What We Collect

Last updated: January 15, 2026

Overview

Supalytics is designed to give you useful insights about your website traffic while respecting visitor privacy. We collect only what's necessary and nothing more.

Our principle: If we don't need it, we don't collect it.

Tracking Modes

Supalytics offers two tracking modes that you can configure per website:

Privacy Mode (Default)

Our default cookie-less tracking that works without any consent:

  • Visitor IDs rotate every 24 hours
  • No cookies or browser storage used
  • GDPR compliant without a consent banner

Cookie Mode

For more accurate returning visitor tracking:

  • Persistent visitor ID stored in first-party cookie
  • Cookie name: supalytics_vid
  • Cookie expiry: 1 year
  • Non-EU visitors: Cookies set automatically (no consent required)
  • EU visitors: Requires explicit consent via your cookie banner

When cookie mode is enabled but consent is not given (EU visitors), we automatically fall back to privacy mode.

Data We Collect

From Your Website Visitors

Data Point         Example               Purpose
Page URL           /blog/my-post         Which pages are visited
Referrer           google.com            Where visitors come from
Country            United States         Geographic breakdown
Region             California            Regional insights
City               San Francisco         City-level insights
Browser            Chrome                Browser breakdown
Operating System   macOS                 OS breakdown
Device Type        Desktop               Device breakdown
Screen Size        1920x1080             Responsive design insights
Language           en-US                 Language preferences
Timestamp          2025-12-17 10:30:00   When visits occur
UTM Parameters     utm_source=twitter    Campaign tracking

How We Get This Data

  • Page URL, Referrer, Language, Screen Size: From the browser's JavaScript APIs
  • Country, Region, City: From Cloudflare headers (not IP-based lookup)
  • Browser, OS, Device: Parsed from the User-Agent header
  • Timestamp: Server time when request is received
  • UTM Parameters: From the page URL query string

Session & Visitor Identification

We use a privacy-preserving hash to identify unique visitors:

visitor_id = hash(daily_salt + domain + IP + user_agent)

Key properties:

  • The hash changes every 24 hours (daily salt rotation)
  • The IP address is never stored - only used for hashing
  • The hash cannot be reversed to get the original IP
  • We cannot track visitors across days or across different websites
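
An added sketch of the scheme above, not Supalytics' own code: the page only says hash(...), so HMAC-SHA256, the length-prefixed field encoding, the 32-byte salt and the names DailySaltStore and visitor_id are assumptions. It shows the same visitor matching within one day and domain but not across domains or days. The irreversibility property holds only while the salt stays secret and is discarded at rotation.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Holds one random salt per day; the previous salt is dropped on rotation."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: overwrite the old salt so earlier IDs cannot be
            # recomputed, even by the operator (assumed design).
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def _field(value: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def visitor_id(salt: bytes, domain: str, ip: str, user_agent: str) -> str:
    # The IP is only an input to the keyed hash; it is never returned or stored.
    msg = _field(domain.lower()) + _field(ip) + _field(user_agent)
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]


def demo() -> dict:
    store = DailySaltStore()
    # Constructed sample inputs (documentation IP range, made-up User-Agent).
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample UA)"
    d1, d2 = date(2025, 12, 17), date(2025, 12, 18)
    a = visitor_id(store.salt_for(d1), "example.com", ip, ua)
    b = visitor_id(store.salt_for(d1), "example.com", ip, ua)
    c = visitor_id(store.salt_for(d1), "example.org", ip, ua)
    d = visitor_id(store.salt_for(d2), "example.com", ip, ua)
    return {"same_day": a == b, "cross_site": a == c, "cross_day": a == d, "id": a}


if __name__ == "__main__":
    print(demo())
```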

Session tracking:

  • Sessions are tracked server-side (no client storage)
  • A session expires after 30 minutes of inactivity
  • Sessions cannot persist across browser restarts

Data We Do NOT Collect (Privacy Mode)

Cookies (Privacy Mode Only)

In Privacy Mode (the default), we do NOT set any cookies.

In Cookie Mode, we set a single first-party cookie:

  • Name: supalytics_vid
  • Purpose: Persistent visitor identification
  • Duration: 1 year
  • This cookie contains only a random visitor ID - no personal data

Browser Storage

We use localStorage only to store:

  • User consent status (if cookie mode is enabled)
  • User opt-out preference (if they choose to block tracking)

We do NOT use:

  • sessionStorage
  • IndexedDB
  • Web SQL

No IP Addresses

We do NOT store IP addresses.

  • IPs are used momentarily to generate a hash
  • The hash is stored, not the IP
  • Even we cannot retrieve the original IP from the hash

No Fingerprinting

We do NOT use fingerprinting techniques like:

  • Canvas fingerprinting
  • WebGL fingerprinting
  • Audio fingerprinting
  • Font enumeration
  • Plugin enumeration
  • Hardware fingerprinting

No Personal Data

We do NOT collect:

  • Names
  • Email addresses
  • Phone numbers
  • Physical addresses
  • Social media profiles
  • Any personally identifiable information

No Cross-Site Tracking

We cannot track users across different websites because:

  • The visitor hash includes the domain
  • Different domains = different hashes
  • There's no shared identifier between sites

What This Means for Privacy

For GDPR Compliance

Privacy Mode (default):

  • No cookie consent banner needed for Supalytics
  • No data subject access requests for visitor data (there's nothing to access)
  • No "right to be forgotten" applies (we don't know who visited)

Cookie Mode:

  • Consent required for EU visitors - integrate with your cookie banner
  • Non-EU visitors do not require consent under GDPR
  • EU visitors without consent automatically use privacy mode

For Your Visitors

Your visitors get:

  • No tracking across websites
  • No tracking across days (hash changes daily)
  • No personal information collected
  • No way to identify them as individuals

For You

You still get useful analytics:

  • Unique visitor counts (accurate per day)
  • Traffic sources and referrers
  • Geographic breakdown
  • Device and browser stats
  • Page performance metrics

Technical Details

Our Tracking Script

The script we provide is:

  • Under 1.5KB (gzipped over network)
  • No external dependencies
  • Async loading (doesn't block page render)
  • Open for inspection (minified but not obfuscated)

Data Flow

1. Visitor loads your page
2. Our script collects: URL, referrer, screen size, language, UTM params
3. Data is sent to our EU servers
4. Server extracts: User-Agent, Cloudflare geo headers
5. Server generates: visitor_id hash (IP used and discarded)
6. Anonymized data stored in ClickHouse (Amsterdam, Netherlands)
7. You see aggregate stats in your dashboard

Data Retention

  • Analytics data: Retained while your account is active
  • After account deletion: Data deleted within 30 days
  • No data sold or shared with third parties

Questions?

If you have questions about what we collect, contact us at support@supalytics.co.

We're happy to explain our data practices in detail.