Privacy Policy

Effective Date: 1/01/2026
Company: Boats LLC going by FirstParty

1. Introduction

FirstParty ("we," "us," or "our") provides first-party, server-side conversion tracking infrastructure for direct brand clients and agency partners (collectively, "Clients"). Our services include Google Tag Manager (GTM) configuration, server-side GTM (sGTM) deployment via Google Cloud Run, and conversion signal routing to advertising platforms including Google Ads, Meta, and TikTok.

This Privacy Policy describes how we collect, use, store, and protect data in the course of delivering those services. It applies to all Clients who engage FirstParty directly or through an agency relationship.

This policy does not cover the end-user privacy practices of our Clients’ own websites or products. Clients remain independently responsible for their own privacy disclosures to their customers.

2. Our Role in Data Processing

FirstParty acts as a data processor on behalf of its Clients. We do not independently determine the purposes or means of processing personal data; we act on Client instructions to collect, route, and transmit conversion signals as configured within each engagement.

Clients act as the data controller for all personal data collected through their websites, ad campaigns, and checkout flows. By engaging FirstParty, Clients represent that they have the legal basis to process the data they instruct us to handle.

3. Data We Process

The scope of data processed by FirstParty depends on the specific tracking configuration deployed for each Client. This may include:

3.1 GTM and Tracking Pixel Data

Through Google Tag Manager (client-side and server-side), we may process:

Page view events, click events, and form submission events triggered on Client websites
Google Click IDs (GCLID), Meta Click IDs (fbclid), TikTok Click IDs (ttclid), and other ad platform click identifiers appended to landing page URLs
First-party cookies set or read from Client domains, used to persist click IDs and session data across a user’s visit
IP addresses, user agent strings, and other server-side request metadata received by sGTM containers hosted on Google Cloud Run
Custom data layer variables defined by the Client’s GTM configuration, which may include purchase values, product categories, or other event parameters

‍

Server-side GTM containers are hosted on infrastructure managed by FirstParty on behalf of the Client (via Stape or direct Google Cloud Platform deployment). Raw event data is processed in-transit and forwarded to ad platform APIs; FirstParty does not operate a persistent data store for raw event logs unless explicitly included in the engagement scope.

3.2 Ad Platform Data (Google Ads, Meta, TikTok)

FirstParty configures and operates integrations with the following advertising platform APIs on behalf of Clients:

Google Ads Enhanced Conversions — transmits hashed customer data (email address, phone number, or address) alongside conversion events to improve match rates against Google’s identity graph
Meta Conversions API (CAPI) — transmits conversion events and hashed customer identifiers server-side to Meta, bypassing browser-based tracking limitations
TikTok Events API — transmits conversion events and hashed identifiers to TikTok’s server-side API

‍

All customer PII transmitted to these platforms is hashed using SHA-256 prior to transmission, consistent with each platform’s data requirements. FirstParty does not transmit unhashed PII to advertising platforms.

Each platform operates its own privacy and data retention policies. Clients should review the privacy documentation of Google, Meta, and TikTok directly to understand how those platforms handle received data.

4. How We Use Data

FirstParty uses Client data solely to deliver the agreed tracking and conversion services. Specifically:

To configure, test, and validate GTM containers and server-side event pipelines
To route conversion events to Client-designated ad platform accounts
To diagnose and resolve tracking errors, data discrepancies, or configuration issues
To generate implementation reports or performance summaries shared with the Client

‍

We do not use Client data for our own marketing purposes, aggregate it across clients for resale, or share it with third parties except as required to deliver the service (e.g., cloud infrastructure providers) or as required by law.

5. Data Retention

FirstParty does not retain raw conversion event data beyond what is necessary for delivery and QA of the service. Specifically:

Event data processed through sGTM containers is forwarded to the destination platform in real time and is not stored in FirstParty-operated databases unless a persistent enrichment or stitching layer has been explicitly deployed as part of the engagement
Configuration data (GTM container settings, tag configurations, API credentials) is retained for the duration of the Client relationship and deleted within 30 days of engagement termination upon written request
Access credentials (ad account tokens, GTM permissions) are stored encrypted and revoked upon contract termination

6. Access Controls and Security

FirstParty implements appropriate technical and organizational measures to protect Client data, including:

Role-based access controls: only FirstParty personnel assigned to a Client engagement have access to that Client’s configuration and credentials
Encrypted credential storage for all ad platform API tokens and GTM service account keys
Server-side GTM containers deployed on Google Cloud Run with HTTPS-only endpoints and access logging
MCC-level (Manager Account) linking for Google Ads access, and Business Manager partner access for Meta, ensuring Client retains ownership and can revoke access at any time

‍

Clients are responsible for maintaining the security of their own GTM containers, ad accounts, and any access they grant to third parties outside of FirstParty.

7. Sub-processors

To deliver our services, FirstParty relies on the following categories of sub-processors:

Google Cloud Platform / Stape — hosting of server-side GTM infrastructure
Google Tag Manager — tag management and event orchestration
Google Ads, Meta, TikTok — destination platforms for conversion data as directed by the Client

‍

We will notify Clients of material changes to our sub-processor list that may affect the processing of their data.

8. Client Responsibilities

Clients engaging FirstParty are responsible for:

Ensuring they have an appropriate legal basis (e.g., consent, legitimate interest) for the collection and processing of end-user data on their properties
Maintaining accurate and compliant privacy policies on their own websites that disclose the use of server-side tracking, advertising pixels, and conversion APIs
Complying with applicable advertising platform terms of service, including Meta’s Business Tools Terms, Google’s Customer Match policy, and TikTok’s Events API terms
Providing FirstParty with only the data necessary to fulfill the agreed tracking objectives

9. Agency Partners

Where FirstParty is engaged by an agency on behalf of an underlying brand client, the agency assumes responsibility for ensuring that the brand client has been informed of, and consented to, the data practices described in this policy. FirstParty treats the agency as the contracting Client and processes data in accordance with agency instructions.

Agencies may not instruct FirstParty to process data in ways that exceed the scope of what has been authorized by the underlying brand client.

10. Data Subject Rights

To the extent FirstParty processes personal data subject to privacy regulations (including GDPR, CCPA, or other applicable laws), data subjects should direct rights requests (access, deletion, correction, opt-out) to the Client whose website or campaign generated the data. FirstParty will cooperate with Clients to fulfill valid data subject requests within a commercially reasonable timeframe.

If you believe FirstParty itself holds your personal data and wish to exercise your rights, please contact us at the address below.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or sub-processor relationships. We will notify active Clients of material changes by email with reasonable advance notice. Continued use of FirstParty services after the effective date of an updated policy constitutes acceptance of the changes.

12. Contact

For questions about this Privacy Policy, data processing practices, or to submit a data rights request, contact:

‍

FirstParty

Email: data@firstparty.com

This policy does not constitute legal advice. Clients should consult their own legal counsel to ensure their use of FirstParty services is compliant with applicable privacy laws in their jurisdiction.