VisitorsToday

Privacy & data model

What we collect — and what we never do

VisitorsToday is built privacy-first: first-party only, no third-party cookies, no cross-site or cross-device tracking, no personal data. Here is exactly how it works — no fine print.

What we collect

Page views & eventsOn your site only — page views, clicks, scroll depth, form interactions, outbound clicks, downloads.
Coarse locationCountry, region, and city — derived from the IP at the network edge. The IP address itself is never stored.
DeviceBrowser, OS, and device type, parsed from the User-Agent. No device fingerprinting.
SourceReferrer host and UTM campaign tags, so you can see where visitors came from.
A first-party visit idA single identifier stored in the visitor's browser (localStorage) to tell new vs returning visits apart — first-party only, never shared, never used across sites.

What we never collect

The data model

Events flow from the tracker to an append-only event stream, then into a durable store plus daily roll-ups that power your dashboard. You can export everything as CSV or JSON at any time, and delete a site to remove its data.

TransportTracker → /api/ingest → edge worker → event stream → Postgres + daily rollups.
Property limitsEvent properties are capped (key count, string length, nesting depth) so no oversized blobs are stored.
Your data, portableRead API + CSV/JSON export over your own data — no lock-in.

Data retention — kept for the life of your account

Your analytics history is yours to keep. Events land in a durable store, not a rolling window — no 6-day cap, no automatic deletion. See your first day's data years from now, and pull any of it out via the export at any time. When you delete a site, its data is removed.

RetentionKept for the life of your account — no rolling expiry.
Dashboard defaultShows up to the last 400 days for speed; the full history stays stored and is available via export.
DeletionDelete a site to remove its data; export it first if you want a copy.

Compliance posture

The data practices above are designed to align with the principles of GDPR and CCPA — data minimisation, no personal data, no third-party sharing. Note: VisitorsToday currently uses a first-party browser identifier (localStorage); depending on your jurisdiction and how you use the product, you should evaluate your own consent obligations. This page describes what the product does so you can make that assessment — it is documentation, not legal advice.