Privacy & Compliance#

Pulsora is built on a simple principle: you don't need personal data to understand your website's performance. We've designed every part of our system to respect user privacy while giving you the analytics you need to make better decisions.

Our Privacy Philosophy#

Most analytics platforms start by collecting everything, then try to anonymize it. We take the opposite approach: we never collect personal data in the first place.

What This Means in Practice#

  • No cookies - Zero browser storage, no tracking cookies
  • No device fingerprinting - No Canvas, WebGL, or Audio context probing
  • No personal data - IP addresses and user agents are hashed immediately, never stored raw
  • Automatic expiration - All visitor identifiers expire through salt rotation (24h-30d)
  • No cross-site tracking - Each website uses isolated salts and identifiers

Result: You get complete analytics without compromising your visitors' privacy.

What We Collect#

Pulsora collects only the minimum data needed for web analytics:

| Data Point | What It Is | Why We Collect It | How We Anonymize It |
|---|---|---|---|
| Page URL | The page your visitor viewed | Track which pages are popular | Stored as-is (no personal data in URLs) |
| Referrer | Where the visitor came from | Understand traffic sources | Stored as-is (domain/URL only) |
| Timestamp | When the visit occurred | Calculate metrics over time | Rounded to nearest second |
| User Agent | Browser type and version | Basic browser analytics | Hashed with SHA256 + salt, never stored raw |
| IP Address | Visitor's IP address | Generate anonymous fingerprint | Hashed with SHA256 + salt, never stored raw |
| UTM Parameters | Campaign tracking codes | Attribution analytics | Stored as-is (you control these) |
| Custom Events | Events you explicitly track | Feature usage analytics | Only data you send |
| Revenue Data | Transaction amounts | Revenue attribution | No customer PII required |

How Visitor Identification Works#

Instead of storing IP addresses or using cookies, we generate an anonymous fingerprint on the server:

fingerprint = SHA256(IP_Address + User_Agent + Website_ID + Salt)

Key points:

  • Hash is generated on the server (not in the browser)
  • Raw IP and User Agent are never stored anywhere
  • Salt rotates automatically based on your attribution window (24h-30d)
  • After salt rotation, all fingerprints become invalid

This means visitor identifiers are temporary by design. There's no way to track a visitor indefinitely because the salt that created their fingerprint is discarded.
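
The scheme above, as an added Node.js sketch (not Pulsora's own code) that checks the three properties claimed: stable within the window, isolated per website, invalid after rotation. The `SaltStore` class, its in-memory storage and the length-prefixed field encoding are assumptions of this illustration; the IP address and User-Agent are constructed sample values.

```javascript
// Added illustration; not Pulsora's implementation.
const { createHash, randomBytes } = require('node:crypto');

// Hypothetical in-memory salt store: one salt per website, replaced on rotation.
class SaltStore {
  constructor(windowMs) {
    this.windowMs = windowMs; // attribution window (24h-30d on this page)
    this.salts = new Map();   // websiteId -> { salt, createdAt }
  }
  saltFor(websiteId, now) {
    const entry = this.salts.get(websiteId);
    if (entry && now - entry.createdAt < this.windowMs) return entry.salt;
    // Window elapsed (or first request): overwrite, so the old salt is discarded.
    const salt = randomBytes(32);
    this.salts.set(websiteId, { salt, createdAt: now });
    return salt;
  }
}

// SHA256(IP + User-Agent + Website ID + Salt). Each field is length-prefixed
// (an assumption of this sketch) so different field splits cannot collide.
function fingerprint(ip, userAgent, websiteId, salt) {
  const h = createHash('sha256');
  for (const field of [ip, userAgent, websiteId]) {
    const bytes = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    h.update(len).update(bytes);
  }
  return h.update(salt).digest('hex');
}

function demo() {
  const DAY = 24 * 60 * 60 * 1000;
  const store = new SaltStore(DAY);
  const ip = '203.0.113.7';               // constructed (documentation range)
  const ua = 'Mozilla/5.0 (constructed)'; // constructed
  const a1 = fingerprint(ip, ua, 'site-a', store.saltFor('site-a', 0));
  const a2 = fingerprint(ip, ua, 'site-a', store.saltFor('site-a', DAY - 1));
  const b1 = fingerprint(ip, ua, 'site-b', store.saltFor('site-b', 0));
  const a3 = fingerprint(ip, ua, 'site-a', store.saltFor('site-a', DAY));
  return {
    stableWithinWindow: a1 === a2,   // same salt, same fingerprint
    isolatedAcrossSites: a1 !== b1,  // different site ID and salt
    invalidAfterRotation: a1 !== a3, // old salt replaced at the window edge
  };
}
```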

What We Don't Collect#

We explicitly do not collect:

  • Personally Identifiable Information (PII) - No names, emails, phone numbers
  • Cookies - No browser storage or tracking cookies
  • Device fingerprints - No invasive client-side fingerprinting
  • Mouse movements - No session recordings or heatmaps
  • Form contents - We never capture what users type
  • Precise geolocation - No GPS or fine-grained location tracking
  • Cross-site data - Each website is completely isolated

If you accidentally send personal data (e.g., email in URL parameters), we'll still store it—so don't send PII to Pulsora. Structure your events and URLs to exclude personal information.

GDPR Compliance#

Pulsora is fully compliant with the General Data Protection Regulation (GDPR) without requiring consent banners.

We operate under legitimate interest (GDPR Article 6(1)(f)):

  • Analytics are necessary for website operation
  • Processing is minimal and privacy-respecting
  • Visitor impact is negligible (anonymous data only)
  • Benefits outweigh any privacy concerns

GDPR Article 4(1): Pseudonymization#

"...the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information..."

Pulsora's fingerprints meet this standard:

  • IP + User Agent are hashed with a rotating salt (additional information)
  • Salt is discarded after rotation (additional information destroyed)
  • Cannot link back to individuals without the salt

Right to Access & Deletion#

Because Pulsora doesn't store personal data, typical GDPR data subject requests don't apply:

  • Right to access: We don't have personal data to retrieve
  • Right to deletion: Data auto-expires through salt rotation
  • Right to rectification: No personal data to correct

If a visitor requests their data, you can explain:

  • All tracking is anonymous via server-side hashing
  • Raw IP addresses are never stored
  • Identifiers expire automatically (show your attribution window)
  • No personal data exists to retrieve or delete

No. Pulsora doesn't use cookies or collect personal data, so cookie/tracking consent is not required under GDPR.

Recommendation: Mention in your privacy policy that you use "anonymous analytics" and link to Pulsora's privacy documentation. Example language:

We use Pulsora Analytics to understand how visitors use our site. Pulsora is a privacy-first analytics service that doesn't use cookies or collect personal data. All visitor tracking is anonymous via server-side hashing. Learn more at [link to this page].

CCPA Compliance#

The California Consumer Privacy Act (CCPA) regulates the "sale" of personal information. Pulsora complies because:

  1. No personal information collected - Anonymous fingerprints aren't covered by CCPA
  2. No data sale - We don't sell or share visitor data with third parties
  3. No tracking across sites - Each website uses isolated identifiers

CCPA Rights#

Similar to GDPR, typical CCPA rights don't apply because we don't process personal information:

  • Right to know: We don't have personal data about individual consumers
  • Right to delete: Data auto-expires, no personal data to delete
  • Right to opt-out: No personal data sale to opt out of

PECR & ePrivacy Compliance#

The Privacy and Electronic Communications Regulations (PECR) govern cookies and tracking in the UK/EU.

Pulsora is PECR compliant because:

  • No cookies stored in the browser
  • No device storage used
  • Processing happens entirely server-side
  • Visitor consent not required for anonymous server-side processing

Data Retention & Deletion#

Automatic Expiration#

All visitor identifiers expire automatically through salt rotation:

  • Attribution window: 24 hours to 30 days (you choose)
  • After salt rotation: All fingerprints become invalid
  • Result: Visitors can't be tracked beyond your attribution window

Analytics Data Retention#

Aggregated analytics data (pageviews, events, revenue) is retained for:

  • Active accounts: Indefinitely, as long as your account is active
  • Deleted accounts: 90 days, then permanently deleted
  • Inactive accounts: 24 months of inactivity, then deleted

Personal data retention: N/A - we don't collect personal data

Manual Deletion#

You can manually delete your website's analytics data:

  1. Go to Website Settings
  2. Navigate to "Danger Zone"
  3. Click "Delete all analytics data"
  4. Confirm deletion

This permanently removes all pageviews, events, and revenue records for your website.

Data Residency#

Pulsora offers regional data storage to comply with data residency requirements:

  • EU Customers: Data stored exclusively on EU servers (GDPR-compliant infrastructure)
  • Non-EU Customers: Data stored on US/Global servers

You choose your data region when creating your account. Data never leaves your chosen region.

Data Transfers#

  • Within region: Data stays in your chosen region (EU or US)
  • Across regions: You control this via your region selection
  • Third parties: We don't transfer data to third parties

User Rights & Requests#

Handling Data Subject Requests#

When visitors request their data, you can respond:

"We use Pulsora Analytics, a privacy-first analytics service. Pulsora doesn't collect personal data about website visitors. All tracking is anonymous via server-side hashing with rotating identifiers. We don't store IP addresses, device fingerprints, or any information that could identify you personally. Because no personal data exists, there's nothing to retrieve, correct, or delete."

Transparency Report#

Pulsora hasn't received any government requests for user data because:

  1. We don't collect personal data
  2. Anonymous analytics aren't useful for surveillance
  3. We have nothing to provide even if requested

Best Practices for Your Application#

To maintain privacy compliance when using Pulsora:

1. Don't Send Personal Data#

Bad:

// DON'T DO THIS
pulsora.event('signup', {
  email: 'user@example.com', // ❌ PII
  phone: '+1234567890', // ❌ PII
  name: 'John Doe', // ❌ PII
});

Good:

// DO THIS INSTEAD
pulsora.event('signup', {
  plan: 'premium', // ✅ Anonymous
  source: 'google_ads', // ✅ Anonymous
  trial: true, // ✅ Anonymous
});

2. Sanitize URLs#

If your URLs contain sensitive data, exclude them:

// Filter out sensitive query parameters
pulsora.init({
  apiToken: 'pub_...',
  excludeParams: ['email', 'token', 'session_id'],
});
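
An added example covering practices 1 and 2 (not part of the Pulsora SDK): a pre-send guard that strips excluded query parameters from a URL and flags event properties that look like personal data. `scrubUrl`, `findPii` and `safeDecode` are hypothetical helper names, and the value patterns are heuristics chosen for this sketch.

```javascript
// Added illustration; helper names are hypothetical, not part of the Pulsora SDK.
// The value patterns are heuristics: they catch common shapes, not every case.
const EMAIL = /[^\s@\/?&=]+@[^\s@\/?&=]+\.[^\s@\/?&=]+/;
const PHONE = /^\+?\d(?:[\s().-]?\d){9,14}$/; // 10 to 15 digits
const PII_KEYS = new Set(['email', 'phone', 'name']); // keys from the "Bad" example

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Drop excluded query parameters and the fragment, then refuse to return a URL
// that still carries an email-like value in its path or remaining parameters.
function scrubUrl(rawUrl, excludeParams) {
  const url = new URL(rawUrl);
  const blocked = new Set(excludeParams.map((p) => p.toLowerCase()));
  for (const key of [...url.searchParams.keys()]) {
    if (blocked.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.hash = '';
  const parts = [safeDecode(url.pathname), ...url.searchParams.values()];
  if (parts.some((p) => EMAIL.test(p))) {
    throw new Error('URL still contains an email-like value');
  }
  return url.toString();
}

// Return the event property names that look like personal data, by key or value.
function findPii(props) {
  return Object.entries(props)
    .filter(([key, value]) =>
      PII_KEYS.has(key.toLowerCase()) ||
      (typeof value === 'string' &&
        (EMAIL.test(value) || PHONE.test(value.trim()))))
    .map(([key]) => key);
}
```

Running `findPii` in tests or in a wrapper around your event calls lets a property such as `email` fail loudly before it is ever sent.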

3. Update Your Privacy Policy#

Include a section about analytics:

Example privacy policy language:

Analytics: We use Pulsora, a privacy-first analytics service, to understand how visitors use our website. Pulsora doesn't use cookies or collect personal data. All visitor tracking is completely anonymous via server-side hashing with rotating identifiers. No IP addresses, device fingerprints, or personal information are stored. Learn more: [link to this page]

4. Configure Attribution Windows#

Choose the shortest attribution window that works for your business:

  • 24 hours: Maximum privacy, suitable for content sites
  • 7 days: Balanced approach, good for most businesses
  • 30 days: Longer tracking, suitable for B2B with long sales cycles

Shorter windows = more privacy = more compliance.

Compliance Certifications#

Pulsora is committed to security and compliance:

  • GDPR Compliant - EU data protection regulation
  • CCPA Compliant - California privacy law
  • PECR Compliant - UK/EU cookie & privacy regulations
  • SOC 2 Type II - Coming soon
  • ISO 27001 - Coming soon

Questions About Privacy?#

Can Pulsora track visitors across websites?#

No. Each website uses an isolated salt and website ID. Even if the same visitor visits two Pulsora-tracked websites, their fingerprints will be completely different.

Can you reverse a fingerprint to get the IP address?#

No. SHA256 is a one-way cryptographic hash. Given a fingerprint, it's mathematically infeasible to determine the original IP address + User Agent combination that created it.

What about VPNs and IP changes?#

If a visitor's IP or User Agent changes, they'll get a new fingerprint. This is expected and acceptable—it means more privacy for users, slightly less accurate visitor counts for you.

Can law enforcement request user data?#

They can request, but we have nothing to provide. Pulsora doesn't store personal data, so there's no data to hand over even if legally compelled.

Do you process data with third parties?#

No. All processing happens on Pulsora's infrastructure. We don't use third-party analytics, tracking, or data processors that have access to your analytics data.

Last updated: 2025-01-13

Need help with compliance? Contact privacy@pulsora.co