Privacy Overview

Ovyxa is built with privacy as a core principle, not an afterthought. We believe you can have powerful analytics without compromising your visitors' privacy.

Our Privacy-First Philosophy

No Cookies by Default

Ovyxa uses cookie-less tracking in strict mode. This means:

  • No consent banner required (in most jurisdictions)
  • Visitors don't need to accept cookies to be counted
  • GDPR-compliant by design
  • No tracking data stored in visitor browsers

Learn more about cookie-less tracking.

No Cross-Site Tracking

Each website you track is completely isolated:

  • No shared identifiers across domains
  • No building of user profiles across sites
  • No selling or sharing of data
  • Each site's data stays separate

No Fingerprinting

We explicitly reject invasive tracking techniques:

  • No canvas fingerprinting - We don't render hidden images to identify devices
  • No font fingerprinting - We don't enumerate installed fonts
  • No audio fingerprinting - We don't use audio context APIs
  • No exotic device hashing - We don't combine obscure properties to create pseudo-IDs

These techniques are surveillance, not analytics. We don't use them.

Minimal Data Collection

We only collect what's necessary for meaningful analytics:

What we collect:

  • Page URL (can be truncated)
  • Referrer source
  • Browser type (Chrome, Firefox, Safari)
  • Device type (Desktop, Mobile, Tablet)
  • Operating system family (Windows, macOS, iOS, Android)
  • Country (derived from IP, never stored)

What we DON'T collect:

  • Personally identifiable information (PII)
  • Exact IP addresses (used transiently, never stored)
  • City or precise location
  • Email addresses or names
  • Unique user IDs (in strict mode)

EU Hosting Only

All data is stored in European data centers by default:

  • Full GDPR compliance
  • No data transfers outside EU/EEA
  • Partners: OVHcloud, Scaleway, Hetzner
  • TLS encryption in transit
  • Disk encryption at rest

Our strict mode qualifies as "exempt tracking" under GDPR:

  • Based on legitimate interest (audience measurement)
  • Minimal data collection
  • Aggregated reporting only
  • No individual tracking
  • Purpose-limited (analytics only)

See our GDPR documentation for complete details.

Transparent Methodology

We're open about exactly what we do:

  • Public documentation of all data collection
  • Clear explanation of how metrics are calculated
  • Open source roadmap
  • Data Processing Agreement (DPA) available
  • List of all sub-processors

User Control

You maintain control over your data:

  • Self-hosting option - Run Ovyxa on your own infrastructure
  • Data export - Download all your data anytime (CSV/JSON)
  • Data deletion - Delete your account and all associated data
  • Configurable retention - Set how long data is kept (6-36 months)

Privacy by Design

Privacy isn't a feature we added—it's how we designed the system from day one:

  1. IP addresses: Used only in RAM to derive the country code, then discarded. Never written to disk. Hash keys (if used for daily unique calculation) are salted, site-specific, and expire within 24 hours.

  2. User-Agent strings: Parsed to extract browser/device families, then reduced to categories. Raw UA strings are not stored in our cloud (storing them is optional when self-hosted).

  3. No persistent IDs: In strict mode, we don't generate or store any unique identifier for visitors. Calculations are done on aggregated data only.

  4. Query parameters: Can be configured to strip sensitive parameters (email, tokens) from URLs before storage.
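
The four steps above can be sketched as one ingestion function. This is an added example, not Ovyxa's own code: the class and function names, the deny-list of parameters, and the choice of HMAC-SHA256 over IP plus User-Agent as the hash input are all assumptions, and the sample hit is constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed deny-list; the page names only "email, tokens" as examples.
SENSITIVE_PARAMS = {"email", "token", "access_token"}

class DailySalts:
    """Per-site random salts kept in memory only and dropped when the day changes."""
    def __init__(self):
        self._day, self._salts = None, {}

    def salt_for(self, site_id, today):
        if today != self._day:  # new day: yesterday's salts become unrecoverable
            self._day, self._salts = today, {}
        return self._salts.setdefault(site_id, secrets.token_bytes(32))

def strip_sensitive(url):
    """Remove deny-listed query parameters before the URL is stored."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def browser_family(ua):
    """Simplified reduction of a raw User-Agent to a coarse category."""
    # Order matters: Chrome user agents also contain "Safari/".
    for needle, family in (("Firefox/", "Firefox"), ("Chrome/", "Chrome"),
                           ("Safari/", "Safari")):
        if needle in ua:
            return family
    return "Other"

def process_hit(salts, site_id, ip, ua, url, today):
    """Build the stored record; the IP and raw UA exist only as local variables."""
    salt = salts.salt_for(site_id, today)
    # Assumption: HMAC-SHA256 over IP + UA; the page does not name the inputs.
    digest = hmac.new(salt, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()
    return {"site": site_id, "day": today.isoformat(), "visitor": digest[:16],
            "url": strip_sensitive(url), "browser": browser_family(ua)}

if __name__ == "__main__":
    salts = DailySalts()
    ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
    hit = ("203.0.113.7", ua, "https://example.com/reset?email=a%40b.c&page=2&token=xyz")
    print(process_hit(salts, "site-a", *hit, date(2024, 5, 1)))  # constructed sample
```

Because the salt is random, per site, and never persisted, the same visitor produces different hashes on different sites and on different days, so the stored value cannot be joined across either boundary.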

Modes of Operation

Strict Mode (Default)

  • Cookie-less tracking
  • No persistent identifiers
  • Approximate daily unique visitors
  • No consent banner needed
  • GDPR/CNIL compliant

Opt-In Mode (Phase 2)

For customers who obtain explicit consent and need advanced features:

  • First-party localStorage ID
  • Multi-day visitor tracking
  • Funnel and cohort analysis
  • Requires consent banner and proper legal basis

Opt-in mode must be explicitly enabled and properly disclosed.

Compliance & Certifications

  • GDPR - Full compliance with EU data protection regulation
  • CNIL - French data protection authority guidelines followed
  • ePrivacy Directive - Cookie-less mode exempt from consent requirement
  • CCPA - California Consumer Privacy Act compliant
  • Data Processing Agreement - Available for all business customers

Trust & Verification

We build trust through transparency:

  • All data processing documented
  • Security measures published
  • Regular third-party audits (planned)
  • Bug bounty program (coming soon)
  • Public incident disclosure policy

Questions?

Privacy isn't a marketing claim for us—it's our foundation.