Privacy & Data
Data Collected
| Data Point | Purpose | Storage |
|---|---|---|
| IP address | Fingerprinting, geolocation | Server-side only (anonymized) |
| User-Agent | Fingerprinting, device type | Server-side |
| Screen resolution | Fingerprinting | Sent on install |
| Timezone | Fingerprinting | Sent on install |
| Language | Fingerprinting | Sent on install |
| Platform | Device type | Sent on install |
The SDK does not collect:
- Cookies from other domains
- Browser history
- Form inputs
- DOM content
localStorage Keys
All keys are prefixed with __ahq_:
| Key | Purpose |
|---|---|
| __ahq_installed | Flag indicating install was already tracked |
| __ahq_attribution | Cached attribution result (JSON) |
| __ahq_queue | Pending events queue (JSON) |
| __ahq_session_id | Current session UUID |
| __ahq_session_start | Session start timestamp |
| __ahq_session_pvs | Page views in current session |
| __ahq_user_id | Identified user ID |
GDPR Compliance
- IP anonymization — Last octet zeroed during fingerprint matching
- No third-party cookies — No cross-site tracking
- HTTPS only — All data sent over encrypted connections
- User control — Users can clear attribution data by clearing localStorage
- Incognito fallback — Falls back to in-memory storage if localStorage is unavailable
- No PII in fingerprint — Fingerprint hash is a one-way SHA-256, not reversible to identify individuals
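The "User control" item above relies on clearing localStorage. The following is an added example, not SDK code, of removing only the __ahq_-prefixed keys (for instance from a consent-withdrawal handler) without touching the host application's own keys. The names listAhqKeys, purgeAhqData, FakeStorage and demoPurge are hypothetical, and the sample values are constructed.

```javascript
// Added example, not SDK code. Removes only the SDK's keys from a Web Storage
// object and leaves the host application's own keys untouched.
const AHQ_PREFIX = "__ahq_";

function listAhqKeys(storage) {
  // Snapshot the names first: removing items while walking storage.key(i)
  // shifts the indices and skips entries.
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(AHQ_PREFIX)) keys.push(k);
  }
  return keys.sort();
}

function purgeAhqData(storage) {
  let keys;
  try {
    keys = listAhqKeys(storage);
  } catch (err) {
    // Storage access can throw when it is blocked or unavailable. The page
    // says the SDK then keeps its state in memory, so nothing is persisted.
    return { available: false, removed: [] };
  }
  for (const k of keys) storage.removeItem(k);
  return { available: true, removed: keys };
}

// Minimal stand-in for window.localStorage so the example runs under Node.
class FakeStorage {
  constructor(entries) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample data: SDK keys mixed with one application key.
function demoPurge() {
  const store = new FakeStorage({
    __ahq_installed: "1",
    app_theme: "dark",
    __ahq_session_id: "00000000-0000-4000-8000-000000000000",
    __ahq_user_id: "user-123",
    __ahq_queue: "[]",
  });
  const result = purgeAhqData(store);
  return { result, left: store.length, theme: store.getItem("app_theme") };
}
```

In a browser, pass window.localStorage to purgeAhqData. Reading window.localStorage can itself throw when storage is blocked, so keep that access inside a try/catch as well.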
Data Retention
- Events: Stored in ClickHouse with 90-day retention
- Raw events: Archived to S3, moved to Glacier after 90 days, deleted after 2 years
- Click records: DynamoDB TTL of 7 days (matching attribution window)
- localStorage: Persists until cleared by user or browser
Bundle Size
The SDK is ~2.9 KB gzipped (UMD). It has zero runtime dependencies. With ESM imports and tree-shaking, only the methods you import are included.