Privacy Policy
Last updated: January 2025
1. Introduction
TraceLog ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web analytics service.
We are GDPR and CCPA compliant and take data privacy seriously. Our service is designed with privacy-first principles.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (optional)
- Password (encrypted)
- Company name (optional)
2.2 Analytics Data
TraceLog collects the following data about your website visitors:
- Page views and navigation patterns
- Click events and scroll depth
- Session duration and bounce rates
- Geolocation (country level only, derived from IP address)
- Device type, browser, and operating system
- Referrer information
- Core Web Vitals and performance metrics
- Error events and stack traces
2.3 Automatically Sanitized Data
We automatically sanitize all personally identifiable information (PII) before storage, including:
- Email addresses
- Phone numbers
- Credit card numbers and IBANs
- API keys and authentication tokens
- Any content from form fields marked with data-tlog-ignore
3. How We Use Your Information
We use the collected information for:
- Providing and improving our analytics service
- Generating AI-powered insights about your website performance
- Processing natural language queries using OpenAI's GPT models
- Sending you service-related notifications and updates
- Detecting and preventing fraud or abuse
- Complying with legal obligations
4. Data Storage and Security
4.1 Storage Location
Your data is stored on MongoDB Atlas servers located in GDPR-compliant data centers.
4.2 Data Retention
Analytics data is retained according to your subscription tier:
- Free: 30 days
- Starter: 60 days
- Growth: 90 days
- Business: 1 year
After this period, data is automatically deleted. Account information is retained until you delete your account.
4.3 Security Measures
- 256-bit SSL encryption for data in transit
- Encryption at rest for sensitive data
- IP address masking in all logs
- Regular security audits and updates
- Role-based access control
5. Third-Party Services
We use the following third-party services:
- OpenAI: For AI-powered insights and natural language query processing. Your analytics data may be sent to OpenAI's API for processing but is not used for model training.
- MongoDB Atlas: For database hosting and storage
- Resend: For transactional emails (account notifications, reports)
6. Cookies and Tracking
TraceLog does not use third-party cookies for analytics tracking. We use:
- localStorage: For session tracking of your website's visitors (expires after 15 minutes of inactivity)
- Authentication cookies: For keeping you logged into your TraceLog dashboard
No consent banner is required for TraceLog's tracking on your website under GDPR, as we do not use cookies for analytics purposes.
7. Your Rights (GDPR/CCPA)
You have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Data portability: Export your data in JSON format via our API
- Restriction: Limit how we process your data
- Object: Object to processing of your data
- Withdraw consent: At any time, without affecting lawfulness of prior processing
To exercise these rights, use the account settings in your dashboard or reach out through in-app support.
8. Data Sharing and Disclosure
We do not sell or rent your data. We may share information in the following cases:
- With your explicit consent
- To comply with legal obligations (court orders, subpoenas)
- To protect our rights and prevent fraud
- With service providers who assist in our operations (under strict confidentiality agreements)
- In case of a merger, acquisition, or asset sale (you will be notified)
9. International Data Transfers
If you access TraceLog from outside the EU, your data may be transferred to and processed in the EU or other countries. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for GDPR compliance.
10. Children's Privacy
TraceLog is not intended for users under 16 years old. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or dashboard notification. Continued use of TraceLog after changes constitutes acceptance of the updated policy.
12. Contact Us
For privacy-related questions or requests, please use the in-app support feature in your TraceLog dashboard, or reach out through our GitHub repository.
This Privacy Policy is effective as of January 1, 2025. It governs the privacy terms of our website and services.