Privacy Policy
Last updated: April 19, 2026
1. Who we are
OpenAnalyticsAPI.com is a web and mobile analytics platform. We are committed to data minimization and privacy by default. We do not sell, share, or transmit your data to third parties for advertising purposes.
2. Data we collect about you (as a customer)
- Name and email address (for account creation and billing)
- Billing information (processed by Stripe — we never see raw card numbers)
- Usage data (API calls, projects created, events processed) for billing and abuse prevention
- Login session data (cookie on .openanalyticsapi.com)
3. Data we collect on behalf of you (about your end users)
When you install the OpenAnalyticsAPI tracking snippet or SDK on your website or app, we process analytics data about your end users on your behalf. We act as a data processor; you are the data controller.
- By default, we anonymize IP addresses (last octet set to 0) before storage
- We use cookieless fingerprinting with a daily-rotating salt — no persistent tracking cookie
- No data is shared with third parties
- EU ingest and storage nodes by default for EU customers
4. Data retention
- Free tier: 90 days of event data
- Pro: 12 months
- Business: 24 months
- Enterprise: custom
- Account data: retained until account deletion request
5. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, and port your data. To exercise these rights, email privacy@openanalyticsapi.com.
If you are an end user of a website using OpenAnalyticsAPI, contact the website operator (the data controller) directly.
6. Cookies
OpenAnalyticsAPI itself uses one session cookie (oa_session) on the console subdomain for authentication. This is a strictly necessary cookie and does not require consent under GDPR.
The tracking snippet (oa.js) in cookieless mode (default) does not set any cookies on your end users' browsers.
7. Subprocessors
We use a small, deliberately short list of third-party service providers:
- Stripe (USA / Ireland) — payment processing. Stripe's privacy policy applies to payment data.
- Our domain registrar — DNS records for openanalyticsapi.com.
All other infrastructure (ingest, query, storage, console, replay storage, alerting, mail relay) runs on VPS instances we operate end-to-end. We do not use AWS, GCP, Azure, or hosted SaaS analytics for any core platform function.
An updated subprocessors list will be maintained at this URL. Material changes will be communicated via email to account owners at least 30 days in advance.
8. Session Replay — masking & acceptable use
Session Replay (available on Pro+) is implemented with rrweb. By default, all <input>, <textarea>, and any element marked with data-oa-mask are masked at capture time on the user's browser, before any data leaves the device.
Customer obligations. As the website operator, you must:
- Not configure replay to capture passwords, payment card data, health data, government IDs, or other special-category personal data.
- Add data-oa-mask (or use the API oa.mask(selector)) on any field that displays sensitive information beyond the defaults.
- Disclose session replay in your own privacy notice where required by local law.
Replay sessions inherit your project retention setting and can be deleted on request via the console or API.
9. Data deletion
- Project deletion — when you delete a project from the console, associated event data and replay recordings are scheduled for permanent deletion within 30 days.
- Account deletion — when you delete your account, all projects and event data are scheduled for permanent deletion within 30 days; billing records may be retained for the period required by tax law.
- End-user data subject requests — if you are an end user of a website using OpenAnalyticsAPI, contact the website operator (the data controller) first. Customers can fulfil DSAR requests through the beta privacy API: GET /v1/projects/{id}/privacy/user/{user_id} returns a sanitized per-user export, and DELETE on the same path queues an asynchronous deletion request. Bulk or out-of-band deletion requests can still be submitted via email to privacy@openanalyticsapi.com and are processed within five business days.
10. Data Processing Agreement (DPA)
A standard Data Processing Agreement is available on request to customers on the Business and Enterprise tiers, and may be made available on Pro on a case-by-case basis. Email privacy@openanalyticsapi.com to request the current version.
11. Contact
Questions? Email privacy@openanalyticsapi.com.