Data Policy
heft.io analytics runs without using cookies and without storing personally identifiable information (PII). Nothing that is stored can be tied back to an individual.
The design follows privacy-by-design principles and is aligned by design with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR); it also reflects principles consistent with the California Consumer Privacy Act (CCPA) where applicable.
Data is scoped to one day, one site, and one device; there is no cross-site or cross-day identity.
Event data stored
Each page view and custom event produces a data object. The following signals are stored. Anything not listed here (e.g. full query strings, raw User-Agent, IP address) is discarded.
| Signal | Stored as | Purpose |
|---|---|---|
| Location | url plus query parameters ref, utm_source, utm_medium, utm_campaign, utm_content, and utm_term. | Which pages were viewed and how often; non-attribution query params are dropped. |
| Referrer | Sanitised url. | Identifies the traffic source; sensitive query parameters are stripped. |
| User-Agent | browser (e.g. Safari 17.2), os (e.g. Windows 11), device (desktop, mobile, or tablet) | Aggregate breakdowns by browser, OS, and device type. The raw User-Agent string is never persisted. |
| Language | Normalised language code (e.g. en-GB) | Aggregate breakdowns by language from the request’s Accept-Language header; not sent from the script. |
| Location | country (ISO 3166-1 alpha-2), state, city | Derived server-side from IP via a GeoIP database for aggregate geography reports. The IP itself is never stored. |
How unique visitors are derived
No cookies, local storage, or persistent device identifiers are used. Nothing is read or written on the visitor’s device. Each request sends the client’s IP and User-Agent to the analytics server. A daily session fingerprint is computed as SHA-256 of: a server-side salt, the UTC date, the site id, SHA-256(IP), and SHA-256(User-Agent).
The fingerprint cannot be reversed to recover the IP or User-Agent. Sessions are unlinkable across calendar days: the same visitor on five different days counts as five uniques. “New vs returning” and long-term retention metrics are not supported.
The raw IP and User-Agent are never stored.
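A sketch of the derivation described above, as an added example and not heft.io's own code. The field encoding (length-prefixed concatenation), the function names, and the sample salt, site ids and requests are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def daily_fingerprint(salt: bytes, day_utc: str, site_id: str, ip: str, user_agent: str) -> str:
    """SHA-256 over salt, UTC date, site id, SHA-256(IP), SHA-256(User-Agent)."""
    fields = [salt, day_utc.encode(), site_id.encode(),
              _sha256(ip.encode()), _sha256(user_agent.encode())]
    outer = hashlib.sha256()
    for field in fields:
        # Assumption: length-prefix each field so field boundaries are
        # unambiguous; the page does not specify the encoding.
        outer.update(len(field).to_bytes(4, "big"))
        outer.update(field)
    return outer.hexdigest()

def count_uniques(requests, salt: bytes) -> dict:
    """Return {(utc_day, site_id): unique visitors}; only fingerprints are kept."""
    seen = {}
    for ts, site_id, ip, user_agent in requests:
        # The UTC calendar date decides the bucket, whatever zone the timestamp carries.
        day = ts.astimezone(timezone.utc).strftime("%Y-%m-%d")
        seen.setdefault((day, site_id), set()).add(
            daily_fingerprint(salt, day, site_id, ip, user_agent))
    return {key: len(fps) for key, fps in seen.items()}

# Constructed sample data: documentation IP ranges, made-up salt and site ids.
SALT = b"constructed-example-salt"
UA = "Mozilla/5.0 (constructed example)"
UTC = timezone.utc
PLUS2 = timezone(timedelta(hours=2))
SAMPLE = [
    (datetime(2024, 5, 1, 9, 0, tzinfo=UTC), "site-a", "203.0.113.7", UA),
    (datetime(2024, 5, 2, 1, 30, tzinfo=PLUS2), "site-a", "203.0.113.7", UA),  # still 1 May in UTC
    (datetime(2024, 5, 2, 0, 10, tzinfo=UTC), "site-a", "203.0.113.7", UA),    # next UTC day
    (datetime(2024, 5, 1, 10, 0, tzinfo=UTC), "site-b", "203.0.113.7", UA),    # other site
    (datetime(2024, 5, 1, 11, 0, tzinfo=UTC), "site-a", "198.51.100.9", UA),   # other IP
]

if __name__ == "__main__":
    for (day, site), n in sorted(count_uniques(SAMPLE, SALT).items()):
        print(day, site, n)
```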
Site Data
Analytics data for a site belongs to the account that owns the site. It is not sold or used for advertising or profiling beyond providing the service. Account or site data can be deleted at any time; deletion is permanent and no copies are retained.
All data is stored encrypted at rest; the application and analytics databases run in the European Union (Scaleway, France) and are frequently backed up.
CDN and delivery
The analytics web application, the public website, the tracking service, and the Google Fonts proxy are served through Bunny CDN using an EU-focused configuration. See Subcontractors.
Infrastructure
Scaleway in France is used for DNS, transactional email, databases, and the container workloads for the application, authentication, and data API. Regions and providers are chosen for alignment with EU privacy expectations. See Subcontractors.
Regulations
Whether you need a cookie banner, consent, or other notices depends on how you embed the script, what you send in custom events, and applicable law. The intent is minimal processing and no unnecessary prompts for standard pageview tracking. For your situation, consult an advisor.