Privacy Policy

Last updated: March 20, 2026

Who we are

INSG is a privacy-first web analytics service operated at insg.io. When we say "we," "us," or "our," we mean INSG. When we say "you," we mean you — either as a INSG account holder or as a visitor to a website that uses INSG.

What we collect from website visitors (people visiting sites that use INSG)

When you visit a website that uses our tracking script, we collect the following data for each pageview:

  • Page URL and hostname
  • Referrer URL (the page you came from)
  • Country (derived from the edge server location, not from your IP address)
  • Browser name and operating system
  • Device type (desktop, mobile, tablet)
  • Screen size
  • UTM campaign parameters (if present in the URL)
  • Engagement signals (scroll depth, time on page, clicks)

Session grouping (linking pageviews within a single visit) is done entirely server-side using a daily-rotating anonymous hash. No session token is stored in the browser. The tracker writes nothing to cookies, localStorage, or sessionStorage. The only client-side storage access is a localStorage read to check for the opt-out flag (insg_ignore).

What we do NOT collect from website visitors:

  • IP addresses — processed transiently in memory, combined with a daily rotating salt, and fed into an irreversible counting structure. The IP is never stored, never logged, and cannot be recovered
  • Cookies — we never set any
  • Personal information (names, emails, etc.)
  • Browser fingerprints
  • Cross-site tracking data

All analytics data is irreversibly anonymous. It is mathematically impossible to extract any individual visitor's information from the data we store. We do not create visitor profiles and have no way to identify specific people. For more details, see our privacy technology page.

What we collect from INSG account holders

When you create a INSG account, we collect:

  • Email address (for login and account communication)
  • Password (securely hashed — we cannot read your password)
  • Payment information (processed by Stripe — we do not store card numbers)
  • Site domains you add to your account

This data is stored securely and is used only for providing the INSG service. We do not sell, share, or rent your personal information to third parties.

Cookies

Our tracking script sets zero cookies on your visitors' browsers. The INSG website itself uses a session cookie when you log in to your account — this is a strictly necessary cookie for authentication and does not require consent under GDPR.

GDPR compliance

INSG is designed to be GDPR-compliant by default:

  • We do not process personal data of website visitors
  • We do not set cookies on website visitors
  • We do not track visitors across websites
  • No consent banner is required for our tracking script

For INSG account holders, we process your email address and payment information under the legal basis of contractual necessity (Article 6(1)(b) GDPR) — we need this data to provide you with the service you signed up for.

Your rights (GDPR & CCPA)

If you have a INSG account, you have the right to:

  • Access your personal data (email, account info)
  • Correct inaccurate data
  • Delete your account and all associated data
  • Export your data in a machine-readable format
  • Object to processing of your personal data

If you're a visitor to a website using INSG, we don't have any personal data about you to access, correct, or delete — because all identifiable data is destroyed irreversibly during processing and only anonymous statistical summaries are stored.

To exercise any of these rights, email privacy@insg.io.

Data storage and security

  • Analytics data is stored on globally distributed edge infrastructure
  • Account data is stored in an encrypted database
  • Passwords are securely hashed using industry-standard algorithms — we cannot read your password
  • All data is transmitted over HTTPS
  • Payment processing is handled by Stripe (PCI-DSS compliant)

Third-party services

  • Stripe — payment processing (PCI-DSS compliant)

We do not use Google Analytics, advertising networks, or any other tracking services on insg.io.

Data retention

  • Analytics data is retained according to your plan (Free: 30 days, Standard: 6 months, Pro: 1 year)
  • Retention is enforced by a daily automated process that permanently deletes expired events, aggregate rollups, and archived data — no manual intervention required
  • Account data is retained until you delete your account
  • When you delete your account, all associated data is permanently removed

Data sanitization

All event data undergoes server-side sanitization before storage to prevent accidental collection of personal information:

  • Email patterns are automatically detected and stripped from event data
  • URL query strings are removed from form actions and outbound/download URLs (only hostname and path are retained)
  • DOM snapshots have all visible text redacted (replaced with block characters) and are limited to explicitly opted-in elements via data-hm-paths
  • Copy-text tracking is limited to 20 characters with email pattern redaction applied

These safeguards ensure that even if a visitor accidentally types personal data into a form or URL, it is stripped before reaching our database.

Changes to this policy

We may update this privacy policy from time to time. We'll post the updated version here and update the "Last updated" date. For significant changes, we'll notify account holders by email.

Contact

Questions about this policy? Email privacy@insg.io.