Summary: Fairlytics is a privacy-first analytics platform. We do not use cookies, do not track individuals across sites, and do not collect or store any personally identifiable information (PII) from website visitors. No consent banner is required for websites using Fairlytics.
This Privacy Policy applies to (a) visitors of websites that use the Fairlytics tracking script, and (b) Fairlytics account holders (website owners who use our service).
1. Data Controller
The data controller for the Fairlytics service is:
Fairlytics — operated by Guillem
Email: privacy@fairlytics.dev
If you are a website owner using Fairlytics, you are the data controller for your visitors' data, and Fairlytics acts as a data processor on your behalf.
2. Data We Collect from Website Visitors
When a website uses Fairlytics, the following data is processed for each page view:
- IP address → resolved to a country code (e.g. "ES") in memory, then immediately discarded. Never stored in any database or log file.
- User-Agent → parsed to browser family, OS family, and device type. Raw string never stored.
- Page URL → path only (e.g. "/about"). Query parameters and fragments stripped.
- Referrer → domain only (e.g. "google.com"). Full URL and query parameters truncated.
- Screen width → categorized as Mobile, Tablet, or Desktop.
Session Tracking
We use a random session identifier stored in your browser's sessionStorage to count unique visitors within a single browsing session. This identifier is a random UUID with no connection to personal data, is cleared when the tab closes, expires after 30 minutes of inactivity, and is never sent to third parties.
Under the ePrivacy Directive (Article 5(3)), this sessionStorage use qualifies as strictly necessary for the legitimate service requested by the website operator (audience measurement), in line with CNIL's exemption criteria for audience measurement tools.
3. Data We Do NOT Collect from Visitors
- No cookies or persistent identifiers
- No IP addresses stored
- No fingerprinting or cross-site tracking
- No personal data from visitors
- No query parameters or URL fragments
- No localStorage, IndexedDB, or persistent client-side storage
4. Do Not Track (DNT) and Global Privacy Control (GPC)
We respect both the Do Not Track browser header and the Global Privacy Control signal. If a visitor's browser sends DNT: 1 or Sec-GPC: 1, the tracking script does not execute at all — no data is collected and no sessionStorage is used.
This complies with CPRA, CPA, CTDPA, TDPSA, and other US state laws that mandate recognition of universal opt-out mechanisms.
5. Legal Basis for Processing (GDPR)
Website visitor data: Fairlytics does not collect personal data from website visitors. To the extent any authority considers any stored data personal, the legal basis is legitimate interest (Article 6(1)(f)).
Account holder data: Contract performance (Article 6(1)(b)) for providing the service, legitimate interest (Article 6(1)(f)) for weekly reports, and legal obligation (Article 6(1)(c)) for billing records required by tax law.
6. Data for Account Holders
If you create a Fairlytics account, we store: email address (for login and reports), hashed password (bcrypt, cost factor 12 — never plaintext), website domains you register, and subscription/billing data via Stripe.
7. Third-Party Services
| Service | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting | EU (Ireland) |
| Railway | Application hosting | Configurable |
| Stripe | Payment processing | US (PCI DSS) |
| Resend | Transactional email | US |
We do not sell, share, or transfer visitor analytics data to any third party.
8. International Data Transfers
Our database is in the EU (Ireland). Transfers to US-based sub-processors (Stripe, Resend) are protected under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs) as fallback. Only account holder email addresses are transferred to US services — visitor analytics data remains in the EU.
9. Data Retention
- Page view data: 24 months, then automatically purged
- Aggregated daily stats: retained indefinitely (aggregate counts only)
- Account data: retained until you delete your account
- Billing records: retained per applicable tax law requirements
10. Your Rights (GDPR — EEA Residents)
Account holders in the EEA have the right to: access, rectification, erasure, restriction, data portability, and objection. To exercise these rights, email privacy@fairlytics.dev. We respond within 30 days.
You may also lodge a complaint with your local supervisory authority.
Website visitors: because we do not collect personal data from visitors, data subject requests regarding visitor data are not applicable.
11. Your Rights (US Privacy Laws)
California (CCPA/CPRA): We do not sell or share personal information. We do not collect personal information from website visitors. California account holders have the right to know, delete, correct, and opt out, with non-discrimination guaranteed.
Other US states: We respect privacy rights under Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Montana, Indiana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Maryland, and Minnesota privacy laws. Because we do not collect personal data from visitors, these laws generally do not impose additional obligations on visitor data processing.
12. Children's Privacy
We do not knowingly collect personal information from children under 16 (or under 13 under COPPA). Account registration requires users to be at least 18. Since we do not collect personal data from visitors of any age, COPPA does not apply to visitor data.
13. Data Security
All data is encrypted in transit (TLS 1.2+). Passwords are hashed with bcrypt (cost factor 12). API keys are stored as SHA-256 hashes. All queries use parameterized SQL.
14. Automated Decision-Making
Fairlytics does not engage in automated decision-making or profiling as defined by GDPR Article 22. No decisions with legal or similarly significant effects are made about any individual based on automated processing.
15. Do Not Sell or Share My Personal Information
Fairlytics does not sell personal information. Fairlytics does not share personal information for cross-context behavioral advertising. This applies to both visitor data and account holder data.
16. Data Breach Notification
In the event of a data breach affecting account holder personal data, we will notify affected users without undue delay and within timeframes required by applicable law (72 hours under GDPR, 30-60 days under US state laws), and notify relevant authorities as required. Because we do not store personal data from visitors, a breach of the analytics database would not expose visitor personal information.
17. Changes to This Policy
Material changes will be communicated via email to account holders at least 30 days before taking effect. The "Last updated" date above will be revised accordingly.
18. Contact
For privacy inquiries or data requests: privacy@fairlytics.dev
Response time: within 30 days for formal requests.