Skip to content
European Data Processing

TrueMetric Privacy Policy

Effective Date: April 26, 2025

Important Notice

This Privacy Policy is for informational purposes only. It does not constitute legal advice. Please consult with a qualified legal professional to ensure your compliance with applicable privacy laws and regulations.

1. Introduction

Welcome to TrueMetric. This Privacy Policy explains how Chelsea AI Ventures Ltd. ("we," "us," or "our") collects, uses, stores, and protects information in relation to our privacy-first analytics service, TrueMetric, our website (truemetric.info), and related services (collectively, the "Services").

Our core philosophy is privacy-first. We aim to provide valuable website analytics while minimizing the collection of personal data, especially concerning visitors to websites that use TrueMetric ("End-Users").

This policy covers:

  • Information collected from End-Users via the TrueMetric tracking script.
  • Information collected from visitors to our own website ("Site Visitors").
  • Information collected from our registered customers ("Customers").

2. Information Collected from End-Users (Via TrueMetric Tracking)

When a website you visit uses TrueMetric analytics, we collect the following information on behalf of our Customer (the website owner):

  • Page URL: The specific page visited.
  • Referrer URL: The address of the link clicked to reach the page.
  • Browser/OS Information: Derived from the User Agent string (e.g., Chrome on Windows).
  • Device Type: Derived from the User Agent string (e.g., Desktop, Mobile).
  • Screen Resolution: The size of the End-User's screen.
  • Derived Geographic Location: Country, region, and city derived momentarily from the IP address (see below).
  • UTM Parameters: Campaign tracking codes if present in the URL.
  • Pseudonymous Daily Visit Identifier (`visitId`): A temporary hash generated from the truncated IP address (discarded), User Agent, website ID, the current date, and a daily rotating salt. This allows counting unique visits within a 24-hour period only.

2.1 Our Pseudonymization Process

To protect End-User privacy while still providing valuable analytics, we employ sophisticated pseudonymization techniques:

  • IP Address Truncation: Before processing, we truncate IP addresses (removing the last octet for IPv4, last 80 bits for IPv6) to reduce identifiability.
  • Ephemeral IP Usage: Even the truncated IP is used only momentarily in memory for geo-location and `visitId` generation, then immediately discarded. No IP address (full or truncated) is ever stored in our database or logs.
  • Daily Identifier Reset: The `visitId` includes the current date and uses a daily rotating salt, ensuring it automatically resets every 24 hours. This prevents tracking users across different days.
  • One-Way Hashing: We use secure, one-way cryptographic hashing (SHA-256) to create the `visitId`, making it impossible to reverse the process to identify individuals.

Crucially, we DO NOT:

  • Use cookies for tracking End-Users.
  • Store End-User IP addresses. IPs are used only ephemerally in memory, then immediately discarded.
  • Collect any personally identifiable information (PII) directly from End-Users via our standard tracking script.
  • Perform cross-site or cross-device tracking of End-Users. Data is siloed per Customer website.

The purpose of collecting this aggregated, anonymized data is solely to provide analytics insights to our Customers about their website traffic.

3. Information Collected from Our Site Visitors (truemetric.info)

When you visit our website (truemetric.info):

  • Analytics: We use our own TrueMetric service to collect the same type of aggregated, anonymized data described in Section 2 to understand our website traffic.
  • Functional Cookies: We may use essential cookies required for website functionality, such as session management if you log in. These are not used for tracking purposes across sites.
  • Contact Forms/Support: If you contact us via forms or email, we collect the information you provide (e.g., name, email, message content) to respond to your inquiry.

4. Information Collected from Our Customers

To provide our Services, we collect the following from our registered Customers:

  • Account Information: Name, email address, company name (optional). Used for login, communication, and service administration.
  • Website Information: Domain(s) of the website(s) where you install the TrueMetric tracking script. Used to configure the service.
  • Billing Information: We use a third-party payment processor to handle payments. We do not store full credit card details ourselves. We may store billing address and transaction history.
  • Usage Data: Information about how you use the TrueMetric dashboard and features, to improve our service.
  • Configuration Preferences: Including privacy settings, data retention periods, privacy dashboard configuration, and preferred legal basis for processing End-User data.

5. Legal Basis for Processing

We support two distinct legal approaches for End-User analytics data, which Customers can choose based on their specific needs and regulatory requirements:

5.1 Legitimate Interest Approach

Our privacy-preserving techniques create a strong case for Legitimate Interest as the lawful basis for processing under GDPR:

  • Strong pseudonymization (daily reset `visitId`, truncated IPs)
  • No storage of IP addresses
  • No cookies or persistent identifiers
  • Data minimization by design
  • Limited geolocation detail
  • Easy opt-out implementation

This approach typically provides higher coverage (approximately 99% of visitors vs. 70-80% with consent banners) and a cleaner user experience. Customers should implement appropriate transparency and opt-out mechanisms.

5.2 Opt-In Consent Approach

For organizations preferring or required to use explicit consent, we fully support an opt-in model:

  • Server-side consent verification
  • No tracking until consent is given
  • Integration with Consent Management Platforms
  • Customizable consent UI

This approach provides maximum compliance certainty in jurisdictions with strict consent requirements.

5.3 Other Legal Bases

For other data types:

  • Customer Data: Performance of a Contract (to provide the Services), Legitimate Interest (communication, service improvement), Consent (for optional marketing communications).
  • Site Visitor Data: Legitimate Interest (website analytics, security), Consent (for non-essential cookies if any, marketing), Performance of Contract (if initiating service signup).

Customers are ultimately responsible as data controllers for ensuring their overall website compliance with applicable privacy laws.

6. How We Use Information

  • To Provide & Improve Services: Operate the analytics platform, generate reports for Customers, administer accounts, improve features.
  • To Communicate: Respond to inquiries, send service updates, billing information, and (with consent) marketing materials.
  • For Billing & Account Management: Process payments and manage customer accounts.
  • For Security & Compliance: Protect against fraud, abuse, and ensure adherence to legal obligations.

7. Data Sharing and Third Parties

We do not sell personal data. We may share information with trusted third-party service providers necessary to operate our Services, under strict confidentiality agreements:

  • Infrastructure Providers: Cloud hosting (e.g., Vercel), Database providers (e.g., Neon) located in the EU for core analytics processing.
  • Payment Processors: For handling customer payments.
  • Geo-IP Lookup Service: To derive location from momentarily used IPs.
  • Other providers for email delivery, customer support platforms, etc.

We only share the minimum information necessary for them to perform their function. We ensure these providers have adequate security and privacy safeguards.

We may also disclose information if required by law, subpoena, or other legal processes, or to protect our rights, property, or safety, or that of others.

8. Data Retention

  • End-User Analytics Data: Customers can configure custom data retention periods through their account settings. By default, we recommend a 12-month retention period, but this can be adjusted based on specific needs and compliance requirements. After this period, analytics data is automatically deleted.
  • Raw Processing Data: Non-aggregated data associated with the momentary processing (like logs containing the `visitId`) is kept for a limited period (7-30 days) for debugging and security before being deleted.
  • Customer Account Data: Retained as long as the account is active and for a reasonable period afterward for legal and operational requirements (e.g., financial records).
  • Site Visitor Data (Forms): Retained as long as necessary to address the inquiry.

9. Privacy Dashboard

TrueMetric provides a public-facing Privacy Dashboard for each website using our analytics service. This feature enhances transparency by allowing End-Users to see:

  • What data is being collected
  • How long data is retained
  • The privacy practices specific to that website
  • Options for controlling data collection

The Privacy Dashboard is accessible to all website visitors without requiring authentication and helps website owners demonstrate compliance with privacy regulations by providing clear, accessible information about their data practices.

10. User Controls and Opt-Out

We respect End-User choices about tracking and data collection:

  • Do Not Track (DNT) Signals: TrueMetric can be configured to respect browser DNT signals.
  • Opt-Out Mechanisms: Customers can implement easy opt-out controls for End-Users through their websites.
  • Consent Management: When using the opt-in approach, End-Users have granular consent options.
  • Privacy Dashboard Access: End-Users can view the public Privacy Dashboard to understand exactly what data is collected.
  • Automatic Daily Reset: By design, the daily `visitId` reset ensures End-Users cannot be tracked beyond a 24-hour period.

End-Users should consult the privacy policy of the specific website they are visiting for details on the available control options for that site.

11. Data Security

We implement appropriate technical and organizational measures to protect information against unauthorized access, loss, destruction, or alteration. These include:

  • Encryption of data in transit (HTTPS) and at rest
  • Role-based access controls for TrueMetric dashboard users
  • Regular security audits and vulnerability testing
  • Secure infrastructure with industry best practices
  • Database security with connection string protection
  • Strong authentication mechanisms

However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

12. Your Rights (GDPR/CCPA)

Depending on your location and relationship with us (End-User, Site Visitor, Customer), you may have rights regarding your personal data:

  • Access: Request access to the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure ('Right to be Forgotten'): Request deletion of your data under certain conditions.
  • Restriction of Processing: Request limitation on how we use your data.
  • Data Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw Consent: Withdraw consent where processing is based on consent.

End-Users: As we do not store identifiable personal data about End-Users long-term, requests related to analytics data collected on behalf of our Customers should generally be directed to the respective website owner (our Customer).

Customers & Site Visitors: To exercise your rights regarding data we hold directly about you, please contact us at privacy@truemetric.info. We will respond within the timeframes required by law.

13. International Data Transfers

Analytics data collected from End-Users via our hosted TrueMetric service is processed and stored within the European Union (EU). If you are a Customer outside the EU, your account information or data submitted via our website may be processed by us or our third-party providers in the EU or potentially other locations. We rely on appropriate safeguards like Standard Contractual Clauses (SCCs) where necessary for such transfers.

14. Self-Hosting

If a Customer uses the TrueMetric self-hosting option, the Customer is solely responsible for the collection, processing, storage, security, and compliance of all data within their own environment according to this policy's principles and applicable laws.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Customers of significant changes via email or within the Service. The "Effective Date" at the top indicates the latest revision. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

privacy@truemetric.info

Data Protection Officer
Chelsea AI Ventures Ltd.