Privacy Policy

JAMP ("we", "our", "us") is a website analytics and monitoring service built so you can understand your traffic without surveilling the people who visit your site. The tracking script sets no cookies, stores no IP addresses, and never follows a person from one site to another. We don't sell data to anyone, and your analytics belong to you.

This policy explains what we collect, why, where it lives, and the rights you and your visitors have. It is not legal advice; if you need a signed agreement, see our Data Processing Agreement.

For the analytics we collect about your visitors, you are the data controller and JAMP is your processor: we only handle that data to provide the service to you, on your instructions. Our DPA governs this relationship.

For your own account data (your email, billing, settings), JAMP is the controller.

When you install JAMP, we collect a minimal, anonymous record of each pageview and event:

• No cookies. Nothing is written to the visitor's browser, so no consent banner is required for our tracking.
• No stored IP address. To count unique visitors we compute a daily-rotating hash (HMAC-SHA256) from the IP address and user agent, server-side. The raw IP is never stored, and the hash resets every midnight, so a visitor cannot be recognised from one day to the next.
• What we record: page path, referring domain, browser, operating system, device type, an approximate country (derived from the IP at the edge, then discarded), and any custom events you choose to send. Optional scripts add sampled Core Web Vitals and JavaScript error reports (messages and stack traces are scrubbed of emails, tokens and long numbers before storage).

• Account: your email, a display name, and either a hashed password (bcrypt) or, if you use single sign-on, an identifier from Google or GitHub.
• Configuration: the websites you add, monitoring and alert settings, and any webhook URLs you provide.
• Billing: handled by Stripe. We store your Stripe customer and subscription IDs and your plan, never your card number.

We process visitor analytics to provide the service to you (our legal basis is the performance of our contract with you, and your visitors' data is processed on your instructions as controller). We process your account data to run your account, take payment and send you service emails (contract and legitimate interests). We do not use any of it for advertising.

Analytics events are stored on dedicated servers at Hetzner in Germany, in the EU. Your account database is hosted in the EU on Supabase. The application runs on Vercel's edge network. We keep visitor data in the EU; it does not get shipped to a US cloud for storage.

We share the minimum data needed to run the service with the following providers:

Visitor analytics and your account database stay in the EU. A few operational providers (Stripe, Resend, single sign-on) process limited data in the US. Where that happens, it is covered by Standard Contractual Clauses or the EU-US Data Privacy Framework.

Raw analytics events are retained according to your plan: 90 days on Free, 12 months on Starter, 24 months on Pro and 60 months on Scale. Aggregated daily rollups are kept so your long-term trends survive. Real-user vitals and error records are kept for 90 days. If you delete a site or your account, the associated data is removed.

Our tracking script is cookieless. The JAMP dashboard you log in to uses a single strictly-necessary session cookie to keep you signed in. We use no advertising or third-party tracking cookies, and we measure our own marketing site with JAMP, so there is no consent banner here either.

Traffic is served over TLS. Passwords are hashed with bcrypt. Visitor identity is one-way hashed with a rotating secret and no raw IP is retained. Error messages and stack traces are scrubbed of emails, tokens and long numbers before they are stored.

Under the GDPR and similar laws you can request access to, correction of, deletion of, or a copy of your personal data, and you can object to or restrict certain processing. Email support@jamp.io and we will respond within 30 days. For requests about a specific site's visitor data, the site owner is the controller; we will help them respond.

JAMP is a business tool and is not directed at children. We do not knowingly collect data from children under 16.

If we change this policy we will update the date above and, for material changes, let you know by email. Questions, or want to exercise a right? Email support@jamp.io.