Privacy Policy

PixelEngine is a product of Byteex Ltd("we", "us", "our"). We provide a Webflow Designer Extension that connects Meta Pixel and Conversions API (CAPI) tracking to Webflow sites.

Contact: privacy@byteex.co

Account data

When you sign up via the Webflow Designer Extension, we collect:

• Email address (from Supabase Auth)
• Webflow site ID and site name
• Webflow OAuth access token (encrypted at rest)

Configuration data

• Meta Pixel ID(s)
• CAPI access token(s), encrypted at rest with AES-GCM
• Event trigger mappings (which elements fire which events)
• Privacy settings (IP anonymization, consent preferences)

Event data (from your site visitors)

When a visitor interacts with your Webflow site, our tracking script may collect:

• Event name (e.g., PageView, Lead, Purchase)
• Page URL
• IP address (optionally anonymized)
• User agent string
• Facebook click ID (fbclid) and browser ID (fbp) cookies
• Form field values (email, phone, name). Only when forms are submitted, only hashed (SHA-256) before transmission
• A fingerprint-based external ID cookie (can be disabled in settings)

• Event forwarding: We forward event data to Meta's Conversions API on your behalf. This is the core service and what you're paying for.
• Dashboard analytics: We aggregate event counts (by event name, status, page) for the in-extension dashboard. No PII is stored in these aggregates.
• Account management: Email is used for authentication, billing (via Paddle), and support communications.
• Service operation: Error logs and performance metrics help us debug issues.

• Infrastructure: Cloudflare Workers (edge compute), Cloudflare D1 (SQLite database), Supabase (authentication).
• Encryption: CAPI access tokens and Webflow OAuth tokens are encrypted at rest using AES-256-GCM.
• PII hashing: Visitor PII (email, phone, name, address) is SHA-256 hashed on our Cloudflare Worker before being sent to Meta. We never store raw PII.
• Event log retention: Event logs are retained for 30 days by default (configurable up to 180 days), then automatically deleted.
• Data location: Cloudflare Workers run at the edge globally. D1 databases are located in the EU (WEUR region).

We share data only with:

• Meta (Facebook): Event data is forwarded to Meta's Conversions API as configured by you. This is the purpose of the service.
• Paddle: Our payment processor. Receives your email and billing information for subscription management.
• Cloudflare: Our infrastructure provider. Processes data as a sub-processor.
• Supabase: Our authentication provider. Stores email and auth credentials.

We do not sell personal data. We do not use visitor data for our own advertising.

PixelEngine respects your site visitors' consent choices. Our tracking script checks for consent signals from:

• Webflow's built-in Privacy / Cookie Consent banner
• Cookiebot
• OneTrust
• Google Consent Mode v2
• Global Privacy Control (GPC) browser signal
• Your own window.PIXELENGINE_OPTOUT = true flag

If any of these signals indicate the visitor has not consented to marketing tracking, no events are fired. Neither the browser pixel nor the CAPI server event.

You(the site owner) are the data controller for your visitors' data. We act as a data processor. You are responsible for obtaining appropriate consent via your site's cookie banner.

Under GDPR and similar laws, you have the right to:

• Access the data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and data
• Export your data in a portable format
• Withdraw consent at any time

To exercise these rights, email privacy@byteex.co. We will respond within 30 days.

PixelEngine's tracking script sets the following cookies on your visitors' browsers:

We also store fbclid in localStorage as a backup when the Meta Pixel cookie is blocked. This can be disabled in Settings → Privacy.

• All API tokens encrypted at rest (AES-256-GCM)
• All traffic over HTTPS
• Webhook signatures verified (HMAC-SHA256)
• Supabase JWT authentication on all protected endpoints
• Webflow ID token verification for site-scoped access

We may update this policy from time to time. We'll notify you of material changes via the email associated with your account. Continued use of PixelEngine after changes constitutes acceptance.