Devlune
webmaster
Get Started Free

Privacy Policy

Last updated: May 17, 2025

This Privacy Policy explains how Devlune Webmaster ("we", "us") collects, uses, and protects data. This policy covers two categories of people:

  • Site Owners — people who create a Devlune Webmaster account and install our scripts.
  • End Users — visitors to websites that use Devlune Webmaster tracking.

1. Data We Collect from Site Owners (You)

  • Account data: Name, email address, hashed password.
  • Billing data: Processed by Stripe/Razorpay. We do not store credit card numbers.
  • Site configuration: Domain names, form configurations, counter settings.

2. Data We Collect from End Users (Site Visitors)

When a visitor loads a page with our tracking script, the following is collected:

Data PointHow StoredPurpose
IP addressSHA-256 hash with daily saltUnique visitor count (non-reversible)
User-AgentSHA-256 hashDevice/browser/OS stats
CountryCountry code (e.g., "US")Geographic analytics
Page URLFull pathPage-level analytics
ReferrerDomain onlyTraffic source tracking
UTM parametersAs provided in URLCampaign tracking
Screen sizeWidth categoryDevice type classification
Form submissionsFull payload as submittedDelivered to Site Owner

3. What We Do NOT Collect

  • ❌ No cookies are ever set on End Users' browsers.
  • ❌ No browser fingerprinting (canvas, WebGL, font enumeration, etc.).
  • ❌ No cross-site tracking or third-party advertising data.
  • ❌ No personal identifiers (name, email) unless voluntarily submitted via forms.
  • ❌ No raw IP addresses are stored — only irreversible hashes.

4. How We Process Data

  • Edge processing: Analytics events are processed at Cloudflare's edge network (200+ locations globally). IP hashing happens at the edge before any data reaches our database.
  • Storage: Processed data is stored in Supabase (PostgreSQL) hosted in the US.
  • Retention: Free: 7 days. Pro: 90 days. Studio: 2 years. Data is permanently deleted after retention expires.

5. Legal Basis (GDPR)

We process End User data under legitimate interest (Article 6(1)(f) GDPR). Our analytics are privacy-preserving by design:

  • No personal data is stored (hashes are non-reversible).
  • No consent banner is required because no cookies are set.
  • The data collected is minimal and proportionate to the purpose (website analytics).

6. Data Sharing

We do not sell, rent, or share data with third parties for advertising. Data is shared only with:

  • Cloudflare — edge compute and CDN (data processor).
  • Supabase — database hosting (data processor).
  • Stripe / Razorpay — payment processing (billing data only).
  • Resend — transactional email delivery.

7. Your Rights (Site Owners)

  • Access: View all your data in the dashboard.
  • Export: CSV export of analytics and form submissions (Pro+).
  • Deletion: Delete your account and all associated data from Settings.
  • Portability: Export your data before deleting your account.

8. End User Rights

Since we do not store personal data (only non-reversible hashes), individual End User data cannot be identified, accessed, or deleted. This is by design — it's the most privacy-preserving approach possible.

If an End User contacts us requesting data deletion, we will confirm that no personally identifiable data exists in our systems.

9. Security

  • All data in transit is encrypted (TLS 1.3).
  • Database access is protected by Row-Level Security policies.
  • API endpoints are rate-limited to prevent abuse.
  • Form submissions are protected by Cloudflare Turnstile.
  • Embed tokens use HMAC-SHA256 signatures with 5-minute TTL.

10. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy. Material changes will be communicated via email 14 days before taking effect.

12. Contact

Data protection inquiries: privacy@devlune.in

Data Controller: DevLune, India.