Home

Privacy Policy

Last updated: April 26, 2026

What we collect

teeny-tiny.tools Analytics is designed to collect the minimum data necessary to produce useful aggregate stats. We do not use cookies, localStorage, browser fingerprints, or cross-site tracking. We do, however, retain a small amount of data that may qualify as personal data under GDPR (notably IP address and User-Agent string). This page describes exactly what is collected, why, and how long it is kept.

For each pageview, the following is collected:

  • Page URL (path, query string, hash) and referrer URL
  • Screen and viewport dimensions
  • Browser language and timezone
  • Time spent on page
  • Device type, browser, and OS (via User-Agent and User-Agent Client Hints)
  • Country (derived from CloudFront edge geolocation)
  • IP address (see "IP and User-Agent" below)

IP and User-Agent

Each request to our collection endpoint is logged with the client IP address, the full User-Agent string, and request headers. These fields are written to encrypted storage (Amazon S3, US East region) and are accessible only to authorized personnel. We retain this raw data for security and abuse prevention — specifically, to investigate scraping, rate-limit evasion, fraud, and infrastructure incidents.

Lawful basis (GDPR Art. 6(1)(f) — legitimate interests): the processing of IP and User-Agent is necessary for our legitimate interest in keeping the service operational, secure, and free from abuse. We assess this interest as not overriding the rights and freedoms of data subjects because (a) the data is not used for advertising, profiling, or cross-site tracking; (b) it is access-controlled and encrypted at rest; (c) it is retained only as long as needed for the stated purposes.

Retention:raw CloudFront logs (containing IP and User-Agent) are retained according to the lifecycle policy on our data bucket. Aggregated, non-identifying analytics (pageview counts, country, device class, etc.) are retained for the duration of your plan's data retention window (currently up to 5 years on the Business plan).

We do not store IP addresses in the analytics database used to render dashboards. For visitor counting we derive a per-day, per-site hash SHA256(IP + User-Agent + date + site), which is one-way and rotates daily so visitors cannot be linked across days or across sites.

What we do NOT collect

  • No cookies or localStorage on visitors' browsers
  • No browser fingerprinting (canvas, font, audio, etc.)
  • No cross-site tracking — each site's data is isolated
  • No advertising identifiers, no data sold to third parties
  • No form input, keystrokes, mouse movement, or session replay

Do Not Track

Our tracker respects the navigator.doNotTrack browser setting. When Do Not Track is enabled, no beacon is sent. Site owners can override this behavior with the data-ignore-dnt attribute.

Data storage and security

Analytics data is stored in Amazon S3 (US East region) and queried via Amazon Athena. All data is encrypted at rest and in transit. Access is restricted via IAM least-privilege policies. Raw CloudFront logs transition to infrequent access storage after 90 days and are archived after 1 year.

Customers in the European Economic Area should note that data is processed in the United States. Transfers rely on the EU–US Data Privacy Framework where applicable, and on Standard Contractual Clauses with our sub-processors (Amazon Web Services, Vercel, Supabase, Stripe).

Dashboard accounts

When you create a teeny-tiny.tools account, we store your email address and (if you use email/password) a hashed password (managed by Supabase Auth). We do not sell or share your account information with third parties.

Sub-processors

  • Amazon Web Services — collection endpoint, data pipeline, storage, query (US East region)
  • Supabase — authentication, dashboard database (US East region)
  • Vercel — dashboard hosting
  • Stripe — payment processing (paid plans only)
  • Resend — transactional email

Your rights (GDPR / UK GDPR / CCPA)

If you are a website visitor whose data we have processed, or a customer of teeny-tiny.tools, you have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of that data
  • Object to processing based on legitimate interests
  • Request restriction or portability of your data
  • Lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@teeny-tiny.tools. Because we hash IP addresses and do not maintain visitor identifiers, we may need additional information (such as approximate visit time and the website you visited) to locate records relating to you.

Data deletion

You can delete your sites at any time from the dashboard settings. Deleting a site stops data collection immediately and removes it from the dashboard. Historical raw logs are retained in S3 under the lifecycle policy described above and are no longer queryable from the dashboard.

To delete your account entirely, or to request deletion of personal data we hold, contact privacy@teeny-tiny.tools.

Cookies and consent

Our tracker does not set cookies or use localStorage on your visitors' browsers. Because we do process IP addresses under legitimate interests, you should still review your local requirements (e.g., ePrivacy Directive guidance in the EU) and disclose this in your own privacy policy. Many sites operating under legitimate interests do not require a consent banner for analytics of this kind, but the assessment is yours to make.

Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date.

Contact

For privacy-related questions, contact us at privacy@teeny-tiny.tools.