Privacy Policy
Last updated: March 13, 2026
tinystat is a privacy-first web analytics service. We built it specifically so you never need a cookie consent banner. This policy explains exactly what data we collect, how we handle it, and what we do not do.
What We Collect
When a visitor loads a page with the tinystat script, we record the following data points:
- Page URL (path only, query parameters stripped of personal identifiers)
- Referrer URL (the page the visitor came from)
- Country (derived from IP address via server-side lookup, then the IP is discarded)
- Device type (desktop, mobile, or tablet — derived from User-Agent header)
- Browser name (e.g. Chrome, Safari — derived from User-Agent header)
- Timestamp of the page view
What We Do Not Collect
We do not collect, store, or process any personal data. Specifically, tinystat:
- Does not use cookies of any kind
- Does not use localStorage or sessionStorage
- Does not fingerprint browsers or devices
- Does not track users across websites
- Does not track users across sessions
- Does not collect names, email addresses, or any identifying information
- Does not collect or store raw IP addresses
How IP Addresses Are Handled
IP addresses are used for two purposes and then immediately discarded:
1. Country lookup. We perform a server-side geolocation lookup to determine the visitor's country. Only the country code is stored. The IP address is never written to disk or database.
2. Unique visitor estimation. To approximate unique visitors without identifying anyone, we create a keyed hash (HMAC-SHA256) of the IP address using a server-side secret combined with the current date. Only a short prefix of the hash is stored. This makes it mathematically impossible to reverse the hash back to the original IP address. Because the date is part of the input, the same visitor produces a completely different hash the next day, preventing any form of cross-day tracking.
The raw IP address is never stored, logged, or transmitted to any third party.
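An added illustration of the unique visitor estimation described in item 2 above (example code, not tinystat's own implementation). The prefix length, the way the date is combined with the secret (a per-day derived key), the IPv4-mapped normalisation, and all names and sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Assumptions (not from the policy): the prefix length, and that "combined with
# the current date" means deriving a per-day key from the server-side secret.
PREFIX_HEX_CHARS = 16
DEMO_SECRET = b"constructed-demo-secret"  # placeholder; real keys live in a secret store


def daily_key(server_secret: bytes, day: date) -> bytes:
    """Per-day HMAC key, so tokens from different days cannot be linked."""
    # The secret must stay server-side: the IPv4 space is small, so the
    # token's privacy rests on the key, not on the hash alone.
    return hmac.new(server_secret, day.isoformat().encode(), hashlib.sha256).digest()


def visitor_token(server_secret: bytes, ip: str, day: date) -> str:
    """Truncated HMAC-SHA256 of the canonical IP; the IP itself is not kept."""
    addr = ipaddress.ip_address(ip)
    # A proxy may report one client as 203.0.113.7 or ::ffff:203.0.113.7.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    digest = hmac.new(daily_key(server_secret, day), addr.packed, hashlib.sha256)
    return digest.hexdigest()[:PREFIX_HEX_CHARS]


def count_unique(events, server_secret: bytes) -> dict:
    """events: iterable of (ip, day). Returns {day: estimated unique visitors}."""
    seen = {}
    for ip, day in events:
        seen.setdefault(day, set()).add(visitor_token(server_secret, ip, day))
    return {day: len(tokens) for day, tokens in seen.items()}


# Constructed sample traffic using documentation-range addresses.
D1, D2 = date(2026, 3, 13), date(2026, 3, 14)
SAMPLE_EVENTS = [
    ("203.0.113.7", D1),
    ("203.0.113.7", D1),          # repeat view, same visitor
    ("::ffff:203.0.113.7", D1),   # same visitor, IPv4-mapped form
    ("198.51.100.23", D1),
    ("203.0.113.7", D2),          # same IP next day: new, unlinkable token
]

if __name__ == "__main__":
    print(count_unique(SAMPLE_EVENTS, DEMO_SECRET))
```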
Data Retention
Raw page view events are aggregated into hourly buckets and then deleted. We do not retain individual event records. The aggregated data (page view counts, referrer counts, country counts, device breakdowns) is retained for the lifetime of your account. If you delete your account, all associated analytics data is permanently deleted immediately.
GDPR Compliance
tinystat does not process personal data as defined by the General Data Protection Regulation (GDPR). We do not use cookies, we do not track individuals, and we do not build user profiles. As a result, no consent banner is required when using tinystat on your website.
Under GDPR, analytics tools that do not process personal data are exempt from the ePrivacy Directive's consent requirements. tinystat falls squarely within this exemption.
Bot Filtering
To ensure accurate analytics, we automatically detect and discard requests from known bots and crawlers (such as search engine crawlers and AI scrapers) based on the User-Agent header. Bot requests are silently dropped and never recorded in your analytics data.
Rate Limiting
We employ rate limiting on our data collection endpoint to prevent abuse and protect the integrity of your analytics data. Requests that exceed the rate limit are temporarily rejected. No visitor data is stored or logged as part of rate limiting.
Third-Party Services
We use a small number of third-party services to operate tinystat:
- Supabase — database hosting and authentication. Aggregated analytics data is stored in Supabase. No personal visitor data is sent to Supabase.
- Vercel — application hosting and edge functions. Vercel processes incoming HTTP requests but tinystat does not instruct Vercel to log or retain visitor IP addresses.
- Stripe — payment processing for paid plans. Stripe handles all payment data directly. tinystat does not store credit card numbers or billing details.
- Upstash — rate limiting infrastructure. Only IP addresses are temporarily held in memory for rate-limit counting and are automatically evicted. No analytics or visitor data is sent to Upstash.
Data Location
Analytics data is stored in Supabase's cloud infrastructure. Your data may be processed in data centers operated by Supabase and its underlying cloud providers. We select regions that comply with applicable data protection regulations.
Data Sales
We do not sell, rent, trade, or otherwise share your analytics data or your visitors' data with any third party. Period.
Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify account holders by email and update the "Last updated" date at the top of this page.
Contact
If you have questions about this privacy policy or how tinystat handles data, email us at support@tinystat.site.