Privacy Policy

Last updated: April 2, 2026

1. Introduction

Spectabas ("we," "us," or "our") operates the web analytics platform at www.spectabas.com (the "Service"). This Privacy Policy describes how we collect, use, store, and protect information when you use our Service, whether as a site owner ("Customer") or as a visitor to a website that uses Spectabas for analytics ("End User").

Spectabas is based in Kent County, Michigan, United States. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2a. Customer Account Data

When you create a Spectabas account, we collect your email address and a password, which is stored as a bcrypt hash (see Section 5). If you enable two-factor authentication, we store TOTP secrets and/or WebAuthn credential public keys. If you connect ad platform integrations (Google Ads, Microsoft Ads, Meta Ads), we store encrypted OAuth2 tokens.

2b. Analytics Data (End Users)

When an End User visits a website that uses Spectabas, our tracker script collects the following data. The exact data depends on the GDPR mode configured by the site owner:

Both Modes:

  • Page URLs visited and referrer URLs
  • Browser type, version, and operating system
  • Device type and screen dimensions
  • Country, region, and city (derived from IP address via local geo databases)
  • Timestamp of each event
  • UTM campaign parameters (if present in the URL)
  • Ad platform click identifiers (gclid, msclkid, fbclid — if present in the URL)
  • Page load performance metrics (Core Web Vitals, navigation timing)

GDPR-Off Mode (cookie-based):

  • A first-party cookie (_sab) containing a random identifier for visitor recognition
  • Full IP address used for geolocation lookup, then discarded after processing
  • UTM parameters persisted in browser sessionStorage for session-level attribution

GDPR-On Mode (cookieless):

  • No cookies are set
  • Visitor identification uses a privacy-preserving browser fingerprint (hash of non-identifying browser characteristics — not stored as raw signals)
  • IP addresses are anonymized before any storage or geolocation lookup
  • Tracking parameters (UTM, gclid, etc.) are stripped from stored URLs

2c. What We Do NOT Collect

  • We do not use third-party cookies or cross-site tracking
  • We do not collect personal names, email addresses, or payment information from End Users (unless the site owner uses the server-side identify API)
  • We do not participate in ad networks or sell data to any third party
  • We do not use the collected data for any purpose other than providing analytics to the site owner

3. How We Use Information

We use collected information solely to:

  • Provide web analytics dashboards and reports to Customers
  • Generate aggregate statistics about website traffic and visitor behavior
  • Send transactional emails (account verification, password resets, email reports)
  • Sync ad spend data from connected advertising platforms
  • Maintain and improve the Service

We do not sell, rent, or share analytics data with any third party. Each Customer's data is isolated and accessible only to authorized users of that Customer's account.

4. Data Retention

  • Analytics events: Retained for up to 2 years from the date of collection, then automatically deleted.
  • Account data: Retained for as long as your account is active. Upon account deletion, all associated data is removed within 30 days.
  • Ad platform tokens: Encrypted OAuth2 tokens are stored for the duration of the integration connection. Upon disconnection, tokens are immediately replaced with encrypted tombstone values.
  • API access logs: Request/response logs are retained for 30 days, then automatically purged.

5. Data Security

We implement the following security measures:

  • All data transmitted over HTTPS with TLS encryption
  • Ad platform OAuth2 tokens encrypted at rest using AES-256-GCM
  • Passwords hashed using bcrypt
  • Two-factor authentication supported (TOTP and WebAuthn/passkeys)
  • API keys stored as SHA-256 hashes (plaintext never retained)
  • Regular security audits with documented findings and fixes
  • Rate limiting on authentication and collection endpoints

6. End User Opt-Out

End Users (website visitors) can opt out of Spectabas tracking at any time. Site owners can provide an opt-out mechanism using Spectabas.optOut() in the JavaScript API. When opted out, a _sab_optout cookie is set, and no further data is collected from that browser. The noscript pixel also respects this opt-out cookie.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of access: Request a copy of the data we hold about you
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data
  • Right to restriction: Request we restrict processing of your data
  • Right to data portability: Request your data in a machine-readable format
  • Right to object: Object to our processing of your data

To exercise these rights, contact us at howdy@spectabas.com. We will respond within 30 days.

8. Your Rights Under CCPA

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your rights

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us at howdy@spectabas.com.

10. International Data Transfers

Spectabas is hosted in the United States (Ohio region). If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

For privacy inquiries, data requests, or to exercise your rights, contact us at:

Spectabas
Kent County, Michigan, United States
howdy@spectabas.com