Privacy

Privacy commitments for LeetLytics.

Last updated: May 2, 2026. This page describes the product behavior implemented for the freemium launch and should be reviewed before production go-live.

Default stance

Cookieless-first analytics.

LeetLytics is built to show traffic, pages, key events, breakages, health, alerts, and revenue attribution without setting LeetLytics browser cookies by default. Customers may send their own pseudonymous anonymous/session identifiers, but LeetLytics does not require identity stitching for the core dashboard.

Data we process

  • Workspace identifiers, public workspace keys, install settings, and billing state.
  • Journey, page-view, important-click, conversion, breakage, and link-click events that customers choose to send.
  • Low-cardinality attribution fields such as source, UTM source/campaign, ref, via, page path, and link click IDs.
  • Operational records for authentication, Stripe billing sessions/webhooks, Shopify installs/webhooks, and WordPress plugin configuration.

Data not to send

  • Raw URLs with query strings or fragments.
  • Passwords, bearer tokens, API keys, auth headers, cookies, connection strings, or provider payload blobs.
  • Customer emails, payment card data, health data, or other sensitive personal data in event metadata.
  • Session replay, keystrokes, screen recordings, or fingerprinting signals.

Platform installs

Shopify installs use OAuth and encrypted offline token storage on the server. The storefront web pixel receives public settings only. WordPress installs use a public workspace key and render no browser script until configured by the site owner.

Billing providers

Stripe checkout, customer portal, and webhook routes are server-side only. LeetLytics stores billing customer/subscription identifiers and entitlement state, not card numbers. Live billing requires approved provider setup before production use.

Controls

Workspace boundaries are enforced before analytics are stored.

Workspaces support hostname allowlists, excluded path patterns, usage caps, and retention plans. Events from disallowed hosts or excluded paths are rejected or suppressed before dashboard persistence. Conversion API keys are private backend credentials and are not displayed in the browser dashboard.

For access, deletion, security, or privacy questions, contact hello@leet.fyi.