01Two kinds of people, two kinds of data
We process data about two distinct groups:
- Customers — people and teams who create an Open Analytics account to track their own websites.
- Website visitors — people who load a page on a site that has the Open Analytics tracker installed.
If you only browse our marketing site, documentation, or legal pages, see section 08. The table below is a quick reference:
| Who you are | Our role | Where data is stored |
|---|---|---|
| Customer You sign in and manage website projects | We operate the dashboard and process analytics on your behalf as a data processor. | Account data and analytics events in our secure infrastructure (see sections 05–07). |
| Visitor to a tracked website | Your website owner is the data controller. We process analytics events only to provide the service to them. | Analytics events in our infrastructure, accessible to the customer through their dashboard. |
| Visitor to our website Landing, docs, legal pages, etc. | We are the data controller for analytics on our own pages. | Our infrastructure, as described in section 08. |
02What we collect from website visitors
When someone loads a page on a site that uses Open Analytics, our tracker may send us:
- Page URL, path, query string, page title, and hostname
- Referrer URL, if the browser sends one
- UTM campaign parameters and ad click identifiers (
gclid,fbclid,msclkid) when present - Pseudonymous identifiers:
visitor_id,session_id, andvisit_id - Device type, operating system, browser family, screen size, and language — parsed from the User-Agent and browser APIs
- Approximate location (country code, latitude, longitude) derived from IP address via third-party geo lookup services
- Optional
distinct_idwhen the site owner callsidentify()(for example after a signup) - Custom event names and properties when configured by the site owner
We do not intentionally collect names, email addresses, passwords, or payment details through the tracker. Site owners should avoid sending sensitive personal data in custom events.
03How visitor identification works
Open Analytics supports two tracking modes. You choose the mode when installing the script. The default is fingerprint mode (no cookies).
Fingerprint mode (default) — no cookies
Set data-use-cookies="false" or omit the attribute. In this mode:
- No cookies are seton the visitor's device.
visitor_idis a hash of browser signals (user agent, language, screen size, timezone, and similar non-personal attributes). It cannot be reversed to identify a specific person.session_idandvisit_idare stored insessionStorageand cleared when the browser tab closes.- Cached geo data may be stored in
sessionStoragebriefly to avoid repeated lookups.
Fingerprint mode is designed for privacy-friendly analytics. In many jurisdictions it does not require a cookie consent banner — but you (the site owner) are responsible for assessing compliance with GDPR, ePrivacy, and local laws.
Cookie mode — first-party cookies
Set data-use-cookies="true" to use first-party cookies, similar to traditional analytics tools. In this mode we set:
oa_vid— visitor identifier (up to 1 year)oa_sid/oa_sid_at— session identifier (30-minute inactivity timeout)oa_vst/oa_vst_at— visit identifier (30-minute inactivity timeout)oa_did— optional distinct ID fromidentify()
Cookie mode provides more stable cross-session visitor counts. You may need a cookie consent banner depending on your jurisdiction and how you use the data.
Do Not Track
Set data-do-not-track="true" on the script tag to respect browser Do Not Track settings. When enabled, the tracker does not send events.
04Your responsibilities as a customer
When you install Open Analytics on your website, you are the data controllerfor your visitors' analytics data. You must:
- Publish a privacy notice on your site that describes your use of analytics, including which tracking mode you use
- Obtain any required consents (especially if you enable cookie mode)
- Establish a lawful basis for processing under applicable law (GDPR, CCPA, and similar regulations)
- Respond to visitor rights requests (access, deletion, etc.) — we can assist you upon request
- Configure retention, exclusions, and tracking settings appropriate for your use case
This Privacy Policy does not replace your own privacy notice. See our documentation for setup guidance.
05What we collect from customers
When you create and use an Open Analytics account, we store:
- Account: email address, display name, and avatar (from Google, GitHub, or your sign-in provider). We do not store passwords.
- Authentication: user ID and session tokens managed by our authentication provider
- Projects & sites: site names, domains, site keys, tracking settings, and configuration you provide
- Team: email addresses of people you invite to collaborate
- Subscription: plan tier, trial dates, and billing status. Payment card details are handled by our payment processor — we do not store full card numbers.
- Operational logs: IP address, timestamp, and user agent in server and CDN logs for security, abuse prevention, and reliability
06How we use the data
- Display analytics about your websites in your dashboard
- Authenticate you and operate the platform
- Send transactional email — account notices, trial reminders, and service updates
- Enforce plan limits and detect abuse
- Improve Open Analytics using aggregated, non-identifying insights
- Maintain security and investigate incidents
- Enforce our Terms of Service
We do not sell your data, share it with advertisers, or use visitor analytics to train AI models.
07Who processes data on our behalf
We use trusted third-party providers to operate the service. They process data only on our instructions:
- Supabase — authentication and database hosting
- OAuth providers (Google, GitHub) — sign-in
- Hosting & CDN — application delivery and DDoS protection
- Geo IP providers — approximate location from IP address (used by the tracker)
- Email provider — transactional email delivery
- Payment processor — subscription billing (paid plans only)
08Analytics on our own website
When you browse our marketing site, documentation, or other pages we operate, we may use our own tracker to measure traffic, improve the product, and detect abuse. We are the data controller for this data.
We may record the same categories described in section 02, plus:
- Pages viewed and navigation paths
- Feature interest (for example which docs pages are read)
Authentication cookies: if you sign in to the dashboard, our authentication provider sets session cookies required for login.
Analytics storage: depending on our configuration, we use fingerprint mode (default) or cookie mode on our own site. We do not sell this data.
09Data retention
- Analytics events:kept according to your plan's retention period (for example 30 days on the free plan, 90 days on Startup, up to 365 days on paid plans), then deleted automatically
- Account data: kept while your account is active, then deleted within a reasonable period after closure unless we must retain it for legal obligations
- Backups: rolling backup windows, then permanently deleted
- Free trial: if you do not subscribe after a trial, analytics and account data may be deleted shortly after the trial ends
10Sharing of data
We may share information only when necessary:
- With infrastructure and service providers listed in section 07, under data processing agreements where applicable
- With authorities when required by law or valid legal process
- With successors in a merger or acquisition, with notice where required by law
We do not sell, rent, or trade personal data or analytics data to third parties for their marketing purposes.
11Cookies summary
| Cookie / storage | Purpose | When used |
|---|---|---|
oa_vid, oa_sid, oa_vst, oa_did | Visitor, session, visit, and distinct IDs | Cookie mode only (data-use-cookies="true") |
sessionStorage (session / visit IDs, geo cache) | Session tracking without persistent cookies | Fingerprint mode (default) |
| Auth session cookies | Dashboard login | When you sign in to Open Analytics |
You can disable analytics cookies by using fingerprint mode, or clear cookies through your browser settings. Disabling cookies in cookie mode may affect visitor counting accuracy.
12Your rights
Depending on your location (including the EEA, UK, and California), you may have rights to access, correct, delete, restrict, or port your personal data, and to object to or withdraw consent for certain processing.
Customers: you can manage your account from the dashboard or contact us to exercise your rights.
Visitors to a tracked website: contact the website owner — they are the data controller. We cannot identify individual visitors on our own in most cases, so the site owner should submit requests on your behalf if needed.
Visitors to our website: contact us using the details in section 16 and specify that your request relates to our website analytics.
We will respond within applicable legal timeframes.
13Legal bases (EEA / UK)
- Customer account data: performance of our contract with you and legitimate interests in operating the service
- Analytics for customers: we process visitor data on your instructions as a processor; you determine the lawful basis
- Our website analytics: legitimate interests (product improvement, security) and consent where required by law
- Security logs: legitimate interests in protecting the service
14International transfers
Data may be processed in countries where our infrastructure providers operate. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
15Security
We take reasonable technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. No method of transmission over the internet is 100% secure.
16Children
Open Analytics is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us.
17Changes to this policy
We may update this policy from time to time. We will post the revised version on this page with an updated effective date. For material changes, we will notify active customers by email where appropriate.
18Contact
Questions about this privacy policy?
- Open an issue on our GitHub repository
- Or reach out through your account settings in the dashboard