Last updated: April 2026
Vadour (“Vadour”, “we”, “us”) operates the analytics platform available at app.vadour.com and the related PrestaShop/WooCommerce plugins. Our data protection contact is [email protected].
| Category | What | Why (legal basis) |
|---|---|---|
| Account data | Name, email, hashed password | Contract performance |
| Billing data | Stripe customer/subscription IDs (no raw card data — Stripe holds that) | Contract performance |
| Store analytics | Order IDs, product names/prices, UTM parameters, click IDs (fbclid, gclid), device type, country (IP-derived, not stored raw) | Contract performance — you instruct us to process this data to deliver the service |
| End-customer identifiers | Hashed email (SHA-256, one-way), device fingerprint (canvas hash) | Legitimate interest — required for cross-session attribution without storing PII |
| Usage data | Pages visited in the app, feature usage (via PostHog, anonymised) | Legitimate interest — product improvement |
| Error logs | Stack traces, request metadata (via Sentry) | Legitimate interest — service reliability |
We do not store raw IP addresses, shopper names, or payment card numbers. We do not sell or share your data with third parties for advertising.
Vadour acts as a data processoron your behalf for the analytics data belonging to your store's customers. You (the merchant) remain the data controller for that data. By using Vadour you agree to our Data Processing Agreement (DPA), available on request at [email protected].
You are responsible for informing your end customers that their order and session data is processed by Vadouras a sub-processor for analytics purposes. A suggested disclosure for your privacy policy is available on request.
All data is stored on EU-hosted infrastructure (Hetzner, Germany — AZ Frankfurt). No data is transferred to third countries except where the sub-processors below have EU-adequate transfer mechanisms (Standard Contractual Clauses or equivalent).
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | US (SCC) |
| Resend | Transactional email | US (SCC) |
| PostHog | Product analytics (anonymised) | EU (PostHog Cloud EU) |
| Sentry | Error tracking | US (SCC) |
| Google (Gemini API) | AI analysis — only your analytics data, no PII sent | US (SCC) |
You have the right to:
To exercise any of these rights, email [email protected]. We respond within 30 days. You also have the right to lodge a complaint with Spain (AEPD).
The Vadour tracking pixel placed on your store sets a first-party session cookie (vctr_sid) to enable cross-session attribution. This cookie does not track users across domains and expires after 30 days of inactivity. No third-party advertising cookies are set by the Vadour pixel.
The Vadour dashboard app uses a session authentication cookie (authjs.session-token). This is strictly necessary for the service to function and does not require consent.
We use PostHog for anonymised usage analytics. PostHog respects Do Not Track signals and can be opted out of via our cookie banner.
We will notify you by email at least 14 days before any material change to this policy. Continued use of the service after that date constitutes acceptance.