Privacy Policy
Last updated: March 29, 2026
Who we are
INSG is a privacy-first web analytics service operated by INSG (sole proprietor).
- Website: insg.io
- Email: privacy@insg.io
When we say "we," "us," or "our," we mean INSG. When we say "you," we mean you — either as an INSG account holder or as a visitor to a website that uses INSG.
Data Protection Officer
INSG has not appointed a Data Protection Officer. Under Article 37 of the GDPR, a DPO is required when an organization carries out large-scale systematic monitoring of individuals or large-scale processing of special categories of data. INSG does neither — we process only anonymous aggregate analytics data from website visitors and minimal account data from our customers. If you have privacy questions, contact privacy@insg.io.
Purposes and legal basis for processing
We process data for the following purposes:
| Processing Activity | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Website visitor analytics | Provide traffic and behavior reports to site owners | Anonymization — the data we store does not constitute personal data under GDPR Recital 26. IP addresses are processed transiently and immediately transformed via a one-way hash with a daily rotating salt. The output cannot be reversed. Alternatively: Legitimate interest (Art. 6(1)(f)) of the site owner in understanding website performance, balanced against the minimal impact on visitor privacy (no cookies, no persistent identifiers). |
| Account management | Provide the INSG service, process payments, send transactional emails | Contractual necessity (Art. 6(1)(b)) — we need your email and payment info to provide the service you signed up for |
| Shopify e-commerce events | Revenue tracking, conversion analysis, cohort reports for store owners | Contractual necessity (Art. 6(1)(b)) of the merchant's service agreement + Anonymization for visitor-level data |
| Shopify customer email (marketing opt-in only) | Cohort analysis and lifetime value tracking for opted-in customers | Consent (Art. 6(1)(a)) — only processed when the customer has explicitly opted into marketing on the merchant's store. You may withdraw consent at any time (see "Your rights" below). |
| AI-powered analysis | Generate actionable recommendations from aggregate analytics data | Contractual necessity (Art. 6(1)(b)) — only aggregate statistical summaries are sent to the AI model. No personal data, visitor identifiers, or raw events. |
What we collect from website visitors
When you visit a website that uses our tracking script, we collect the following data for each pageview:
- Page URL and hostname
- Referrer URL (the page you came from)
- Country (determined at the network edge using IP geolocation — the IP address itself is not stored)
- Browser name and operating system
- Device type (desktop, mobile, tablet) and screen size
- UTM campaign parameters (if present in the URL)
- Page performance metrics (loading speed, visual stability, responsiveness)
- Outbound link clicks and file download clicks (hostname and path only)
- Scroll depth milestones (25%, 50%, 75%, 100%)
- Attention time (seconds spent actively viewing the page)
- Behavioral signals stored as aggregate rollups: click patterns, scroll behavior, content engagement, page element visibility
- Click heatmap coordinates (aggregated per page)
- Page structure snapshots for heatmap overlay (all visible text redacted, form values stripped)
- Copy-text events (truncated to 20 characters, email addresses automatically redacted)
Session grouping is done entirely server-side. No session token is stored in the browser. The tracker writes nothing to cookies, localStorage, or sessionStorage. The only client-side storage access is a localStorage read to check for the opt-out flag (insg_ignore).
What we do NOT collect:
- IP addresses — never stored. IPs are processed transiently in server memory, combined with the visitor's User-Agent and a daily rotating salt, then fed into a one-way hash function. The output is an anonymous identifier used for visitor counting. The original IP cannot be recovered. The salt rotates every 24 hours, preventing cross-day tracking. Each site has an isolated salt, preventing cross-site linking.
- Cookies — we never set any
- Personal information — no names, emails, phone numbers, or account IDs
- Browser fingerprints — no canvas, WebGL, font, or hardware fingerprinting
- Cross-site tracking data — each site has an isolated salt, so visitors cannot be linked across websites
The anonymous identifier is stored alongside each pageview for visitor counting. It persists for the duration of your plan's retention period (Standard: 1 year, Pro: 2 years) and is then automatically deleted.
What we collect from INSG account holders
- Email address (for login and account communication)
- Password (securely hashed — we cannot read your password)
- Payment information (processed by Stripe — we do not store card numbers)
- Site domains you add to your account
This data is stored securely and used only for providing the INSG service. We do not sell, share, or rent your personal information to third parties.
Shopify integration
Storefront pixel (visitor side)
When a Shopify merchant installs INSG, our web pixel runs inside Shopify's sandboxed customer-events environment. It captures e-commerce funnel events (product viewed, collection viewed, cart updated, checkout started, address submitted, shipping submitted, payment submitted, purchase, search) plus product metadata (product id, name, variant, price, currency). It writes no cookies and no client-side storage. Visitor identity is the same daily-rotating SHA-256 hash used by the rest of INSG (computed from User-Agent, language, screen size, and the day's salt — irreversible, no PII).
The pixel respects Shopify's Customer Privacy API: if the visitor has opted out of analytics, no events are emitted.
Shopify Admin API (merchant side)
On install, INSG performs a one-time historical backfill via the Shopify Admin API: up to 90 days of completed orders. After that, ongoing orders flow in via the orders/paid webhook (when registered).
Per-field disclosure: what INSG ingests from Shopify orders
The Shopify orders/paid webhook payload includes Protected Customer Data fields (email, name, phone, billing/shipping addresses). INSG discards every Protected Customer Data field at the point of receipt — they are dropped in the normalizer (normalizeShopifyWebhookOrder) before any downstream handler runs and before anything is logged or persisted. The full per-field table:
| Shopify field | INSG handling | Purpose |
|---|---|---|
| id | Stored | Order primary key, deduplication |
| total_price, subtotal, tax, shipping, discount, currency | Stored | Revenue analytics |
| line_items (product id, title, variant title, quantity, unit price) | Stored | Product performance, attribution |
| refunds (id, amount, reason, timestamp) | Stored | Net revenue calculation |
| shipping_address.country_code | Stored (country code only) | Revenue-by-country breakdown (country alone is non-PII per GDPR Recital 26) |
| landing_site, UTM parameters | Stored | Marketing attribution |
| customer.id | Hashed (one-way SHA-256 with site-specific salt) → customer_hash; raw id discarded | Repeat-buyer detection (cross-order join key) |
| customer.email | Discarded | — |
| customer.first_name, customer.last_name | Discarded | — |
| customer.phone | Discarded | — |
| billing_address.* (street, city, postal code, etc.) | Discarded | — |
| shipping_address.* (street, city, postal code, recipient name) | Discarded (only country_code retained, see above) | — |
| Payment method, card details, transactions | Discarded (never received — Shopify does not include in webhook) | — |
Cart recovery emails
When INSG detects checkout abandonment (the visitor reached the address step but did not complete payment), it fires a Shopify Flow trigger (insg-checkout-shipping-hesitation) with the opaque checkout_token and the anonymous visitor hash. INSG does not handle the recovery email itself. The merchant configures a Shopify Flow workflow that uses Shopify's own customer record to send the email — the email address never leaves Shopify's boundary, and INSG never sees it.
Sub-processors for Shopify integration data
- Cloudflare Workers + D1 — runtime + primary storage for normalized order data and shop configuration (region: globally distributed; aggregated metrics only on the storage side)
- Cloudflare R2 — long-term archive of aggregated event data
- Stripe — billing for paid INSG plans (does not receive Shopify order data)
We do not transfer Shopify order data to third-party advertising networks, data brokers, AI training providers, or any party other than the sub-processors listed above.
Retention
- Free plan: 90 days rolling
- Standard plan: 365 days rolling
- Pro plan: 730 days rolling
- On app uninstall, all shop configuration data is deleted within 48 hours; all commerce data within 30 days (per Shopify's GDPR webhook handling)
Shopify GDPR / CCPA webhook compliance
INSG implements Shopify's three mandatory privacy webhooks (customers/data_request, customers/redact, shop/redact) at app.insg.io/webhooks. Because INSG holds no email/name/phone/address for shoppers, customer data requests return only the anonymous customer_hash and any orders linked to it; redact requests delete the hash and its linked rows. Shop-level redact requests delete all data for that store within 30 days.
Cookies
Our tracking script sets zero cookies on your visitors' browsers. The INSG website itself uses a session cookie when you log in to your account — this is a strictly necessary cookie for authentication and does not require consent under GDPR/ePrivacy.
Third-party services and data processors
We use the following third-party services to operate INSG:
- Cloudflare, Inc. (US) — Infrastructure provider. All analytics data is processed and stored on Cloudflare Workers, D1 (database), KV (cache), R2 (object storage), and Durable Objects. Cloudflare processes data globally at edge locations but persistent storage is in Western Europe (EU). Transfer mechanism: EU Standard Contractual Clauses (SCCs) as part of Cloudflare's Data Processing Addendum.
- Stripe, Inc. (US) — Payment processing. Receives account holder payment information only. PCI-DSS compliant. Transfer mechanism: EU-US Data Privacy Framework + SCCs.
- Resend (US) — Transactional email delivery (email reports, account notifications). Receives account holder email address only. Transfer mechanism: SCCs.
- OpenAI (US) — AI-powered analysis features (Standard and Pro plans). Receives only aggregate statistical summaries — no personal data, visitor identifiers, or raw events. Transfer mechanism: SCCs + OpenAI's Data Processing Addendum.
- Google — OAuth login only (if you choose Google Sign-In). We receive your email and name; Google receives the OAuth authorization code. Transfer mechanism: EU-US Data Privacy Framework.
- Shopify — For Shopify App Store merchants only. We receive e-commerce events and order totals via Shopify's pixel and webhook APIs. No customer personal data is transmitted to INSG.
We do not use Google Analytics, advertising networks, or any other tracking services on insg.io.
International data transfers
Our primary database is hosted in Western Europe (EU). Data processing occurs on Cloudflare's global edge network, which means analytics data may transit through non-EU locations during processing. However, all persistent storage (databases, caches, archives) is EU-based.
For third-party processors located outside the EEA (Cloudflare, Stripe, Resend, OpenAI), we rely on EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework as the legal mechanism for data transfers under GDPR Chapter V.
Data retention
- Analytics events and behavioral rollups: retained per plan (Standard: 1 year, Pro: 2 years). 30-day free trial uses the selected plan's retention.
- Heatmap snapshots and click data: 90 days regardless of plan.
- Account data (email, site domains): retained until you delete your account.
- Payment records: retained by Stripe per their retention policy and applicable tax/accounting laws.
Retention is enforced by a daily automated process that permanently deletes expired events, rollups, and archived data. When you delete your account, all associated data is permanently removed.
Your rights
GDPR rights (EU/EEA/UK residents):
If you have an INSG account, you have the right to:
- Access — request a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — delete your account and all associated data (Art. 17)
- Restriction — request we restrict processing of your data (Art. 18)
- Portability — receive your data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20)
- Objection — object to processing based on legitimate interest (Art. 21)
- Withdraw consent — where consent is the legal basis (e.g., Shopify marketing email processing), you may withdraw at any time. Withdrawal does not affect the lawfulness of processing before withdrawal (Art. 7(3)).
If you are a visitor to a website using INSG, we store only anonymous aggregate data that cannot identify you. We do not create visitor profiles and have no way to link analytics data to a specific person.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.
CCPA/CPRA rights (California residents):
Under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — you may request what personal information we have collected about you in the past 12 months, including categories, sources, purposes, and third parties.
- Right to delete — you may request deletion of your personal information.
- Right to correct — you may request correction of inaccurate personal information.
- Right to opt out of sale/sharing — INSG does not sell or share personal information as defined by the CCPA/CPRA. We do not sell data to third parties, share data for cross-context behavioral advertising, or use data for targeted advertising. There is nothing to opt out of.
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights. You will receive the same service quality and pricing regardless of whether you exercise your rights.
Sensitive personal information:
INSG does not collect sensitive personal information as defined by the CPRA (Cal. Civ. Code § 1798.140(ae)), including social security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health data, or sexual orientation.
CCPA categories of personal information collected (past 12 months):
- Identifiers (account holders only): email address. Source: directly from you. Purpose: account management. Shared with: Stripe (payment), Resend (email delivery).
- Internet or electronic network activity (website visitors): page URLs, referrers, browser type, device type. Source: automatically collected via tracking script. Purpose: provide analytics reports. Shared with: Cloudflare (infrastructure).
- Geolocation data (website visitors): country only (not precise). Source: IP geolocation at network edge. Purpose: geographic traffic reports. Shared with: Cloudflare (infrastructure).
- Commercial information (Shopify stores): order totals, product metadata. Source: Shopify Admin API. Purpose: revenue and commerce reports. Shared with: Cloudflare (infrastructure).
To exercise any of these rights, email privacy@insg.io. We will respond within 30 days (GDPR) or 45 days (CCPA).
Automated decision-making
INSG does not make automated decisions about individuals. Our SBDA diagnostic engine analyzes aggregate page-level metrics (bounce rates, click patterns, scroll behavior) to identify conversion issues on websites. These diagnostics are about pages and site performance, not about individual visitors. No profiling of individuals occurs, and no decisions with legal or similarly significant effects are made about any person based on automated processing.
Data sanitization
All event data undergoes automatic server-side sanitization before storage:
- Email patterns are automatically detected and stripped from event data
- URL query strings are removed from stored URLs — only hostname and path are kept
- Page structure snapshots have all visible text redacted and form values stripped
- Copy-text tracking is truncated to 20 characters with email pattern redaction
Data storage and security
- Primary database hosted in Western Europe (EU), encrypted at rest
- All data transmitted over HTTPS
- Passwords hashed using industry-standard algorithms
- Payment processing handled by Stripe (PCI-DSS compliant)
- Account deletion permanently removes all data — events, behavioral data, heatmap data, analysis results, and archives
Compliance
- GDPR & ePrivacy Directive — No cookies, no client-side storage. No consent banner required for our tracking script.
- UK GDPR & PECR — Same: no cookies, no client-side storage.
- CCPA / CPRA — No sale or sharing of personal information. Sensitive PI not collected.
- LGPD, PIPEDA, POPIA, APPI — Data minimization approach designed for global compliance.
Privacy laws differ in scope, but they all favor data minimization. Consult your privacy counsel for your specific situation.
Changes to this policy
We may update this privacy policy from time to time. We'll post the updated version here and update the "Last updated" date. For significant changes, we'll notify account holders by email.
Contact
Questions about this policy? Email privacy@insg.io.