Privacy by architecture, not by policy
No cookies, no fingerprinting, no PII. Visitor data is ephemeral and permanently deleted after daily aggregation.
Surveillance is architecturally impossible
Other tools promise privacy through policy. We make tracking individuals impossible by design — session IDs are derived server-side from an irreversible daily-rotating hash, and raw visitor metadata is never stored.
Visitor data lifecycle
Server-derived hash per day
Stored for 24 hours
Pre-aggregated summaries
Permanently removed
Visitor data is permanently deleted every 24 hours
Only anonymous interactions. Nothing personal.
Privatrak captures the minimum data needed for product analytics — and nothing that could identify an individual.
Auto-Captured Events
Pageviews, clicks, and form submissions are captured automatically. No manual instrumentation needed.
No Personal Data Stored
No names, emails, or device fingerprints are ever stored. IP addresses and User-Agents are used only in memory to derive session hashes, then immediately discarded.
Form Metadata Only
Form submissions are tracked with metadata only — the form's tag and selector. No field values, no input contents, no text entries.
Form submissions are tracked by metadata only — no field values are ever captured.
Compliant by architecture, not by checkbox.
Because Privatrak collects zero personal data, you're compliant with GDPR, CCPA, and ePrivacy by default — no consent banners, no cookie popups, no complex privacy policy rewrites.
GDPR Compliant
Session derivation uses an irreversible daily-rotating HMAC hash — no raw personal data is stored, so no consent is required under Article 6. No Data Processing Agreement needed.
CCPA Compliant
No sale or sharing of personal information. No opt-out mechanism required because there's nothing to opt out of.
ePrivacy / Cookie Law
Zero cookies, zero localStorage, zero browser storage of any kind. The ePrivacy directive simply doesn't apply.
No consent banner needed. No cookie popup. No complex privacy policy changes.
Your data pipeline, fully transparent.
From script tag to dashboard — every step is designed to minimize data and maximize privacy. Here's exactly what happens.
Data Architecture
Frequently Asked Questions
Everything you need to know about privacy and data handling in Privatrak.
No. Privatrak uses zero cookies, zero localStorage, and zero browser storage of any kind. Session identification uses an in-memory ID that dies when the tab closes.
Yes. Because Privatrak collects zero personal data, no consent is required under GDPR Article 6. You don't need a cookie banner, a Data Processing Agreement, or complex changes to your privacy policy.
The server derives anonymous session IDs from visitor metadata using a daily-rotating HMAC key. Raw IP and User-Agent are used only in memory and immediately discarded — never stored. Event data is stored with these anonymous session references, then permanently aggregated daily. Only anonymous summaries remain.
No. The system is architecturally designed to make individual identification impossible. Session IDs are derived from an irreversible HMAC hash with a daily-rotating key. Raw IP and User-Agent are never stored — only the irreversible hash is kept. Session mappings are deleted within 24 hours.
No. Your analytics data is yours alone. We never sell, share, or provide access to any third party. There are no ad trackers, no data brokers, and no third-party scripts.
The tracker's auto-capture never collects personal data. However, if you use custom events via tracker.track() or data-track-* attributes, you control what data is sent. Avoid including emails, names, or other PII in custom event attributes.
We recommend mentioning Privatrak in your privacy policy for full transparency, even though the data processing is minimal and privacy-friendly. If you're unsure about the details, the best advice always comes from a legal professional.
Be the first to try privacy-first analytics
Join the waitlist and get early access when we launch.