Privacy Policy
Version 2026-06-29 · Effective as of June 29, 2026
1. What Data We Collect
Himetrica's tracking script collects the following data from your website visitors: a randomly generated visitor ID, session ID, page path, referrer and campaign (UTM) parameters, screen size, and user agent string. Depending on the features you enable, it may also collect custom events you send, web vitals, and frontend error reports. IP addresses are used to derive approximate location (country, city, region) and are not retained in our analytics database. If you enable the Meta Conversions API integration, the visitor's IP address is also transmitted to Meta as described in Section 5. We do not collect personal information such as names or email addresses unless explicitly provided through our identify API.
2. Cookies and Local Storage
In its default configuration, Himetrica identifies visitors with a randomly generated ID stored in the browser's localStorage rather than a cookie. Visitors can clear their localStorage at any time to reset their visitor ID. Depending on the features you enable, Himetrica may set the following first-party cookies:
- hm_vid, hm_sid, hm_sts, hm_ref, hm_utm — set only when you enable cross-subdomain tracking by configuring a Cookie Domain. They store the visitor ID (up to 12 months), session ID and timestamp (30 minutes), referrer, and campaign (UTM) parameters (session), scoped to your root domain, so analytics stay continuous across your subdomains. They are first-party and SameSite=Lax.
- _fbp, _fbc — set only when you enable the Meta Conversions API integration. They store Meta's browser and click identifiers (up to 90 days) and are forwarded to Meta as described in Section 5.
These cookies are set only when you enable the corresponding feature; they are off by default. When you enable a feature that sets cookies or transmits data to a third party, you are responsible for meeting any consent and disclosure obligations that apply to your site and your visitors.
3. How Data Is Used
We use the collected data to provide analytics insights to our customers, including page view statistics, visitor counts, session information, geographic distribution, browser and device breakdowns, and referrer analysis. We do not sell or rent visitor data. We do not share visitor data with third parties for advertising or marketing purposes except where you explicitly enable an advertising integration such as the Meta Conversions API, in which case the data described in Section 5 is shared with that provider at your direction.
When we process personal data on behalf of a customer, we act as their data processor under our Data Processing Agreement.
4. Data Retention
Detailed analytics data (individual page views, events, sessions, web vitals, and frontend errors) is retained based on your subscription plan. Data older than your plan's retention period may be permanently deleted. However, aggregate daily summaries (traffic totals, top pages, sources, countries, and event counts) are preserved beyond the retention period so your historical charts and trend data remain available. Individual session details, visitor timelines, and event properties beyond the retention window will no longer be accessible. When an account is deleted, all associated analytics data is permanently removed within 30 days. You may request early deletion of your data at any time by contacting us.
5. Third-Party Services
We use the following third-party services to operate Himetrica. The providers that process visitor and end-user data on our customers' behalf are also listed, as sub-processors, in Annex II of our Data Processing Agreement:
- Supabase: hosted database and file storage (avatars, logos).
- ClickHouse Cloud: analytics event storage.
- Redis Cloud: cache and processing queues.
- Axiom: operational log processing.
- Cloudflare: content delivery network, reverse proxy, and application firewall in front of our API and tracking endpoints, through which visitor traffic (including the IP address) transits, and page rendering for the website audit feature.
- Vercel: hosting of our web application.
- OpenAI: generating analytics insights and automatically classifying traffic sources and content.
- Resend: transactional emails such as account verification, password resets, reports, and alerts.
- IP geolocation: approximate location (country, region, city) is derived from IP addresses using a local database (MaxMind) and, residually, external lookup services (ip-api.com, ipwho.is). IP addresses are not stored in our analytics database after location is resolved.
- Stripe: payment processing for your subscription. Stripe processes your billing information under its own privacy policy. It handles account data, not visitor data, and is not a sub-processor under the DPA.
- Meta Platforms (only when you enable the Meta Conversions API): when enabled, Himetrica forwards the conversion events you configure to Meta, including the visitor's IP address, user agent, the _fbp and _fbc cookies, and a SHA-256 hashed email and identifier where available, for advertising measurement. This integration is off by default, and the data is processed under Meta's own terms.
Most of these providers process data in the United States. Where personal data is transferred outside Brazil, the transfer is carried out under the safeguards described in Section 9 of our Data Processing Agreement, including the ANPD Standard Contractual Clauses and the providers' own data processing agreements.
6. User Rights
You have the right to:
- Access — request a copy of the data we hold about you.
- Deletion — request deletion of your account and all associated data.
- Export — export your analytics data in a machine-readable format.
To exercise any of these rights, contact us at privacy@himetrica.com.
7. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the version number and effective date at the top of this page. We will notify you of material changes via email or through the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
9. Contact
Himetrica is operated by Yeloy Tecnologia LTDA (CNPJ No. 67.197.218/0001-59). For data about our own account holders and website, Yeloy acts as the data controller. For the visitor and end-user data that our customers collect through Himetrica's tracking script and APIs, our customers are the controllers and Yeloy acts as their data processor under our Data Processing Agreement. If you have any questions about this Privacy Policy, please contact us at privacy@himetrica.com.