Privacy Policy
Last updated 30 June 2026
Last updated: 15 June 2026
11metrics ("we", "us", or "our") is a privacy-first marketing analytics and lead attribution platform operated by 11METRICS Ltd., registered in London, UK. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform at https://app.11metrics.ai and when our tracking pixel operates on your website.
1. Information We Collect
Account data: When you register, we collect your name, email address, company name, and password (stored as a bcrypt hash). We never store passwords in plain text.
Usage data: We collect information about how you use the platform — pages visited, features used, and actions taken — to operate and improve our service.
Tracking data: When you deploy the 11metrics pixel on your website, the pixel collects visitor sessions, UTM parameters, form submissions, and event data on your behalf. Email and phone data captured by the pixel is SHA-256 hashed on the client side before transmission — we never receive plain-text PII from your visitors. IP addresses are hashed server-side before storage and never persisted in plain text.
Payment data: Billing transactions are processed by Ziina (for GCC-region customers) and Stripe (for international customers). We do not store card numbers or bank account details on our servers.
Consent data: When your website visitors interact with the 11metrics cookie-consent banner, we record the consent decision (accept/decline), the timestamp, and the version of our privacy policy in force at that time. Consent preferences are stored client-side in localStorage (_pulse_consent). No pageview or tracking event is fired before a consent decision is made.
2. How We Use Your Information
We process your personal data for the following purposes and on the following legal bases (where GDPR applies):
To provide and operate the platform (contract performance, Art. 6(1)(b)): processing your subscription, managing your account, delivering platform features, and providing technical support.
To process payments (contract performance, Art. 6(1)(b)): issuing invoices, processing subscription fees, and maintaining billing records.
To send transactional communications (contract performance, Art. 6(1)(b)): account verification emails, password resets, payment receipts, usage alerts, and service notifications.
To improve and develop the platform (legitimate interests, Art. 6(1)(f)): analysing usage patterns, identifying bugs, and developing new features. Our legitimate interest is to maintain and improve the quality of our service. You may object to this processing at any time.
For security and fraud prevention (legitimate interests, Art. 6(1)(f)): detecting, investigating, and preventing fraud, abuse, and security incidents. Our legitimate interest is protecting our platform and our customers.
To comply with legal obligations (legal obligation, Art. 6(1)(c)): retaining financial records as required by tax law, responding to lawful requests from authorities, and fulfilling data subject rights.
Marketing communications (consent, Art. 6(1)(a)): if you have opted in, we may send you emails about product updates, new features, and promotional offers. You may withdraw your consent at any time by clicking the unsubscribe link in any marketing email or by emailing [email protected].
3. Data Sharing and Sub-processors
We do not sell your personal data to third parties. We share data only with trusted sub-processors who assist us in operating the platform, under contractual data protection obligations. The current list of sub-processors is set out below.
Sub-processor
Purpose
Location
Transfer mechanism
Microsoft Azure
Cloud infrastructure, application hosting, and file storage
EU (West Europe)
EU-based
Cloudflare
CDN, DDoS protection, and web analytics beacon
United States
SCCs + DPA
Stripe
Payment processing (international customers)
United States
SCCs + DPA
Ziina
Payment processing (GCC-region customers)
UAE
DPA
Sentry
Application error monitoring and performance tracking
United States
SCCs + DPA
Groq Cloud
AI text generation for platform analytics features
United States
SCCs + DPA
Hunter.io
Contact email enrichment (optional workspace feature)
France (EU)
EU-based
Brevo
Transactional email delivery
France (EU)
EU-based
MaxMind
IP geolocation (for session attribution; IPs hashed before storage)
United States
SCCs + DPA
HubSpot
CRM integration — only for workspaces that activate this connector
United States
SCCs + DPA
Zoho
CRM integration — only for workspaces that activate this connector
United States / India
SCCs + DPA
InsiderOne
Marketing platform integration — only for workspaces that activate this connector
Turkey
SCCs + DPA
CRM and marketing integrations (HubSpot, Zoho, InsiderOne, Brevo, Bitrix24) only receive data that your workspace explicitly syncs via the Cloud Connect feature. We do not send customer data to these services unless you configure and activate the connector.
We may also disclose personal data to law enforcement or regulatory authorities where required by applicable law, or to protect the rights, property, or safety of 11METRICS Ltd., our customers, or the public.
4. Cookies & Tracking Technologies
11metrics uses a single first-party cookie (_11metrics_uid) placed on your visitors’ browsers when you deploy our pixel on your domain. We do not set third-party tracking cookies.
Our marketing website (11metrics.ai) operates in cookie-free mode by default. If you choose to accept optional analytics cookies via our cookie-consent banner, those preferences are stored client-side in localStorage under the key _pulse_consent. We record: the consent decision, timestamp, and the version of this privacy policy in force at the time of consent (for GDPR Article 7 accountability).
No tracking events are fired before a consent decision is recorded. First-time visitors’ pageview events are deferred until the cookie-consent banner is interacted with.
5. Data Retention
Account data is retained for the lifetime of your workspace plus 30 days after account deletion, at which point all workspace data is permanently purged from our systems in accordance with GDPR Article 17.
Event and session data collected by the tracking pixel is retained for a maximum of 24 months, after which it is automatically deleted by our scheduled purge process. This implements the GDPR Article 5(1)(e) storage limitation principle.
Financial records (invoices, payment history) are retained for 7 years to comply with UK tax and accounting requirements.
You may request earlier deletion of your data at any time by contacting us at [email protected] or submitting a request via the “Do Not Sell or Share My Personal Information” page.
6. Your Rights
Depending on your jurisdiction, you may have the following rights over your personal data:
• Right of access — to receive a copy of the personal data we hold about you.
• Right to rectification — to correct inaccurate or incomplete data.
• Right to erasure — to request deletion of your personal data where no legitimate legal basis for continued processing exists.
• Right to restriction — to limit how we process your data in certain circumstances.
• Right to object — to object to processing based on legitimate interests or for direct marketing.
• Right to data portability — to receive your data in a structured, machine-readable format.
• Right to withdraw consent — where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — with the UK Information Commissioner’s Office (ICO) at ico.org.uk or with the supervisory authority in your country of residence.
To exercise any of these rights, email [email protected]. We will respond within 30 days (or within the timeframe required by your applicable law).
7. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you additional rights regarding your personal information.
Categories of personal information we collect:
• Identifiers: name, email address (hashed for pixel tracking), device identifiers, IP address (hashed before storage).
• Commercial information: subscription plan, billing history, invoice records.
• Internet or other electronic network activity: pixel events, page views, UTM parameters, session data, feature usage.
• Professional or employment-related information: company name, job role.
• Inferences: lead scores, audience segment classifications derived from tracked behaviour.
We do not sell or share your personal information for cross-context behavioural advertising. You have the right to opt out of the sale or sharing of your personal information. To exercise this right, visit our Do Not Sell or Share My Personal Information page.
California residents may also request to know what personal information we have collected, request deletion of personal information, and request correction of inaccurate personal information. We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, visit https://11metrics.ai/do-not-sell or email [email protected] with the subject line "CCPA Request". We will verify your identity and respond within 45 days.
8. Security
We implement industry-standard security measures including:
• Encryption in transit: all data is transmitted over TLS 1.2 or higher.
• Encryption at rest: sensitive personal data fields (email addresses, phone numbers) are encrypted at rest using AES-256 encryption.
• Hashed identifiers: email addresses and phone numbers captured by the pixel are SHA-256 hashed client-side before transmission; IP addresses are hashed server-side before storage. Plain-text PII is never written to our event database.
• Access controls: multi-factor authentication (MFA/passkey) is required for privileged administrative access. Customer workspace data is isolated by strict multi-tenant access controls.
• Regular security reviews: we conduct periodic internal security assessments of our platform.
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we are committed to responding promptly to any security incidents.
9. International Data Transfers
11METRICS Ltd. is incorporated in the United Kingdom. Your personal data may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including the United States, where some of our sub-processors operate.
For transfers to the United States and other third countries, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the UK ICO (International Data Transfer Agreements, “IDTAs”) or by the European Commission (where EU GDPR applies via the UK GDPR bridging mechanism), and where available, adequacy decisions. A list of sub-processors and their transfer mechanisms is provided in Section 3 above.
Where a sub-processor is located in the EU (such as Brevo and Hunter.io), no additional transfer mechanism is required.
10. Children
Our platform is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will indicate the date of the last update at the top of this page. For material changes, we will notify you via email or an in-app notice at least 14 days before they take effect. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.
The version of this policy in force at the time you gave consent to data processing is recorded against your consent record (see Section 4).
12. Contact
For privacy questions, to exercise your data rights, or to contact our Data Protection Officer, please contact us at [email protected] or write to:
11METRICS Ltd.
124–128 City Road
London, England
EC1V 2NX
United Kingdom