Privacy Overview
Ovyxa is built with privacy as a core principle, not an afterthought. We believe you can have powerful analytics without compromising your visitors' privacy.
Our Privacy-First Philosophy
First-Party Cookies Only
Ovyxa uses first-party cookies for accurate cross-session tracking and revenue attribution:
- ovyxa_vid - visitor ID cookie (1 year), SameSite=Lax, Secure
- ovyxa_sid - session ID cookie (30 min rolling), SameSite=Lax, Secure
- Cookie consent banner required (GDPR)
- Enables accurate revenue attribution, visitor journeys, and cross-session tracking
No Cross-Site Tracking
Each website you track is completely isolated:
- No shared identifiers across domains
- No building of user profiles across sites
- No selling or sharing of data
- Each site's data stays separate
No Fingerprinting
We explicitly reject invasive tracking techniques:
- No canvas fingerprinting - We don't render hidden images to identify devices
- No font fingerprinting - We don't enumerate installed fonts
- No audio fingerprinting - We don't use audio context APIs
- No exotic device hashing - We don't combine obscure properties to create pseudo-IDs
These techniques are surveillance, not analytics. We don't use them.
Minimal Data Collection
We only collect what's necessary for meaningful analytics:
What we collect:
- Page URL (can be truncated)
- Referrer source
- Browser type (Chrome, Firefox, Safari)
- Device type (Desktop, Mobile, Tablet)
- Operating system family (Windows, macOS, iOS, Android)
- Country (derived from IP, never stored)
What we DON'T collect:
- Exact IP addresses (used transiently, never stored)
- Email addresses or names (unless user identification is enabled)
- Cross-site identifiers
EU Hosting Only
All data is stored in European data centers by default:
- Full GDPR compliance
- No data transfers outside EU/EEA
- Partners: OVHcloud, Scaleway, Hetzner
- TLS encryption in transit
- Disk encryption at rest
Transparent Methodology
We're open about exactly what we do:
- Public documentation of all data collection
- Clear explanation of how metrics are calculated
- Data Processing Agreement (DPA) available
- List of all sub-processors
User Control
You maintain control over your data:
- Data export - Download all your data anytime (CSV/JSON)
- Data deletion - Delete your account and all associated data
- Configurable retention - Set how long data is kept (6-36 months)
Privacy by Design
Privacy isn't a feature we added—it's how we designed the system from day one:
- IP addresses: Used only in RAM to derive country code, then discarded. Never written to disk. Hash keys (if used for daily unique calculation) are salted, site-specific, and expired within 24 hours.
- User-Agent strings: Parsed to extract browser/device families, then reduced to categories. Raw UA strings are not stored.
- Query parameters: Can be configured to strip sensitive parameters (email, tokens) from URLs before storage.
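The IP-handling and query-parameter rules above, sketched as an added example (this is not Ovyxa's code). It assumes an HMAC-SHA256 pseudonym keyed by a per-site random salt that lives only in memory and is replaced after 24 hours, plus a hypothetical deny-list of parameter names; all class and function names are illustrative.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed deny-list; the page only names "email, tokens" as examples.
SENSITIVE_PARAMS = {"email", "token", "access_token", "password"}


class DailySaltStore:
    """Holds one random salt per site in memory and replaces it after 24 hours."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self._salts = {}  # site_id -> (salt, created_at)

    def salt_for(self, site_id, now):
        entry = self._salts.get(site_id)
        if entry is None or now - entry[1] >= self.ttl:
            # The old salt is overwritten, so yesterday's hashes cannot be recomputed.
            entry = (secrets.token_bytes(32), now)
            self._salts[site_id] = entry
        return entry[0]


def daily_visitor_hash(store, site_id, ip, ua_family, now):
    """Return a site-specific pseudonym; the raw IP is not returned or kept."""
    salt = store.salt_for(site_id, now)
    msg = "\x1f".join((site_id, ip, ua_family)).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def strip_sensitive_params(url):
    """Drop deny-listed query parameters before the URL is stored."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return parts._replace(query=urlencode(kept)).geturl()


if __name__ == "__main__":
    store = DailySaltStore()
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    print(daily_visitor_hash(store, "site-a", "203.0.113.7", "Chrome", now))
    print(strip_sensitive_params("https://shop.example/checkout?email=a%40b.c&token=xyz&plan=pro"))
```

Because each site gets its own salt, the same visitor produces unrelated hashes on two sites, and once a salt is replaced the previous day's hashes can no longer be linked to new ones.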
Compliance & Certifications
- GDPR - Full compliance with EU data protection regulation
- CNIL - French data protection authority guidelines followed
- CCPA - California Consumer Privacy Act compliant
- Data Processing Agreement - Available for all business customers
Trust & Verification
We build trust through transparency:
- All data processing documented
- Security measures published
- Regular third-party audits (planned)
- Bug bounty program (coming soon)
- Public incident disclosure policy
Questions?
- Read our GDPR compliance guide
- Review our DPA template
- Contact us for specific compliance questions
Privacy isn't a marketing claim for us—it's our foundation.