Privacy Policy
Last updated: July 6, 2026. This is a template pending legal review — placeholders in brackets.
Who we are
VisitorType (“the Service”) is operated by [OPERATOR NAME / ENTITY], [ADDRESS], [COUNTRY]. Contact: [email protected]. For website visitors of sites that use our snippet, we act as a data processor on behalf of the site owner (the data controller). For registered users of our dashboard, we are the data controller.
Data we process about website visitors (as processor)
When a site using our snippet is visited, we process:
- User-agent string and derived bot/AI classification
- Page path and referrer — with query strings and fragments removed before storage
- A random per-browser-session identifier (expires when the tab session ends)
- Engagement measurements (time on page, scroll depth)
- Technical automation signals used solely for bot classification
We do not store IP addresses of website visitors, do not use persistent cookies or cross-site identifiers, and do not build visitor profiles. The snippet honors the Global Privacy Control (GPC) and Do Not Track signals by collecting nothing when they are present. Event data is automatically deleted after [90] days.
Data we hold about registered users (as controller)
- Account data: name, email, hashed password or OAuth identity
- Authentication session metadata (IP address, user agent) for account security
- Container configuration, tags, triggers, API keys (stored hashed)
- Optional AI-provider API keys you add for the assistant (never displayed in full)
- Waitlist entries: email and optional company name
Legal bases: performance of contract (operating your account) and legitimate interest (security). We do not sell personal data.
Sub-processors
[HOSTING PROVIDER, e.g. Vercel Inc.] (hosting), [DATABASE PROVIDER, e.g. Neon] (data storage, [EU REGION]), [EMAIL PROVIDER, e.g. Resend] (transactional email). If you configure the built-in assistant, your prompts and aggregated analytics summaries are sent to the AI provider you choose and key you supply (e.g. Anthropic, OpenAI, DeepSeek, Zhipu, or your own Ollama server) — that processing happens under your relationship with that provider.
Your rights
Under GDPR you may request access, rectification, erasure, restriction, portability, or object to processing — contact [email protected]. Website visitors should direct requests to the owner of the website they visited (the controller); we support controllers in fulfilling them. You may lodge a complaint with your supervisory authority.
Retention & deletion
Visitor events: deleted after [90] days automatically. Account data: deleted upon account deletion request to [email protected]; deleting a container permanently deletes all its events. Backups expire within [30] days.