Legal
Privacy Policy
Effective date: July 2, 2026
Who we are
Numative ("Numative", "we", "us") provides website analytics with change attribution. We are based in Illinois, United States. For anything in this policy, contact us at support@numative.com.
This policy covers two distinct situations: data we collect from you when you visit our website or hold a Numative account, where we decide how the data is used, and data our analytics service records on our customers' websites, where the customer decides and we process it on their behalf.
Analytics data we process for our customers
When a website owner installs the Numative tracker on their site, we process visitor data on that owner's behalf. The tracker is designed to avoid identifying individuals:
- No cookies and no persistent identifiers. The tracker sets no cookies and stores nothing on a visitor's device that outlives the browsing session, other than a voluntary opt-out preference.
- Per event we record: the page URL, the referrer, the event name and any custom properties the site owner sends, the browser and operating system family (for example "Chrome on Windows", never full version strings), a screen-size bucket, approximate location derived from the IP address at collection time, and a visitor identifier.
- The visitor identifier is a one-way hash of the site, IP address and user agent, salted with a secret that rotates every day and is scoped per site. The same visitor cannot be recognized across days or across sites, and the hash cannot be reversed. Raw IP addresses and user agent strings are not stored with events; they are used transiently to compute the hash, classify bots, derive approximate location and enforce rate limits.
- Sessions use a random identifier kept in the visitor's own sessionStorage that expires after 30 minutes of inactivity.
- Change detection sends a numeric fingerprint of the page's own content (title, description, heading, approximate length). It contains no visitor data.
- Opt-out. Any visitor can exclude themselves from counting on a given site by visiting a page with
?numative_ignore=trueappended to the URL.
For sites that connect Google Analytics instead of our tracker, we read reporting data from the GA4 API on the customer's instruction and do not collect anything from that site's visitors ourselves.
If you are a visitor to a website that uses Numative and you have questions about that site's data practices, contact the site owner, who is the controller of that data.
Data we collect about our own users
When you create and use a Numative account, we collect:
- Account details: name, email address and a hashed password, or your Google sign-in identity.
- Organization and team data: the organizations you belong to, roles and invitations.
- The sites you register and everything the product records about those sites: traffic statistics, page snapshots and change history, rankings, backlinks and reports.
- OAuth tokens for Google integrations you choose to connect (GA4, Search Console). Tokens are limited to read-only scopes and encrypted at rest.
- Billing status. Payments are handled by Polar as merchant of record; we never see or store full card numbers.
- Emails we exchange with you, including support requests sent through our contact form.
- Basic server logs and error reports needed to run and secure the service.
We use this data to provide and improve the service, send the reports and alerts you configure, bill you, and respond to you. We do not sell personal information and we do not use your data for third-party advertising.
Service providers
We use a small set of infrastructure providers to run Numative. Each processes data only as needed to provide its function:
| Provider | Purpose |
|---|---|
| Vercel | Application hosting and content delivery |
| Neon | Postgres database (accounts, sites, change history) |
| Tinybird | Analytics event storage and querying |
| Trigger.dev | Background jobs (crawling, reports, integrations) |
| Polar | Billing and payments, as merchant of record |
| Resend | Transactional and report email delivery |
| Upstash | Rate limiting |
| Sentry | Server error reporting |
| Sign-in, GA4, Search Console and Chrome UX Report integrations you connect | |
| DataForSEO | Backlink and search ranking data about public web pages |
No visitor-level analytics data is shared with DataForSEO, Ahrefs or Google; those integrations concern public web pages and accounts you connect. Data is processed in the United States.
Retention
Analytics data is retained for as long as you keep your site in Numative; keeping history indefinitely is a product feature, not an accident. Deleting a site removes its analytics data, and deleting your account removes your account data, in each case within a reasonable period and subject to records we must keep for legal or billing purposes.
Your rights
You can access and update account information from your account settings, export your analytics data from the product, and delete sites or your entire account. Depending on where you live, you may also have legal rights to access, correct, delete or port personal information. To exercise any of these, email support@numative.com. We respond to every verified request.
Security
All traffic is encrypted in transit. OAuth tokens are encrypted at rest. Passwords are stored only as salted hashes. Access to production systems is limited to what operating the service requires. No system is perfectly secure; if we learn of a breach affecting your data we will notify you as required by law.
Children
Numative is a business tool and is not directed to children under 13. We do not knowingly collect personal information from children.
Changes to this policy
We will post any changes to this policy on this page and update the effective date. For material changes we will notify account holders by email.
Contact
Questions about privacy at Numative: support@numative.com.