Built for Trust
Attribution for PC and console games comes with unique privacy challenges — storefronts like Steam don't expose user-level data the way mobile app stores do. TRACKS is purpose-built for this reality: best-practice data handling with no cookies, no persistent identifiers, and infrastructure that stays under your control.
No Cookies. No Persistent Identifiers.
Unlike mobile MMPs that rely on device IDs and SDKs, TRACKS is designed for the PC and console ecosystem where those approaches don't apply. No cookies, no LocalStorage, no persistent identifiers on player devices. Basic attribution works under legitimate interest, with a consent flag to gate postback data sharing with ad networks when needed.
Pseudonymised by Default
IP addresses are cryptographically salted and hashed on arrival — the plain-text IP is never stored. Hashed IPs combined with user-agent data enable probabilistic attribution matching, while regular salt rotation prevents long-term re-identification.
30-Day Automatic Deletion
Raw attribution logs are automatically purged after 30 days. No data hoarding, no indefinite retention. You get the insights you need while minimising the data you hold.
Your Cloud. Your Control.
Games publishers handle sensitive launch and revenue data — it shouldn't live on someone else's servers. TRACKS deploys directly into your own Google Cloud project. You choose the server region, manage access rights, and control security configurations. Player data never leaves your infrastructure.
Encrypted End-to-End
All data is protected with TLS encryption in transit and at-rest encryption on your servers. From the moment a player interacts with your campaign to the moment the data lands in your dashboard, it's locked down.
No Sensitive PII Collected
TRACKS does not collect names, email addresses, phone numbers, or physical addresses. We process only what's needed for attribution: URLs, referrer data, UTM parameters, user agents, and pseudonymised event data.
Runs in Your Cloud, Not Ours
Game studios and publishers need to keep campaign data, revenue metrics, and player analytics confidential — especially around launches. TRACKS deploys into your own Google Cloud project so sensitive marketing intelligence never touches a third-party environment. You decide where it runs, who can access it, and how long data is retained.
Need more detail? Read the full technical documentation
Google Cloud Platform
Cloud Storage, Cloud Run, Pub/Sub, Cloud Functions
Customer-Controlled
You own the project, region, access, and billing
Encrypted at Rest
Google-managed or customer-managed encryption keys
No Data Mirroring
Personal data is never copied to Second Stage systems
Compliance, Simplified
Publishing games globally means navigating GDPR, CCPA, and evolving privacy regulations. TRACKS is architected so compliance is built in from day one — not bolted on after launch.
GDPR Compliant
Basic attribution operates under Article 6(1)(f) — legitimate interest — using only pseudonymised data. When you activate postbacks to share conversion signals with ad networks, TRACKS provides a consent-gated workflow under Article 6(1)(a) so data is only shared when your players opt in.
- You remain the sole data controller — Second Stage is not a processor
- Data stays in your infrastructure, never shared with us or third parties
- Consent flag controls which data can be shared with media partners
- Privacy policy templates included to simplify compliance
CCPA & CPRA Ready
TRACKS supports California privacy regulations through built-in pseudonymisation and data minimisation. No sensitive personal information is collected, and the 30-day retention window aligns with regulatory expectations for proportionate data handling.
Right to Forget — Built In
A dedicated API enables deletion of all records associated with a specific user ID or hash. Handle Data Subject Access Requests (DSARs) programmatically — no manual database intervention, no support tickets.
Only What's Needed. Nothing More.
TRACKS collects the minimum data required for accurate attribution across PC and console storefronts — pseudonymised campaign and event data — and nothing else. No names, no emails, no player accounts, no persistent identifiers. Your players stay anonymous, and raw logs are automatically deleted after 30 days.
For full technical details on what data is collected and how it's processed, see our data collection documentation.
Common Questions
Is TRACKS compliant with GDPR?
Yes. TRACKS processes data in pseudonymised and aggregated formats, stores IP addresses using non-reversible hashes with a 30-day retention limit, and deploys in your own cloud infrastructure. Basic attribution operates under legitimate interest; postback functionality is consent-gated.
Does TRACKS collect any PII?
TRACKS does not collect sensitive PII such as names, emails, or phone numbers. The primary data concern — client IP addresses — is hashed using a non-reversible method before storage. Reporting shows only aggregated data, never user-level information.
How does TRACKS handle the right to erasure?
TRACKS provides a GDPR Forget API that deletes all records associated with a given user ID and blocks future entries for that ID. This enables you to handle Data Subject Access Requests programmatically without manual database intervention.
Where is TRACKS data stored?
All data is stored in your own Google Cloud project — you choose the region, manage access rights, and control retention. TRACKS does not collect or mirror data on its side. This is comparable to an on-premise setup with enterprise-level data sovereignty.
Have more questions? View all FAQs
Privacy-first attribution for games.
See how TRACKS delivers full-funnel marketing intelligence for PC and console — built on industry best practices.