heft.io

Security practices

TL;DR: Data is encrypted in transit. Built-in pageview and session metrics do not persist raw IP addresses or full User-Agent strings. Bunny CDN delivers the analytics app, the public website, and the tracking service, with EU-only processing; application and analytics data live in the EU (Scaleway, France); transactional email goes through Scaleway (France).

Custom event properties are supplied by embedding sites — do not send personal data you are not allowed to process. Backups are taken and access is restricted. Data is not sold or monetised.

Data minimization

Privacy comes first for pageview and session handling: raw IP and full User-Agent strings are not written to storage. Optional tracker opt-out uses a first-party cookie as documented. The data minimization design is described in the Data policy.

How request data is handled

Each request sends the client's IP and User-Agent to the analytics server. A daily session fingerprint is computed as a one-way hash of a server-side salt, the UTC date, the site id, and hashes of IP and User-Agent. The raw IP and User-Agent are never stored in logs, databases, or on disk.
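The fingerprint described above can be sketched as follows. This is an added example, not heft.io's own code: the hash functions (SHA-256 inside, HMAC-SHA256 keyed with the salt outside), the length-prefixed field encoding, and the names and sample values are all assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def _sha256(value: str) -> bytes:
    """One-way hash of a raw request value; the raw value is never returned."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def _frame(*fields: bytes) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def session_fingerprint(salt: bytes, site_id: str, ip: str, user_agent: str,
                        now: datetime) -> str:
    """Daily fingerprint over salt, UTC date, site id, and hashes of IP and UA.

    Assumptions (not from the page): SHA-256 for the inner hashes and
    HMAC-SHA256 keyed with the server-side salt for the outer hash.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    utc_date = now.astimezone(timezone.utc).date().isoformat()
    message = _frame(utc_date.encode(), site_id.encode(),
                     _sha256(ip), _sha256(user_agent))
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


# Constructed sample values (documentation address range, made-up site ids).
SALT = b"constructed-example-salt-not-a-real-secret"
UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
MORNING = datetime(2026, 4, 1, 8, 0, tzinfo=timezone.utc)
EVENING = datetime(2026, 4, 1, 23, 59, tzinfo=timezone.utc)
NEXT_DAY = datetime(2026, 4, 2, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    a = session_fingerprint(SALT, "site-1", "203.0.113.7", UA, MORNING)
    b = session_fingerprint(SALT, "site-1", "203.0.113.7", UA, EVENING)
    c = session_fingerprint(SALT, "site-1", "203.0.113.7", UA, NEXT_DAY)
    d = session_fingerprint(SALT, "site-2", "203.0.113.7", UA, MORNING)
    print("same day, same site match:", a == b)  # one session for the day
    print("next UTC day matches     :", a == c)  # fingerprint rotates
    print("other site matches       :", a == d)  # no cross-site linkage
```

Because IPv4 addresses are few enough to enumerate, the unlinkability of this construction rests on the salt staying server-side, not on the inner hashes alone.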

Encryption

Data is encrypted in transit using HTTPS with TLS 1.3 or 1.2 as fallback. Hashing of request data is irreversible; there is no key to "decrypt" it. Encryption and access controls are used for data at rest where applicable.

Where data lives

Bunny CDN wraps the analytics application, the public website, the tracking infrastructure, and the Google Fonts proxy. Application and analytics data live in the EU on Scaleway (France); the service for authentication and the data API run in that same regional stack. Transactional email goes through Scaleway (France). DNS for heft.io is managed on Scaleway (France).

Data access and backups

Access to systems and data is limited to people who need it to operate and support the service.

Backups are taken regularly and measures are in place to restore availability after an incident. Software development and infrastructure are not outsourced in a way that gives third parties access to account holders' data beyond the subprocessors used.

Subprocessors

A small set of subprocessors is used. The current list is at Subcontractors. They are chosen for security and data protection and are not given access beyond what is needed to provide the service.

Reporting security issues

If a security vulnerability in the service or code is found, it should be reported via the contact options on the site. It will be reviewed and a fix will be worked on. A reasonable time to address it is appreciated before the issue is shared publicly.

Contact

Security questions or concerns? Use the contact options on the site.

Last updated: April 2026


Privacy-first Analytics hosted in the EU.

A project by sbstjn.com.

© 2026 heft.io — All rights reserved.
