Privacy & Data
How we collect, store, and protect your data
1. Introduction
At DNOMIA Bilgi Teknolojileri Ticaret Limited Sirketi (Dnomia), we value your privacy and the security of your data. This Privacy Policy explains what data we collect, the purposes of data collection, and your rights regarding your data.
Dnomia is a server-side tracking and event routing platform. We help businesses collect, process, and forward analytics and conversion events to their configured destinations such as Google Analytics 4, Meta Conversions API, Google Ads, and others.
In this relationship, Dnomia acts as a data processor. Our customers (the businesses that install Dnomia) are the data controllers. We process personal data strictly on behalf of our customers and according to their instructions.
2. Scope and Domains
This Privacy Policy covers all Dnomia products and services across the following domains:
- dnomia.app: Scout Dashboard, user account management, billing, and third-party integrations (Google Ads, Facebook, Pinterest, TikTok, etc.)
- scout.dnomia.app: Server-side event collection API. Receives tracking events from websites and forwards them to configured destinations.
- cdn.dnomia.app: Content delivery for the Scout SDK (JavaScript library) and related assets.
- dnomia.com: Marketing website, blog, and documentation.
If you do not accept this Privacy Policy, you should not continue using our services.
3. Collected Data
Dnomia collects and processes the following categories of data on behalf of its customers:
| Category | Data Points | Collection Method |
|---|---|---|
| Identity Information | Email, phone, first/last name (via identify() command) | Only when explicitly provided by the end user |
| Browser Identifiers | Anonymous ID, session ID | Generated automatically by the SDK |
| Advertising Identifiers | gclid, fbp, fbc, msclkid, ttclid (from cookies, only collected after consent is granted) | From cookies, only after consent is granted |
| Campaign Parameters | UTM parameters (from URL) | Extracted from page URL parameters |
| Event Data | Page views, purchases, add-to-cart, form submissions, conversion events | Configured by the customer via SDK or server-side |
| E-commerce Data | Order ID, revenue, currency, product details (ID, name, price, quantity) | Sent with conversion events by the customer |
| Technical Data | IP address (truncated for analytics), user agent, page URL, referrer URL | Collected from HTTP request headers |
4. How We Use Data
We use the data collected through our platform for the following purposes:
- Event routing: Forwarding events to destinations configured by our customers, including Google Analytics 4, Meta Conversions API, Google Ads, TikTok Events API, Pinterest Conversions API, LinkedIn CAPI, Microsoft Ads UET, and others.
- Attribution and conversion tracking: Matching advertising click identifiers with conversion events to measure campaign performance on behalf of our customers.
- Aggregate analytics: Providing anonymized, aggregate analytics. A cookieless mode is available that does not require user consent.
What we do NOT do:
- We do not sell personal data to any third party.
- We do not use personal data for our own advertising purposes.
- We do not share data with any parties beyond the destinations explicitly configured by our customers.
- We do not build user profiles for our own commercial use.
- We do not use data for training AI or machine learning models.
5. Third-Party Integrations and OAuth
Dnomia integrates with third-party advertising and analytics platforms to deliver conversion data. When customers connect their accounts, the following applies:
- Google Ads: Customers authorize Dnomia via OAuth to access the Google Ads API (scope:
adwords). Dnomia uses this access solely to upload offline conversion events to the customer's Google Ads account. Dnomia does not read, modify, or delete any data from Google Ads accounts. OAuth tokens (access token and refresh token) are stored encrypted in our database and are used only for conversion uploads. - Facebook (Meta) Conversions API: Customers provide a system user access token and pixel ID. Dnomia sends conversion events to the customer's Meta dataset.
- Pinterest Conversions API: Customers authorize Dnomia via OAuth. Dnomia sends conversion events to the customer's Pinterest ad account.
- Other destinations (TikTok Events API, Google Analytics 4, LinkedIn CAPI, Microsoft Ads UET, PostHog, Umami): Similar patterns apply. Customers provide credentials or authorize via OAuth, and Dnomia sends conversion events on their behalf.
For all integrations, Dnomia acts as a conduit for the customer's own data. We do not use customer data or third-party platform credentials for any purpose other than delivering the customer's conversion events to their configured destinations.
6. Google User Data: Limited Use Disclosure
Dnomia's use of Google Ads API data adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide and improve the Dnomia platform's functionality (uploading offline conversions).
- Google user data is not transferred, sold, or disclosed to any third party, except as necessary to provide the service or as required by law.
- Google user data is not used for advertising, marketing, data brokering, credit assessment, or training AI/ML models.
- OAuth tokens are stored encrypted and are accessible only to the authenticated customer who authorized the connection.
- Customers can revoke access at any time by disconnecting the Google Ads destination from their Dnomia dashboard or by revoking access through their Google Account settings.
7. Data Retention
How long each data type is stored
| Data | Period | Note |
|---|---|---|
| Attribution Click IDs | 90 days | gclid, fbp, fbc, etc. |
| Attribution UTMs | 90 days | Campaign parameters |
| Tracking Parameters | 30 days | Edge enrichment data |
| Profile PII | 90 days | Hashed for matching, plaintext for active destinations |
| Inactive Profile | 90 days | PII anonymized, aggregate metrics preserved |
| Event Details | 90 days | PII stripped at processing, hashes kept |
| Visitor Cookie (_dnomia_id) | 90 days | Aligned with maximum destination conversion window (90 days) |
| OAuth Tokens | Until disconnected | Stored encrypted, deleted when integration is removed or account is deleted |
| Account Data | Duration of relationship | Deleted upon request via support@dnomia.com |
8. Consent Mechanism
Three consent levels and their behavior
Full Consent
All data is collected and processed. Events are sent immediately to all configured destinations.
Analytics Only
PII is stripped, IP is truncated. Anonymous aggregate data only.
Denied
No data is recorded. All tracking stops immediately.
Default consent state: The SDK defaults to a "pending" state. No data is collected or transmitted until consent is explicitly granted by the end user through a supported consent management platform or a manual API call.
Do Not Track: The SDK respects the browser's Do Not Track (DNT) signal by default. When DNT is enabled, no tracking occurs.
Supported CMPs
Dnomia auto-detects the following consent management platforms and syncs consent state automatically.
| Platform | Description |
|---|---|
| Cookiebot | Automatic detection and consent sync. Listens to Cookiebot consent events and updates tracking state. |
| OneTrust | Enterprise-grade consent management. Integrates with OneTrust consent categories (C0002, C0004). |
| Usercentrics | Consent management with automatic geo-detection. Syncs with Usercentrics consent state. |
| Iubenda | Privacy and cookie consent solution. Respects Iubenda consent preferences (Purpose 4/5). |
| Mobildev CMP | Turkish market CMP solution. Native integration for KVKK compliance. |
| Efilli CMP | Turkish e-commerce focused CMP. Integrated consent detection for Turkish online stores. |
| IAB TCF 2.2+ | Universal fallback via standard __tcfapi. Covers 100+ Google-certified CMPs. Purpose 1 (storage) maps to analytics, Purpose 7 (ad measurement) maps to full consent. |
10. Your Rights (GDPR/KVKK)
Data subject rights under GDPR Article 15/17 and KVKK Article 11
Right to Access (Data Export)
You have the right to request a complete export of all personal data we hold about you. This right is provided under GDPR Article 15 and KVKK Article 11.
Right to Erasure
You have the right to request the permanent deletion of your personal data. Once processed, this action is irreversible and removes all profile data, event history, and associated identifiers from our systems.
Right to Restriction of Processing
You may request that we restrict the processing of your personal data under certain conditions, such as when you contest the accuracy of the data or object to its processing.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit that data to another controller.
Right to Object
You have the right to object to the processing of your personal data for specific purposes. When you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
How to Exercise Your Rights
You can exercise any of these rights by contacting us at support@dnomia.com. If you are a customer of a business that uses Dnomia, you may also request data erasure through the business's dashboard, which provides a self-service erasure feature. We will respond to all valid requests within 30 days.
11. Data Deletion and Erasure Requests
In accordance with GDPR Article 17 (Right to Erasure) and KVKK Article 7, Dnomia provides automated data deletion capabilities.
Automated Deletion via SDK
The Dnomia SDK includes a built-in forget command that sends an erasure request to the collection endpoint. When triggered:
- All tracking parameters (UTM data, click IDs, attribution data) associated with the visitor's anonymous ID are permanently deleted.
- An asynchronous erasure process removes related event data and profile information.
- The request is logged with a unique request ID for audit purposes.
- Dnomia cookies and browser storage are cleared on the client side.
Dashboard Erasure Feature
Business customers can submit erasure requests through their Dnomia dashboard by providing the email address or phone number of the data subject. The erasure process is handled asynchronously and removes all matching profile and event data.
Manual Deletion Requests
If you wish to request deletion of your data manually, you can contact us at support@dnomia.com. We will process your request within 30 days as required by applicable data protection regulations.
12. Data Processing & Security
Processing locations: Data is processed on Hetzner infrastructure located in Germany and Finland, and on Cloudflare's global edge network. All infrastructure is GDPR-compliant.
Encryption in transit: All data transmitted between browsers, our SDK, collection endpoints, and processing servers is encrypted using TLS (Transport Layer Security).
Encryption at rest: OAuth tokens and API credentials are encrypted at rest in our database.
Field-level hashing: Personally identifiable information (email addresses, phone numbers) is hashed using SHA-256 before being forwarded to advertising destinations. This ensures that PII is not transmitted in plaintext to third-party platforms.
Data processor role: Dnomia processes data on behalf of its customers (data controllers). We do not determine the purposes or means of processing. Our customers configure which events are collected, which destinations receive data, and what consent policies apply.
Access controls: Access to production systems and personal data is restricted to authorized personnel only, using role-based access controls and audit logging.
13. International Data Transfers
Our primary data processing infrastructure is located within the European Union (Hetzner, Germany/Finland). When data is processed at Cloudflare's global edge nodes, it is subject to Cloudflare's GDPR Data Processing Addendum (DPA).
Where personal data is transferred outside the European Economic Area, we rely on EU Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers.
No personal data is transferred to jurisdictions outside of GDPR-adequate countries without appropriate safeguards in place.
14. Compliance
GDPR
European Union General Data Protection Regulation. Dnomia operates as a data processor under Article 28 and supports data subject rights under Articles 15-22.
KVKK
Turkey Personal Data Protection Law. Dnomia complies with KVKK Article 11 data subject rights and processes data in accordance with Turkish data protection requirements.
ePrivacy Directive
ePrivacy Directive compliant. Cookie consent is obtained before any non-essential cookies are set.
DMA (Digital Markets Act)
Dnomia supports consent signal forwarding to gatekeeper platforms as required by the Digital Markets Act. Consent Mode signals are automatically sent to Google, Meta, and TikTok based on the end user's consent state.
15. Age Restriction
Our services are intended for persons 18 years of age or older. You should not use our platform if you are not at least 18 years old. If we become aware that we are processing personal data belonging to persons under 18, we will immediately delete this personal data.
16. Links to Other Websites
Our platform may contain links to websites belonging to third parties, and our Privacy Policy does not apply to these websites. We do not accept any responsibility for these websites. You should read their privacy policies before sharing your data with third-party websites.
17. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date below and notify customers via email or dashboard notification.
Last updated: February 2026
18. Contact
DNOMIA Bilgi Teknolojileri Tic. Ltd. Sti.
Merkez Mah. Hasat Sk. No:52 D:1, Sisli, Istanbul, 34381, Turkey
Email: support@dnomia.com
Website: dnomia.app