Privacy Policy
Last updated: December 21, 2025
Introduction
Supalytics ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our web analytics service.
Our core principle: We collect only what's necessary to provide useful analytics, and we never collect personal data from your website visitors.
For Website Owners (Our Customers)
Account Data We Collect
When you create an account, we collect:
- Email address
- Name (from Google sign-in)
- Payment information (processed by Stripe; we don't store card details)
How We Use Your Account Data
- To provide and maintain your analytics dashboard
- To authenticate you and manage your account
- To send important service updates
- To respond to your support requests
- To process payments for paid plans
For Website Visitors (Your Users)
What We Collect
When someone visits a website using Supalytics, we collect:
| Data Point | Purpose |
|---|---|
| Page URL | To show which pages are visited |
| Referrer URL | To show where visitors come from |
| Country, region, city | Geographic breakdown (from Cloudflare headers) |
| Device type | Desktop, tablet, or mobile breakdown |
| Browser & OS | Technical breakdown |
| Screen size | Responsive design insights |
| Timestamp | When the visit occurred |
| Session duration | Engagement metrics |
| Custom events | Event names and metadata defined by the website owner |
| Revenue data | Purchase amounts attributed to visitors (if configured by website owner) |
What We Do NOT Collect
- No cookies - We don't set any cookies
- No localStorage tracking - We don't store identifiers in the browser
- No IP addresses - IPs are used only for hashing, never stored
- No fingerprinting - We don't combine data points to identify users
- No cross-site tracking - We can't track users across different websites
- No personal data - No names, emails, or identifying information from visitors
How Visitor Identification Works
We use a privacy-preserving method to count unique visitors:
- When a visitor loads a page, we generate a hash from: IP + User Agent + Domain + Daily Salt
- This hash changes every 24 hours (daily rotation)
- The original IP is never stored - only the hash
- The hash cannot be reversed to identify the visitor
- We cannot track the same visitor across different days
This approach is GDPR-compliant and does not require cookie consent banners.
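Illustration added here, not Supalytics' own code: a Python sketch of the daily-salted visitor hash described above, showing that the same visitor yields one hash within a day and an unrelated hash on another day or another domain. HMAC-SHA256, the field encoding, the in-memory salt handling and the names DailySaltStore, visitor_hash and count_unique_visitors are assumptions; the policy does not specify them.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Keeps only the current day's random salt; the previous one is overwritten."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:  # new day: the old salt is gone for good
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_hash(ip: str, user_agent: str, domain: str, salt: bytes) -> str:
    """Keyed hash over IP + User Agent + Domain (HMAC-SHA256 is an assumption)."""
    # Length-prefix each field so adjacent fields cannot run together ambiguously.
    msg = b"".join(
        len(f).to_bytes(4, "big") + f
        for f in (ip.encode(), user_agent.encode(), domain.encode())
    )
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def count_unique_visitors(events, store: DailySaltStore, day: date) -> int:
    """Count distinct hashes for one day; the raw IP is never kept in the set."""
    salt = store.salt_for(day)
    return len({visitor_hash(ip, ua, domain, salt) for ip, ua, domain in events})


# Constructed sample events (documentation-range IPs, made-up user agents).
SAMPLE_EVENTS = [
    ("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)", "example.com"),
    ("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)", "example.com"),  # same visitor
    ("198.51.100.20", "Mozilla/5.0 (Macintosh)", "example.com"),
]

if __name__ == "__main__":
    store = DailySaltStore()
    print(count_unique_visitors(SAMPLE_EVENTS, store, date(2025, 12, 21)))
```

In this sketch, the inability to link a visitor across days rests on the previous day's salt being overwritten rather than archived.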
Custom Events & Revenue
Website owners may configure custom event tracking and revenue attribution on their sites. This data is defined and controlled by the website owner, not Supalytics. We simply store and display this data in the dashboard. Custom events may include:
- Event names (e.g., "signup", "purchase")
- Metadata properties (e.g., plan type, price)
- Revenue amounts (for e-commerce tracking)
Revenue tracking details: When revenue attribution is enabled, we sync the following from Stripe:
- Transaction amount and currency
- Encrypted transaction identifier (for deduplication)
- Timestamp
We deliberately do not collect or store:
- Customer name or email
- Billing or shipping address
- Payment method details (card number, last 4, expiry)
- Any other customer information
The raw Stripe charge ID is never stored—this protects against data breaches. However, website owners may still correlate revenue with customers using transaction amounts and timestamps. This is inherent to any revenue attribution system.
Data Storage & Security
All data is stored on servers located in the European Union:
| Service | Location | Purpose |
|---|---|---|
| Vercel | Frankfurt, Germany | Frontend hosting |
| Railway | Amsterdam, Netherlands | Backend, database & analytics |
We use industry-standard security measures:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest
- Regular security updates
- Access controls and monitoring
Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right to Access - Request a copy of your personal data
- Right to Rectification - Request correction of inaccurate data
- Right to Erasure - Request deletion of your data
- Right to Data Portability - Request your data in a portable format
- Right to Object - Object to processing of your data
- Right to Restrict Processing - Request limitation of processing
To exercise these rights, you can:
- Delete your account from Settings
- Export your data from the dashboard
- Contact us at support@supalytics.co
Data Retention
- Account data: Retained until you delete your account
- Analytics data: Retained for as long as your account is active
- After deletion: All data is permanently deleted within 30 days
Third-Party Services
We use the following services to operate Supalytics:
| Service | Purpose | Data Shared |
|---|---|---|
| Vercel | Hosting | None (static files only) |
| Railway | Backend & Analytics | Account data, anonymized analytics |
| Stripe | Payments | Payment info (PCI compliant) |
| Google OAuth | Authentication | Email (if you choose Google sign-in) |
| Cloudflare | CDN & geolocation | Request headers (not stored) |
California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know - Request what personal information we've collected about you in the past 12 months
- Right to Delete - Request deletion of your personal information
- Right to Non-Discrimination - We won't treat you differently for exercising your privacy rights
Categories of personal information collected (last 12 months):
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Email, name | Yes (account holders only) |
| Commercial info | Purchase history | Yes (payment records) |
| Internet activity | Pages visited, referrers | Yes (anonymized, for your website visitors) |
| Geolocation | Country, region, city | Yes (from Cloudflare headers, not precise location) |
We do not sell personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
To exercise your California privacy rights, contact us at support@supalytics.co or delete your account from Settings.
Children's Privacy
Supalytics is not intended for use by children under 16. We do not knowingly collect data from children.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email for material changes
Contact Us
If you have any questions about this Privacy Policy:
- Email: support@supalytics.co
- Website: https://supalytics.co