Legal

Privacy Policy

Effective date: July 2, 2026

Who we are

Numative ("Numative", "we", "us") provides website analytics with change attribution. We are based in Illinois, United States. For anything in this policy, contact us at support@numative.com.

This policy covers two distinct situations: data we collect from you when you visit our website or hold a Numative account, where we decide how the data is used, and data our analytics service records on our customers' websites, where the customer decides and we process it on their behalf.

Analytics data we process for our customers

When a website owner installs the Numative tracker on their site, we process visitor data on that owner's behalf. The tracker is designed to avoid identifying individuals:

  • No cookies and no persistent identifiers. The tracker sets no cookies and stores nothing on a visitor's device that outlives the browsing session, other than a voluntary opt-out preference.
  • Per event we record: the page URL, the referrer, the event name and any custom properties the site owner sends, the browser and operating system family (for example "Chrome on Windows", never full version strings), a screen-size bucket, approximate location derived from the IP address at collection time, and a visitor identifier.
  • The visitor identifier is a one-way hash of the site, IP address and user agent, salted with a secret that rotates every day and is scoped per site. The same visitor cannot be recognized across days or across sites, and the hash cannot be reversed. Raw IP addresses and user agent strings are not stored with events; they are used transiently to compute the hash, classify bots, derive approximate location and enforce rate limits.
  • Sessions use a random identifier kept in the visitor's own sessionStorage that expires after 30 minutes of inactivity.
  • Change detection sends a numeric fingerprint of the page's own content (title, description, heading, approximate length). It contains no visitor data.
  • Opt-out. Any visitor can exclude themselves from counting on a given site by visiting a page with ?numative_ignore=true appended to the URL.

For sites that connect Google Analytics instead of our tracker, we read reporting data from the GA4 API on the customer's instruction and do not collect anything from that site's visitors ourselves.

If you are a visitor to a website that uses Numative and you have questions about that site's data practices, contact the site owner, who is the controller of that data.

Data we collect about our own users

When you create and use a Numative account, we collect:

  • Account details: name, email address and a hashed password, or your Google sign-in identity.
  • Organization and team data: the organizations you belong to, roles and invitations.
  • The sites you register and everything the product records about those sites: traffic statistics, page snapshots and change history, rankings, backlinks and reports.
  • OAuth tokens for Google integrations you choose to connect (GA4, Search Console). Tokens are limited to read-only scopes and encrypted at rest.
  • Billing status. Payments are handled by Polar as merchant of record; we never see or store full card numbers.
  • Emails we exchange with you, including support requests sent through our contact form.
  • Basic server logs and error reports needed to run and secure the service.

We use this data to provide and improve the service, send the reports and alerts you configure, bill you, and respond to you. We do not sell personal information and we do not use your data for third-party advertising.

Service providers

We use a small set of infrastructure providers to run Numative. Each processes data only as needed to provide its function:

ProviderPurpose
VercelApplication hosting and content delivery
NeonPostgres database (accounts, sites, change history)
TinybirdAnalytics event storage and querying
Trigger.devBackground jobs (crawling, reports, integrations)
PolarBilling and payments, as merchant of record
ResendTransactional and report email delivery
UpstashRate limiting
SentryServer error reporting
GoogleSign-in, GA4, Search Console and Chrome UX Report integrations you connect
DataForSEOBacklink and search ranking data about public web pages

No visitor-level analytics data is shared with DataForSEO, Ahrefs or Google; those integrations concern public web pages and accounts you connect. Data is processed in the United States.

Retention

Analytics data is retained for as long as you keep your site in Numative; keeping history indefinitely is a product feature, not an accident. Deleting a site removes its analytics data, and deleting your account removes your account data, in each case within a reasonable period and subject to records we must keep for legal or billing purposes.

Your rights

You can access and update account information from your account settings, export your analytics data from the product, and delete sites or your entire account. Depending on where you live, you may also have legal rights to access, correct, delete or port personal information. To exercise any of these, email support@numative.com. We respond to every verified request.

Security

All traffic is encrypted in transit. OAuth tokens are encrypted at rest. Passwords are stored only as salted hashes. Access to production systems is limited to what operating the service requires. No system is perfectly secure; if we learn of a breach affecting your data we will notify you as required by law.

Children

Numative is a business tool and is not directed to children under 13. We do not knowingly collect personal information from children.

Changes to this policy

We will post any changes to this policy on this page and update the effective date. For material changes we will notify account holders by email.

Contact

Questions about privacy at Numative: support@numative.com.