Privacy Policy

1. Introduction

ActionLab Analytics ("ActionLab," "we," "us," or "our") operates a web analytics platform available at actionlabanalytics.com. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your data.

ActionLab is designed from the ground up to be privacy-first. Our tracking is cookie-free, does not store IP addresses, does not use fingerprinting, and does not collect any personally identifiable information from the visitors of websites that use our service. No consent banner is required for visitor tracking because we do not process personal data of website visitors.

This policy covers two distinct categories of individuals:

• Website visitors -- people who browse websites that have installed the ActionLab tracking snippet.
• Registered users (customers) -- people who create an ActionLab account to view their analytics dashboards and manage their sites.

2. Information We Collect

2.1 Visitor Analytics Data

When a website installs our tracking snippet, we collect the following non-personal, aggregated data about each page view or custom event:

• Page URL and path
• Referrer URL
• Device type (desktop, mobile, tablet)
• Browser name and version
• Operating system
• Screen width
• Country, region, and city (derived from a server-side GeoIP lookup)
• UTM parameters (source, medium, campaign, term, content)
• Custom event names and properties defined by the site owner

Sessions are identified using a random UUID stored in the browser's sessionStorage, which is scoped to the individual browser tab and automatically cleared when the tab is closed. This is not a cookie and cannot be used to track visitors across tabs, sessions, or websites.

GeoIP lookups are performed server-side at the moment the event is received. The visitor's IP address is used transiently for this lookup and is never written to disk, stored in any database, or included in log files. Only the resulting country, region, and city are retained.

2.2 Registered User Account Data

When you create an ActionLab account, we collect:

• Name
• Email address
• Password (stored as a one-way bcrypt hash; we never store your plaintext password)
• Organization name (if provided)
• Billing information (processed and stored by Stripe; we do not store credit card numbers)

Account data is stored in PostgreSQL and is used solely to authenticate you, manage your sites, and provide the analytics service.

3. Information We Do NOT Collect

ActionLab is specifically designed to avoid collecting personal data from website visitors. We do not collect, store, or process any of the following from visitors:

• Cookies -- we set zero cookies of any kind (no first-party, no third-party, no tracking cookies)
• IP addresses -- IPs are used transiently for GeoIP lookup and immediately discarded; they are never stored
• Names, emails, or any personal identifiers
• Browser fingerprints -- we do not compute or store canvas, WebGL, font, or any other fingerprints
• Form contents -- we never read, intercept, or transmit data entered into forms
• Cross-site tracking identifiers -- our session identifier is a random UUID in sessionStorage, scoped to a single tab, and cannot be used to correlate activity across sites or sessions

Because we do not collect personal data from website visitors, ActionLab does not require a cookie consent banner under GDPR, CCPA, or PECR. Site owners using ActionLab can remove their consent banners for analytics purposes.

4. How We Use Information

4.1 Visitor Analytics Data

• Displaying aggregated analytics dashboards to site owners (page views, unique visitors, referrers, top pages, device breakdowns, geographic distribution)
• Powering the Explorer features (event analysis, funnels, cohorts, flow analysis, and segments)
• Generating AI-powered insights and recommendations (when enabled by the site owner) using aggregated, non-personal summaries

4.2 Registered User Data

• Authenticating your account and managing sessions
• Sending transactional emails (verification, password reset, team invitations)
• Processing billing and subscriptions through Stripe
• Providing customer support
• Enforcing our terms of service and preventing abuse

We do not sell, rent, or share your data with third parties for advertising or marketing purposes. We do not display ads. We do not build user profiles for ad targeting.

5. Data Storage and Security

Analytics event data is stored in ClickHouse, a columnar database optimized for fast aggregation queries. Account and organizational data is stored in PostgreSQL. Both databases are access-controlled and not publicly accessible.

We implement the following security measures:

• All data in transit is encrypted via TLS (HTTPS)
• Passwords are hashed using bcrypt with a per-user salt
• JWT-based authentication with short-lived tokens
• Role-based access controls for team and organization management
• Rate limiting on all API endpoints and authentication routes
• Content Security Policy (CSP) headers on the dashboard
• API keys are hashed before storage and can be rotated at any time
• Input validation and parameterized queries to prevent injection attacks

While we take reasonable measures to protect your data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

6. Third-Party Services

ActionLab integrates with the following third-party services. These integrations are used only when applicable and are subject to each provider's own privacy policy.

6.1 Anthropic (Claude API)

When AI insights are enabled, we send aggregated, non-personal analytics summaries (such as top pages, traffic trends, and referrer distributions) to the Anthropic Claude API to generate actionable recommendations. No visitor-level data, IP addresses, or personal information is included in these requests. Anthropic's API data usage policy applies: anthropic.com/privacy.

6.2 Stripe

We use Stripe to process subscription payments. When you subscribe to a paid plan, your payment information is collected and processed directly by Stripe. We do not store credit card numbers on our servers. Stripe's privacy policy: stripe.com/privacy.

6.3 Resend

We use Resend to send transactional emails to registered users (account verification, password resets, team invitations). Only your email address and the email content are shared with Resend. No visitor analytics data is transmitted. Resend's privacy policy: resend.com/legal/privacy-policy.

6.4 MaxMind GeoIP

We use MaxMind's GeoIP database for server-side geographic lookups. The visitor's IP address is used in-memory for the lookup and is immediately discarded. Only the resulting country, region, and city values are stored. MaxMind's privacy policy: maxmind.com/en/privacy-policy.

6.5 Google (GA4 Import)

ActionLab offers an optional Google Analytics 4 import feature that allows you to migrate your historical GA4 data into ActionLab. This requires you to authenticate with your Google account via OAuth2. We request read-only access to your GA4 reporting data. The imported data is stored in your ActionLab account and subject to this privacy policy. We do not retain your Google OAuth tokens beyond the duration of the import session. Google's privacy policy: policies.google.com/privacy.

7. Data Retention

Analytics event data is retained according to your subscription plan:

• Free plan: 180 days
• Pro plan: 1 year
• Enterprise plan: 2 years

When event data exceeds your retention window, it is permanently deleted from our ClickHouse databases. Deletion occurs automatically on a rolling basis.

Registered user account data is retained for as long as your account is active. If you delete your account, we will delete your personal data and all associated analytics data within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (such as billing records).

8. Your Rights

8.1 For Website Visitors

Because ActionLab does not collect personal data from website visitors, there is no personal data to access, correct, delete, or port. We do not maintain any records that could identify an individual visitor. This is by design.

8.2 For Registered Users (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of access -- request a copy of the personal data we hold about you
• Right to rectification -- request correction of inaccurate data
• Right to erasure -- request deletion of your personal data
• Right to restriction -- request that we limit processing of your data
• Right to data portability -- request your data in a structured, machine-readable format
• Right to object -- object to processing of your data for certain purposes

Our lawful basis for processing registered user data is contractual necessity (to provide the service you signed up for) and legitimate interest (to secure and improve the platform).

8.3 For Registered Users (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to know -- request disclosure of the categories and specific pieces of personal information we have collected
• Right to delete -- request deletion of your personal information
• Right to opt out of sale -- we do not sell personal information to third parties, so there is nothing to opt out of
• Right to non-discrimination -- we will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at privacy@actionlabanalytics.com. We will respond within 30 days.

9. Children's Privacy

ActionLab does not knowingly collect personal information from children under the age of 16. Our service is intended for use by businesses and website operators. If you believe a child under 16 has created an ActionLab account, please contact us at privacy@actionlabanalytics.com and we will promptly delete the account.

Regarding website visitors: since our tracking does not collect any personal data, it does not implicate COPPA or equivalent children's privacy regulations with respect to visitor tracking.

10. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. If the changes are significant, we will notify registered users by email or through an in-dashboard notice.

We encourage you to review this policy periodically. Your continued use of ActionLab after changes are posted constitutes your acceptance of the revised policy.

11. Contact

If you have any questions about this privacy policy, your data, or your rights, you can reach us at:

We aim to respond to all privacy-related inquiries within 30 days.