Legal

Privacy Policy

Last updated: February 2026

1. Who is VulpaSoft?

VulpaSoft (“we”, “us”, “our”) operates a privacy-first behavioral analytics platform. This Privacy Policy explains how we collect, use, and protect data when you use our service or when your website visitors are tracked using our SDK.

We are committed to full compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive.

2. What data does VulpaSoft collect?

What we collect
  • Page URL and path
  • Click positions and scroll depth
  • Device type and viewport size
  • Referrer URL and UTM parameters
  • Anonymous visitor ID (daily hash)
What we don't collect
  • IP addresses (hashed + discarded)
  • Names, emails, or any PII
  • Form input content (masked)
  • Cookies or persistent trackers
  • Cross-site tracking data

VulpaSoft Customers (dashboard users)

When you create an account, we collect:

  • Email address
  • Password (hashed, never stored in plain text)
  • Project and domain information you provide
  • Billing information (processed by Stripe)

3. How is the data used?

  • Analytics data: To generate behavior maps, scroll maps, session replays, and other analytics reports for our customers.
  • Account data: To provide and maintain your account, send service-related communications, and process payments.

We never sell, share, or monetize analytics data. Your data is used solely to provide the analytics service to you.

4. Does VulpaSoft use cookies?

The VulpaSoft SDK uses zero cookies. We do not set any cookies on your visitors' browsers. Our visitor identification uses a privacy-friendly fingerprinting method based on a daily-rotating hash that cannot be used to track users across days or across websites.

The VulpaSoft dashboard may use essential cookies for authentication (session management). These are strictly necessary and do not require consent under GDPR.

5. Where is the data stored?

All data is stored exclusively in Frankfurt, Germany (EU). Our infrastructure providers are:

  • Supabase (Frankfurt) — Database, authentication, storage
  • Tinybird (Frankfurt) — Analytics data processing
  • Upstash (Frankfurt) — Caching and deduplication
  • Vercel (Frankfurt) — Application hosting
  • Stripe (EU processing) — Payment processing

Data never leaves the European Union. A full list of sub-processors is available on our Compliance page.

6. How long is data retained?

Analytics data is retained according to your plan:

  • Free: 7 days
  • Build: 30 days
  • Grow: 60 days
  • Expand: 90 days (customizable)

Account data is retained for the duration of your account and deleted within 30 days of account closure.

7. What are my rights?

Under GDPR, you have the right to:

  • Access your data at any time via the dashboard
  • Export all data with one click from Settings
  • Delete all data with one click from Settings
  • Rectify your account information
  • Object to processing (contact us)
  • Port your data to another provider

8. Is a DPA available?

Yes. A Data Processing Agreement (DPA) is available for all customers. You can download it from your Settings page after creating an account, or download it directly here.

9. How is the data secured?

We implement appropriate technical and organizational measures to protect data, including:

  • Encryption in transit (TLS) and at rest
  • IP anonymization before storage (irreversible SHA-256)
  • PII auto-masking in session replays
  • Row-level security for data isolation between customers
  • Regular security audits and dependency updates

10. Who can I contact?

For privacy-related inquiries, contact us at privacy@vulpasoft.com.

For data protection officer inquiries: dpo@vulpasoft.com

See our full compliance details

Learn about our GDPR compliance architecture and sub-processors.

View compliance page