Privacy & Security

DataSaaS is built with privacy at its core. Here's how we protect your data and your visitors' privacy.

What DataSaaS collects

• Page URLs and titles — What content visitors view
• Referrer — Where visitors came from
• UTM parameters — Campaign tracking data
• Country, region, city — Resolved from IP (IP is not stored)
• Device type, browser, OS — Parsed from user agent
• Screen width and language — Browser settings
• Event timestamps — When actions occur

What DataSaaS does NOT collect

• IP addresses — Used for geolocation during ingestion, then discarded
• Personal identifiable information (PII) — No names, emails, or personal data
• Fingerprints — No browser fingerprinting
• Cross-site tracking — Cookies are scoped to your domain only

Cookie usage

Both cookies are:

• First-party only — Set on your domain, not a third-party domain
• SameSite=Lax — Not sent in cross-site requests
• Domain-scoped — Set on your root domain with path /

Do Not Track

DataSaaS respects the browser's Do Not Track (DNT) setting. When DNT is enabled, no events are sent.

Bot filtering

The tracking script detects and skips:

• navigator.webdriver (headless browsers)
• __nightmare (Nightmare.js)
• _phantom / callPhantom (PhantomJS)

Server-side bot filtering is also applied based on User-Agent patterns.

Row Level Security (RLS)

All database tables enforce Row Level Security. Users can only access data for websites they own. This is enforced at the PostgreSQL level — even a direct database query cannot bypass it.

API key encryption

Payment provider API keys are encrypted at rest in the database. They are never exposed in API responses or logs.

Rate limiting

The event ingestion endpoint is rate-limited to 100 events per minute per IP address, protecting against abuse and DDoS attempts.