Privacy Policy

OakData is a privacy-conscious web analytics and session replay platform. This policy explains what personal data we collect when you use OakData as a customer, and how we act as a processor for the visitor data our customers ingest through our tracker. It does not govern what our customers themselves do with that data — for that, please consult the privacy policy of the website you visited.

OakData plays two distinct privacy roles depending on whose data is involved.

For our customers (controller)

When you sign up for an OakData account, we are the controller of your personal data (email, billing details, etc.).

For visitor analytics (processor)

When events and session recordings are sent from a customer's website to OakData, our customer is the controller of that data and OakData processes it on their behalf under the customer's instructions. We do not sell, share or use visitor data for any purpose outside of providing the service to that customer.

Account information

• Email address and full name
• Profile picture (if provided via SSO)
• Account creation and last sign-in timestamps
• Active sessions and devices

Billing information

• Payment method and billing address (handled by Stripe — we never see full card numbers)
• Subscription plan, trial status, and invoice history

Product usage

• Websites/projects you create and their settings
• Events ingested and other usage counters used for billing
• Operational logs needed to debug and secure the service

When a customer installs our tracker on their website, the following types of data can be sent to OakData. Customers control what is captured through their tracker configuration.

Analytics events

• Pageviews and custom events with their timestamps
• Page URL, title, path, query string, referrer
• Approximate location derived from IP (country, region, city)
• Browser, OS, device type, and viewport size
• UTM parameters and other marketing attribution
• An anonymous identifier persisted in the visitor's browser, plus any identifier the customer chooses to attach (e.g. a logged-in user id)

Session replay

If a customer enables session replay, we additionally store a recording of the page DOM, mouse movements, clicks and scroll events. By default we mask all text inputs and obey the customer's configured block selectors. Customers can disable replay or further restrict it at any time.

What we don't collect

• Full IP addresses are not exposed in the dashboard; only the derived geo signal is
• Form field contents (masked by default in replays)
• Cross-site identifiers or third-party tracking cookies — our tracker uses first-party storage scoped to the customer's site

• Operate the analytics dashboard, replays, and APIs that our customers use
• Authenticate customers and protect accounts
• Bill subscriptions and enforce plan limits
• Provide support and respond to inquiries
• Detect abuse, fraud, and security threats
• Comply with legal obligations

Payments

Stripe processes all payments. We receive subscription status from Stripe but never your full card details.

Hosting and storage

The application and database run on Supabase and our hosting provider. Session replay recordings are stored as encrypted blobs in object storage. Email delivery is handled by Resend.

Sign-in

We support magic-link email sign-in and Google OAuth. If you use Google to sign in, Google receives the standard authentication metadata necessary to complete the flow.

Analytics events and aggregated metrics are retained according to the data-retention period of the customer's plan. Session replay recordings have a configurable per-project retention window and are purged automatically after that window expires.

When a customer deletes a project, the associated events, replays, and API keys are removed. When a customer deletes their account, we remove personal data and revoke access; residual data is purged within 30 days, except where retention is required by law.

Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted, logged, and protected by multi-factor authentication. We monitor for anomalous activity and rotate credentials regularly.

As an OakData customer you may access, correct, export, or delete your account data at any time from the dashboard, or by writing to us.

If you are a visitor whose data was sent to OakData by one of our customers, please contact that customer first — they are the controller and the right place to exercise access or deletion rights. We will assist them in honouring your request.

We comply with the GDPR, UK GDPR and CCPA. Customers acting as controllers may enter into a Data Processing Agreement with us by contacting legal@oakdata.co. We do not sell personal information and we do not use personal data to train AI models.

We may update this policy from time to time. We will notify customers of material changes by email or through the dashboard, and we will update the date at the top of this page.

Questions about this policy or our privacy practices? Email legal@oakdata.co.