What We Collect

Overview

Supalytics is designed to give you useful insights about your website traffic while respecting visitor privacy. We collect only what's necessary and nothing more.

Our principle: If we don't need it, we don't collect it.

Data We Collect

From Your Website Visitors

How We Get This Data

• Page URL, Referrer, Language, Screen Size: From the browser's JavaScript APIs
• Country, Region, City: From Cloudflare headers (not IP-based lookup)
• Browser, OS, Device: Parsed from the User-Agent header
• Timestamp: Server time when request is received
• UTM Parameters: From the page URL query string

Session & Visitor Identification

We use a privacy-preserving hash to identify unique visitors:

visitor_id = hash(daily_salt + domain + IP + user_agent)

Key properties:

• The hash changes every 24 hours (daily salt rotation)
• The IP address is never stored - only used for hashing
• The hash cannot be reversed to get the original IP
• We cannot track visitors across days or across different websites

Session tracking:

• Sessions are tracked server-side (no client storage)
• A session expires after 30 minutes of inactivity
• Sessions cannot persist across browser restarts

Data We Do NOT Collect

No Cookies

We do NOT set any cookies. Zero. None.

Our tracking script does not:

• Create cookies
• Read cookies
• Use document.cookie in any way

No Browser Storage

We do NOT use:

• localStorage
• sessionStorage
• IndexedDB
• Web SQL
• Any other client-side storage mechanism

No IP Addresses

We do NOT store IP addresses.

• IPs are used momentarily to generate a hash
• The hash is stored, not the IP
• Even we cannot retrieve the original IP from the hash

No Fingerprinting

We do NOT use fingerprinting techniques like:

• Canvas fingerprinting
• WebGL fingerprinting
• Audio fingerprinting
• Font enumeration
• Plugin enumeration
• Hardware fingerprinting

No Personal Data

We do NOT collect:

• Names
• Email addresses
• Phone numbers
• Physical addresses
• Social media profiles
• Any personally identifiable information

No Cross-Site Tracking

We cannot track users across different websites because:

• The visitor hash includes the domain
• Different domains = different hashes
• There's no shared identifier between sites

What This Means for Privacy

For GDPR Compliance

Because we don't collect personal data:

• No cookie consent banner needed for Supalytics
• No data subject access requests for visitor data (there's nothing to access)
• No "right to be forgotten" applies (we don't know who visited)

For Your Visitors

Your visitors get:

• No tracking across websites
• No tracking across days (hash changes daily)
• No personal information collected
• No way to identify them as individuals

For You

You still get useful analytics:

• Unique visitor counts (accurate per day)
• Traffic sources and referrers
• Geographic breakdown
• Device and browser stats
• Page performance metrics

Technical Details

Our Tracking Script

The script we provide is:

• Under 1.5KB (gzipped over network)
• No external dependencies
• Async loading (doesn't block page render)
• Open for inspection (minified but not obfuscated)

Data Flow

1. Visitor loads your page
2. Our script collects: URL, referrer, screen size, language, UTM params
3. Data is sent to our EU servers
4. Server extracts: User-Agent, Cloudflare geo headers
5. Server generates: visitor_id hash (IP used and discarded)
6. Anonymized data stored in Tinybird (Frankfurt, Germany)
7. You see aggregate stats in your dashboard

Data Retention

• Analytics data: Retained while your account is active
• After account deletion: Data deleted within 30 days
• No data sold or shared with third parties

Questions?

If you have questions about what we collect, contact us at support@supalytics.co.

We're happy to explain our data practices in detail.