Privacy Policy

Last updated: April 17, 2026

Visitrack is built privacy-first. This page explains what we collect, why, and what we never do. Plain English, no dark patterns.

1. What we collect about your website visitors

When you install the Visitrack tracker on your site, we record anonymous, aggregate events only:

• URL path, referrer, and page title
• Country, region, and city (derived from IP, which is discarded immediately)
• Device type, browser, and operating system (parsed from the user-agent header)
• A rotating daily hash used to count unique visitors, derived from IP + user-agent + your site ID + a salt that rotates every 24 hours — the raw IP is never stored
• Custom events and revenue you explicitly send via our SDK (visitrack.track() / visitrack.revenue())

We do not use cookies, browser fingerprinting, or any cross-site tracking. We do not sell data. We do not run ads against it. We do not build shadow profiles.

2. What we collect about you (the customer)

When you sign up for a Visitrack account we store:

• Your email address (for authentication and transactional email)
• A salted password hash (handled by Supabase Auth — we never see your password)
• Your purchase record from Lemon Squeezy (order ID, customer ID, plan)

3. Sub-processors

• Supabase — database, authentication, file storage (EU/US regions)
• Vercel — hosting, edge network, serverless functions
• Lemon Squeezy — payment processing, tax handling, invoicing

4. Legal bases (GDPR)

We process website-visitor data on the basis of our customers' legitimate interest in understanding aggregate traffic to their own sites. Because we do not use cookies or identifiers that can re-identify an individual, Visitrack does not require a cookie banner under GDPR, CCPA, or PECR in the vast majority of jurisdictions.

5. Data retention

Aggregate analytics are retained for as long as your account is active. Delete an account and all associated sites/events are purged within 30 days. You can export all your data to CSV at any time from the dashboard.

6. Your rights

You can access, correct, export, or delete your personal data at any time by emailing privacy@visitrack.app. We respond within 30 days.

7. Security

All traffic is served over TLS 1.2+. Data at rest is encrypted by Supabase. Access to production systems is limited to the founder and protected by hardware 2FA.

8. Changes to this policy

If we make material changes we will email all active customers at least 14 days before they take effect.

9. Contact

Questions? privacy@visitrack.app