Privacy Policy
Last updated: March 23, 2026
1. Introduction
EngageTrack (“we”, “us”, or “our”) is a privacy-first web analytics service operated by Asuna Labs. This Privacy Policy explains how we collect, use, store, and protect information when you use our website, dashboard, tracking SDK, and related services (collectively, the “Service”).
We are committed to respecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.
2. Our Privacy-First Approach
EngageTrack operates in memory mode by default, which means our tracking script does not use cookies, localStorage, sessionStorage, or any other form of device storage. Session tracking uses an in-memory JavaScript variable that is automatically discarded when the browser tab is closed.
Because we store nothing on the visitor's device in the default mode, no cookie or storage consent banner is required under the ePrivacy Directive or GDPR.
2.1 Server-Side Visitor Identification
To count unique visitors within a single day, our server computes a cryptographic hash (SHA-256) from the visitor's IP address, User-Agent header, and a random salt that rotates every 24 hours. The raw IP address is discarded immediately after hashing — it is never stored. Because the salt changes daily, it is mathematically impossible to track a visitor across multiple days or reverse the hash to recover the original IP address.
2.2 Optional Storage Mode
Website owners may enable persistent tracking by adding data-persistence="storage" to the script tag. In this mode, a random visitor identifier is stored in localStorage and session data in sessionStorage. This enables multi-day returning visitor tracking but requires a cookie/storage consent banner in the EU under the ePrivacy Directive.
2.3 Cross-Domain Tracking (Storage Mode Only)
When storage mode is enabled and a website owner configures the data-allowed-hostnames attribute, the SDK may append _et_vid and _et_sid query parameters to outbound links for cross-domain session stitching. These are URL parameters, not cookies. They are consumed on load and immediately removed from the URL. This feature is disabled in the default memory mode.
3. Data Collected from Website Visitors
When a website owner installs the EngageTrack tracking script on their site, we collect the following categories of data from their visitors:
3.1 Page & Navigation Data
- Page URL, path, and title
- Referrer URL and inferred referrer source
- UTM campaign parameters (source, medium, campaign, term, content)
3.2 Engagement Data
- Event type (pageview, click, form submission, file download, outbound link, purchase, custom event)
- Time on page and scroll depth
- Custom event names and properties (if configured)
- Email addresses captured when a visitor clicks a
mailto:link on the instrumented website - Phone numbers — phone numbers captured when a visitor clicks a
tel:link on the instrumented website
3.3 Technical Data
- Browser name and version
- Operating system name and version
- Device type (desktop, mobile, tablet)
- Screen width and height
3.4 Geolocation Data
We derive approximate geographic location from the visitor's IP address using the MaxMind GeoLite2 database. This includes:
- Country, region, and city
- Approximate latitude and longitude
We do not store raw IP addresses. The IP is processed in memory for geolocation purposes and then discarded.
3.5 Revenue Data (Optional)
If the website owner has set up revenue tracking, we may collect purchase amounts, currency codes, and order identifiers to enable revenue attribution.
3.6 Identity Data (Optional)
If the website owner calls our identify() API, they may optionally send a user ID, email, name, or avatar URL to link a visitor to a known user. This data is sent at the discretion of the website owner, not collected automatically.
4. Data Collected from Account Holders
When you create an EngageTrack account, we collect:
- Account information: Name, email address, and password (stored as a bcrypt hash). If you sign in via Google or GitHub, we receive your name, email, and profile avatar from the OAuth provider.
- Organization details: Organization name, slug, and configuration preferences.
- Billing information: Company name, VAT/tax ID, and billing address (country, city, postal code, address lines). Payment card details are handled exclusively by Stripe — we never see or store your card numbers.
5. How We Use Your Data
- Provide the Service: Display analytics dashboards, reports, and insights to website owners.
- Account management: Authenticate users, manage teams, and facilitate collaboration.
- Billing: Process subscriptions and payments through Stripe.
- Transactional emails: Send email verification, password reset, and team invitation emails.
- Security: Maintain audit logs of important account actions, detect abuse, and protect the Service.
- Improvement: Analyze aggregated, anonymized usage patterns to improve the Service.
6. Legal Basis for Processing (GDPR)
- Contract performance: Processing account and billing data to provide the Service you signed up for.
- Legitimate interest: In the default memory mode, collecting anonymized analytics data to provide insights to website owners. No device storage is used and visitors cannot be tracked across days, satisfying both GDPR legitimate interest and ePrivacy requirements. Website owners who enable storage mode must obtain visitor consent.
- Legal obligation: Maintaining billing records as required by tax and accounting laws.
- Consent: When you voluntarily provide optional data (e.g., via the identify API).
7. Third-Party Processors
We share data with the following third-party services only as necessary to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, name, billing address, subscription details |
| LemonSqueezy | Payment processing (alternative provider) | Email, name, billing address, order details |
| Paddle | Payment processing (alternative provider) | Email, name, billing address, transaction details |
| Polar | Payment processing (alternative provider) | Email, name, billing address, checkout details |
| Google OAuth | Authentication | Email, name, profile picture (from Google) |
| GitHub OAuth | Authentication | Email, name, profile picture (from GitHub) |
| MaxMind | IP geolocation | None (offline database, no API calls) |
| SMTP Provider | Transactional emails | Email address, email content |
| AWS (eu-central-1) | Infrastructure hosting | All service data (encrypted at rest) |
8. Data Storage & Security
- Location: All data is stored on servers located in the European Union (AWS eu-central-1, Frankfurt).
- Database: Analytics data is stored in TimescaleDB/PostgreSQL. Session and caching data uses Redis.
- Encryption: Sensitive fields are encrypted using AES-256-GCM. Passwords are hashed with bcrypt. All data in transit is encrypted via TLS/HTTPS.
- Authentication: Dashboard access is protected by JWT-based authentication with short-lived access tokens and long-lived refresh tokens.
- Audit logging: Critical account actions are recorded in an audit log for security monitoring.
9. Data Retention
- Analytics events: Retained for the duration of your active subscription. Aggregated daily summaries are computed and retained separately.
- Account data: Retained as long as your account is active. Upon account deletion, personal data is removed within 30 days.
- Billing records: Retained as required by applicable tax and accounting laws (typically 7–10 years).
- Audit logs: Retained for up to 2 years for security purposes.
10. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data (“right to be forgotten”).
- Portability: Request your data in a machine-readable format.
- Restriction: Request that we limit processing of your data.
- Objection: Object to processing based on legitimate interest.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
11. Information for Website Visitors
If you are a visitor to a website that uses EngageTrack and wish to exercise your data rights, you should contact the website owner (data controller) directly. EngageTrack acts as a data processor on behalf of website owners. You may also contact us at [email protected] and we will assist in directing your request.
12. Children's Privacy
EngageTrack is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders of material changes via email or a dashboard notification. The “Last updated” date at the top of this page indicates when the policy was last revised.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at: