial regulations

Upon account deletion or contract termination, data is securely deleted or anonymized within 90 days, unless longer retention is required by law.

11. International Data Transfers

RocketCheckout operates globally and your information may be transferred to and processed in countries other than your own. We ensure such transfers comply with applicable data protection laws by applying:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EEA data
  • Adequacy decisions where available
  • Equivalent contractual safeguards with all subprocessors

12. Your Privacy Rights

GDPR Rights (EEA / UK Users)

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request erasure of your personal data ("right to be forgotten")
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent at any time where processing is consent-based
  • Supervisory Authority: Lodge a complaint with your local data protection authority

CCPA Rights (California Residents)

  • Right to know what personal information is collected, used, and shared
  • Right to delete personal information
  • Right to opt out of sale of personal information (we do not sell personal data)
  • Right to non-discrimination for exercising privacy rights

To exercise any of these rights, please contact us at privacy@rocketcheckout.com. We will respond within 30 days.

13. Children's Privacy

Our services are not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that a child's data has been collected, we will take prompt steps to delete it.

14. Third-Party Services

Our platform integrates with and may contain links to third-party services (eCommerce platforms, advertising networks, analytics tools). We are not responsible for the privacy practices of these external services. We encourage you to review the privacy policies of any third-party services you use in conjunction with RocketCheckout.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered merchants or by a prominent notice on our website. The "Effective Date" at the top of this page reflects the date of the most recent revision. Continued use of our services after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related requests and questions about this policy:

Privacy requests: privacy@rocketcheckout.com

General enquiries: contact@rocketcheckout.com

DPA requests: rocketcheckout.com/dpa

This Privacy Policy is effective as of January 10, 2026. It applies to all RocketCheckout services and supersedes all prior privacy notices.

Terms of ServiceCookie PolicyData Processing Agreement