Privacy Policy

Last updated: February 2026

      Summary: Fairlytics is a privacy-first analytics platform. We do not use cookies, do not track individuals across sites, and do not collect or store any personally identifiable information (PII) from website visitors. No consent banner is required for websites using Fairlytics.
    

This Privacy Policy explains how Fairlytics collects, uses, stores, and protects data. It applies to (a) visitors of websites that use the Fairlytics tracking script, and (b) Fairlytics account holders (website owners who use our service).

1. Data Controller

The data controller for the Fairlytics service is:

Fairlytics
Operated by Guillem
Email: privacy@fairlytics.dev

If you are a website owner using Fairlytics to collect analytics on your website, you are the data controller for your website visitors' data, and Fairlytics acts as a data processor on your behalf. See our Data Processing Agreement for details.

2. Data We Collect from Website Visitors

When a website uses Fairlytics, the following data is processed for each page view. We distinguish between what is transiently processed in server memory and what is actually stored in our database:

Raw Input	What We Store	What We Discard
IP address	Country code (e.g. "ES")	Full IP address — never written to database or logs
User-Agent string	Browser family, OS family, device type	Raw User-Agent — never stored
Page URL	Path only (e.g. "/about")	Query parameters and fragments — stripped
Referrer	Domain only (e.g. "google.com")	Full referrer URL and query parameters — truncated
Screen width	Device category (Mobile/Tablet/Desktop)	Exact screen dimensions

2.1 Session Tracking

Fairlytics uses a random session identifier stored in your browser's sessionStorage to count unique visitors within a single browsing session. This identifier:

Is a random UUID with no connection to any personal data
Is stored only in the browser tab's sessionStorage (not a cookie)
Is automatically cleared when the browser tab is closed
Expires after 30 minutes of inactivity
Is never sent to third parties
Cannot be used to identify or re-identify any individual

Under the ePrivacy Directive (Article 5(3)), storing information on a user's device generally requires consent. However, this sessionStorage use qualifies as strictly necessary for the legitimate service explicitly requested by the website operator (audience measurement), in line with CNIL's exemption criteria for audience measurement tools and similar guidance from European data protection authorities. The stored data is a random value with no personal data, is limited to a single browsing session, and is used solely to avoid double-counting visitors.

      No cookies. We never set cookies of any kind. The sessionStorage mechanism is not a cookie, is not sent with HTTP requests, and does not persist across browser sessions.
    

3. Data We Do NOT Collect from Visitors

No cookies or persistent identifiers
No IP addresses stored (derived to country code in-memory, then discarded)
No browser fingerprinting or device fingerprinting
No cross-site or cross-device tracking
No personal data of any kind from visitors
No query parameters or URL fragments
No raw User-Agent strings
No localStorage, IndexedDB, or any persistent client-side storage
No names, email addresses, phone numbers, or contact details

4. Do Not Track (DNT) and Global Privacy Control (GPC)

We respect both the Do Not Track browser header and the Global Privacy Control signal. If a visitor's browser sends DNT: 1 or Sec-GPC: 1 (or has navigator.globalPrivacyControl enabled), the Fairlytics tracking script does not execute at all — no data is collected, no request is sent to our servers, and no sessionStorage is used.

This complies with requirements under the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), and other US state privacy laws that mandate recognition of universal opt-out mechanisms.

5. Legal Basis for Processing (GDPR)

5.1 Website Visitor Data

Fairlytics does not collect personal data from website visitors as defined by GDPR Article 4(1). The data stored (page path, referrer domain, country code, browser family, OS family, device type, random session ID, timestamp) cannot be used, individually or in combination, to identify a natural person.

Because no personal data is processed, GDPR does not strictly apply to visitor data. However, to the extent any data protection authority considers any of this data to constitute personal data, the legal basis would be legitimate interest (GDPR Article 6(1)(f)) — the website operator's legitimate interest in understanding aggregate traffic patterns on their own website, balanced against the minimal impact on visitor privacy given that no identifying information is collected or stored.

5.2 Account Holder Data

For Fairlytics account holders (website owners), we process personal data under the following legal bases:

Contract performance (GDPR Article 6(1)(b)) — processing email and password is necessary to provide the analytics service you signed up for
Legitimate interest (GDPR Article 6(1)(f)) — sending weekly analytics reports to help you use the service effectively
Legal obligation (GDPR Article 6(1)(c)) — retaining billing records as required by tax and accounting laws

6. Data We Collect from Account Holders

If you create a Fairlytics account (as a website owner), we collect and store:

Email address — for account login, weekly analytics reports, and service communications
Password — stored as a bcrypt hash (cost factor 12); we never store or have access to your plaintext password
Website domains — the sites you register for tracking
Subscription and billing data — plan tier and Stripe customer ID for payment processing

7. Third-Party Services (Sub-Processors)

We use the following third-party services to operate Fairlytics:

Service	Purpose	Data Accessed	Location
Supabase (AWS)	Database hosting	All stored analytics and account data	EU (Ireland, eu-west-1)
Railway	Application hosting	All data in transit	Configurable region
Stripe	Payment processing	Email address, payment details	US (PCI DSS Level 1)
Resend	Transactional email	Email addresses of account holders	US

We do not sell, rent, share, or transfer website visitor analytics data to any third party. Analytics data is only accessible to the website owner who registered the site.

8. International Data Transfers

Our primary database is hosted in the EU (AWS eu-west-1, Ireland). However, some sub-processors are located in the United States:

Stripe (payments) and Resend (email) are US-based. Data transfers to these services are protected under the EU-US Data Privacy Framework (DPF), established by the European Commission's adequacy decision of 10 July 2023. Both services are certified under the DPF.
As a fallback safeguard, we also maintain Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914) with our US-based sub-processors, along with supplementary measures including encryption in transit and at rest.

Only account holder data (email addresses) is transferred to US-based services. Website visitor analytics data remains in the EU.

9. Data Retention

Individual page view data: retained for 24 months from collection, then automatically purged
Aggregated daily statistics: retained indefinitely (these are aggregate counts with no individual-level data)
Account data: retained until you delete your account
Billing records: retained for the period required by applicable tax and accounting laws (typically 7 years) after the end of the subscription

10. Your Rights Under GDPR (EEA Residents)

If you are a Fairlytics account holder located in the European Economic Area, you have the following rights regarding your personal data:

Right of access (Article 15) — request a copy of the personal data we hold about you
Right to rectification (Article 16) — request correction of inaccurate data
Right to erasure (Article 17) — request deletion of your account and all associated data
Right to restriction (Article 18) — request that we limit processing of your data
Right to data portability (Article 20) — receive your data in a structured, machine-readable format
Right to object (Article 21) — object to processing based on legitimate interest

To exercise any of these rights, email privacy@fairlytics.dev. We will respond within 30 days.

Website visitors: Because we do not collect personal data from website visitors, data subject access requests regarding visitor data are generally not applicable — there is no personal data to access, rectify, or delete.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

11. Your Rights Under US Privacy Laws

11.1 California (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.):

We do not sell or share personal information of website visitors
We do not collect personal information from website visitors
We do not use sensitive personal information for purposes beyond what is necessary to provide the service
For account holders: we collect your email address and hashed password for the business purpose of providing the analytics service

California residents with a Fairlytics account have the right to:

Know what personal information we collect and how it is used
Delete your personal information (account deletion)
Correct inaccurate personal information
Non-discrimination for exercising your privacy rights

To exercise your rights, email privacy@fairlytics.dev. We do not require an authorized agent but will accept one with proper verification.

11.2 Other US States

Fairlytics respects the privacy rights granted by state privacy laws including those of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Indiana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Maryland, and Minnesota.

Because Fairlytics does not collect personal data from website visitors, these laws generally do not impose additional obligations on our visitor data processing. For account holders, the rights described above (access, correction, deletion, portability) apply regardless of your state of residence.

If you believe we have not adequately addressed your privacy concerns, you may contact your state's attorney general.

12. Children's Privacy

Fairlytics does not knowingly collect personal information from children under 16 (or under 13 in the US under COPPA). The Fairlytics account registration requires users to be at least 18 years old. Since we do not collect personal data from website visitors of any age, COPPA and similar child protection laws do not apply to our visitor data processing.

13. Data Security

We implement the following technical and organizational measures to protect your data:

All data encrypted in transit using TLS 1.2 or higher
Database access restricted to the application server only, with connection pooling
Passwords hashed with bcrypt (cost factor 12)
API keys stored as SHA-256 hashes (raw keys never retained after initial generation)
All database queries use parameterized statements to prevent SQL injection
Environment variables used for all secrets and credentials
No personally identifiable information stored in the analytics database

14. Automated Decision-Making

Fairlytics does not engage in automated decision-making or profiling as defined by GDPR Article 22. No decisions with legal or similarly significant effects are made about any individual based on automated processing of their data.

15. Do Not Sell or Share My Personal Information

Fairlytics does not sell personal information. Fairlytics does not share personal information for cross-context behavioral advertising. This applies to both website visitor data and account holder data. Because we do not sell or share personal information, there is no need to submit an opt-out request, but you may contact us at any time with questions.

16. Data Breach Notification

In the unlikely event of a data breach affecting account holder personal data (email addresses, password hashes), we will:

Investigate the breach and determine its scope
Notify affected account holders without undue delay, and within the timeframes required by applicable law (e.g., 72 hours under GDPR, 30-60 days under US state laws)
Notify relevant supervisory authorities and state attorneys general as required by law
Provide information about the nature of the breach, data affected, and steps taken to mitigate it

Because we do not store personal data from website visitors (no IP addresses, no names, no identifiers), a breach of the analytics database would not expose any visitor personal information.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify account holders via email at least 30 days before the changes take effect
For changes that affect how we process visitor data, post a notice on our website

Continued use of the service after the effective date of changes constitutes acceptance of the updated policy.

18. Contact

For privacy inquiries, data subject requests, or concerns:

Email: privacy@fairlytics.dev
Response time: within 30 days for formal requests