heft.io

Security practices

TL;DR: Data is encrypted in transit. Pageview and session metrics don't persist raw IP addresses or full User-Agent strings. Processing happens in the EU – see Subcontractors for the full list. Data is not sold or monetised.

Custom event properties come from embedding sites – don't send personal data you're not allowed to process. Backups are taken and access is restricted.

Data minimisation

For pageview and session data, raw IP addresses and full User-Agent strings are never written to storage. The optional opt-out uses localStorage as documented; nothing is written during normal tracking. The full minimisation design is in the Tracking Policy.

How request data is handled

Session fingerprinting is one-way and unlinkable across calendar days. See "How unique visitors are derived" in the Tracking Policy for the full details.

Encryption

Data is encrypted in transit using HTTPS with TLS 1.3. Request data is hashed irreversibly – there's no key to undo it. Encryption and access controls are applied to data at rest where applicable.

Where data lives

See Subcontractors for the full list of providers and data locations.

Access and backups

Only people who need it to run or support the service have access to systems and data. Backups run regularly and recovery measures are in place for incidents. No third party gets access to account holder data outside the listed subprocessors.

Subprocessors

A small set of subprocessors runs the service – the list is at Subcontractors. None of them get more access than the service requires.

Reporting security issues

Found a vulnerability? Report it via the contact options on the site. It'll be reviewed and fixed. Please allow reasonable time to address it before sharing it publicly.

Contact

Security questions or concerns? Use the contact options on the site.

Last updated: May 2026

heft.io

Privacy-first Analytics hosted in the EU.

A project by sbstjn.com.

© 2026 heft.io — All rights reserved.

Made in the EU with ♥