Tracking Policy

TL;DR: The heft.io analytics script doesn't use cookies and doesn't store anything that can be tied back to an individual. Data is scoped to one day, one site, one device — no cross-site or cross-day identity.

The design is built on privacy-by-design principles and aligned with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR); it also reflects principles consistent with the California Consumer Privacy Act (CCPA) where applicable.

What gets stored

Each page view or custom event records the signals below. Anything not on this list — full query strings, raw IP addresses, raw User-Agent strings — is discarded.

• 🔗

  Page URL

  Which pages were viewed and how often. Non-attribution query parameters are dropped.

  Stored as:

  • url
  • ref
  • utm_source
  • utm_medium
  • utm_campaign
  • utm_content
  • utm_term
• ↩️

  Referrer

  Identifies the traffic source. Sensitive query parameters are stripped.

  Stored as:

  • url (sanitised)
• 🖥️

  User-Agent

  Aggregate breakdowns by browser, OS, and device type.

  Stored as:

  • browser
  • os
  • device

  The raw User-Agent string is never stored.

• 🌐

  Language

  Aggregate breakdowns by language, derived server-side from the Accept-Language request header.

  Stored as:

  • language code
• 📍

  Geography

  Derived server-side from IP via a GeoIP database for aggregate geography reports.

  Stored as:

  • country
  • state
  • city

  The IP itself is never stored.

How unique visitors are derived

Nothing is written to the visitor's device — no cookies, no local storage, no persistent identifiers. Each request sends the client's IP and User-Agent to the analytics server. A daily session fingerprint is computed as SHA-256 of: a server-side salt, the UTC date, the site id, SHA-256(IP), and SHA-256(User-Agent).

The fingerprint is one-way and can't be reversed. A visitor on five different days counts as five uniques — sessions are unlinkable across calendar days. "New vs returning" and long-term retention metrics aren't supported by design.

The raw IP and User-Agent are never stored.

Custom events

Embedding sites can send custom event payloads through the Tracking API. Those fields are stored as sent. Don't send personal data you're not allowed to process.

Opt-out

Visitors who'd prefer not to be counted can opt out via localStorage, as documented in the Tracking API. Nothing is written unless opt-out is explicitly requested.

Where data lives

All data is encrypted at rest and processed in the EU. See Subcontractors for the full list of providers and locations.

Compliance

Whether you need a cookie banner, consent notice, or anything else depends on how you embed the script, what you send in custom events, and the law that applies to you. Standard pageview tracking is designed to need none of that — for your specific situation, consult an advisor.

Last updated: May 2026