Open AnalyticsOpen Analytics

Legal

Privacy Policy

Open Analytics involves two different relationships with data. Depending on how you use the service, different sections below apply to you.

Last updated: May 25, 2026

Two roles at a glance

Who you areWhat happensWho stores analytics events
Role A — Platform user
You sign in and create / manage website projects		We run the dashboard and site registry. Your visitors' tracking data goes to your Supabase project.You(your Supabase). We do not store your sites' event data on Platform servers.
Role B — Visitor to our website
You browse our website (landing, docs, legal pages, etc.)		We may use our own tracker.js to measure traffic on our pages for product and security purposes.We (in Supabase we operate for the Platform site), as described in Role B below.

Role A — You use Open Analytics to manage your websites

This section applies if you have an account and add sites in the dashboard. You are a customer of the management platform.

What we store (management only)

We process and store only what is needed to operate the Platform for you:

  • Account: Supabase user id, session, and OAuth profile fields (name, email, avatar; GitHub public metadata if you use GitHub sign-in)
  • Site registry: site name, domain, site key, and Supabase connection details you provide (project URL, anon key, project id) so we can list sites and open your dashboard
  • Operational logs:IP, timestamp, and user agent in hosting/CDN logs for security and reliability (not used as your website's analytics product)

Your tracking data — in your Supabase, not ours

When you embed tracker.js on your properties, events are sent directly from your visitors' browsers to the Supabase project you configure (or another endpoint you choose). Open Analytics does not receive, copy, or retain those events on our application servers.

The dashboard reads from your project to show metrics; that is display access only. We do not treat your events table as data we own.

Typical fields your tracker may write (in your database) include:

  • Page URL, path, query, hostname, title, referrer
  • Pseudonymous visitor_id and visit_id (fingerprint + localStorage)
  • Device, browser, OS, screen, language
  • UTM and ad click parameters
  • Optional geo and distinct_id from identify()

Your responsibilities: privacy notice on your sites, lawful basis, retention, and visitor rights for that data. This policy does not replace yours.

Optional: our /api/geo for your tracker

If you set data-geo-url to our /api/geo, we may forward your visitor's IP to third-party geo providers and return approximate location. We do not add that to our Role B analytics dataset; it is a pass-through for your tracker. You may host your own geo endpoint instead.

Role B — You visit the Open Analytics website

This section applies when you browse ourmarketing site, documentation, legal pages, or other pages we operate (collectively, the "Platform website"), without necessarily having a dashboard account.

We are the data controller for analytics on these pages. We may run the same open-source tracker on our own site to understand usage, improve the product, and detect abuse.

What we collect on the Platform website

Depending on configuration, we may record:

  • Pages viewed, time on page, and navigation paths
  • Referrer and UTM parameters
  • A pseudonymous visitor identifier (browser signals + localStorage on our domain)
  • Browser, device, operating system, screen size, and language
  • Approximate country or coordinates if geo is enabled
  • Hostname and page URL on our domain

We do not intentionally collect passwords or payment data through the tracker. Do not submit sensitive personal data in forms on public pages.

Where we store it and why

Platform-website analytics are stored in ourSupabase project (separate from the registry database and separate from each customer's tracker projects). We use this data to:

  • Measure traffic and feature interest on our site
  • Improve content, UX, and documentation
  • Maintain security and investigate abuse

We do not sell this analytics data.

Cookies and local storage (Platform website)

  • Authentication: session cookies if you sign in to the dashboard
  • Analytics: localStorage on our domain (for example visitor id, cached geo) when the tracker is active

Where required by law, we rely on consent or legitimate interest for non-essential analytics. You may use browser controls or Do Not Track if we enable data-do-not-track on our snippet.

Your rights (Platform website visitor)

Depending on your location, you may request access, correction, deletion, or restriction of personal data we hold about your visit. Contact us using the details below. We will respond within applicable legal timeframes.

Shared topics

How we use Role A management data

  • Authenticate you and operate the dashboard
  • Store site registry entries and verify Supabase credentials
  • Provide documentation and support
  • Secure and improve the Platform
  • Enforce our Terms of Service

Retention

  • Role A — registry & account: while your account and sites exist, then as needed for legal or operational purposes
  • Role A — your sites' events: you control retention in your Supabase projects
  • Role B — Platform website analytics: kept for as long as needed for the purposes above, then deleted or aggregated according to our internal schedule

Sharing

We may share information with:

  • Infrastructure providers (Supabase, OAuth providers, hosting, geo providers when used)
  • Authorities when required by law
  • Successors in a merger or acquisition, with notice where required

We do not sell Role A registry data. We do not sell Role B analytics data. We do not receive Role A customers' event streams on our servers.

Legal bases (EEA/UK)

  • Role A (management): contract and legitimate interests to provide the service
  • Role B (our website analytics): legitimate interests (product improvement, security) and consent where required
  • Your websites (Role A customers): you determine the lawful basis for your visitors

International transfers

Data may be processed in regions where our or your Supabase projects and hosting providers operate. Use appropriate safeguards required in your jurisdiction.

Children

The Platform is not directed at children under 16. We do not knowingly collect personal information from children.

Changes

We may update this policy. The revised version will be posted here with an updated date.

Contact

Role A (account / registry): contact the operator of the instance you use or open an issue in the repository.

Role B (visits to our website): same contact — specify that your request relates to Platform website analytics.

Terms of Service · Security documentation