Zenith provides website analytics without collecting personal data or personally identifiable information (PII), without using cookies, and in full compliance with GDPR, PECR, and other privacy regulations. This page explains exactly what data we collect and how it is processed.
What data is collected
For every pageview, we collect the following data points. Each is derived from standard HTTP request headers or the page context — no additional fingerprinting techniques are used.
- Page URL and path — The page being visited
- Referrer — The page that linked to the current page (from the HTTP Referer header)
- Browser — Derived from the User-Agent header (e.g. Chrome, Firefox)
- Operating system — Derived from the User-Agent header (e.g. Windows, macOS)
- Device type — Desktop, mobile, or tablet (derived from the User-Agent header)
- Country and city — Approximate location derived from server-side geolocation headers, not stored IP addresses
- Screen dimensions — Width and height of the visitor's screen
- Language — The browser's preferred language setting
- UTM parameters — Campaign tracking parameters if present in the URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term)
Optional auto-tracked events
Site owners can optionally enable additional event tracking. When enabled, these events collect:
- Click tracking — Button text and CSS selector of clicked elements (internal links and buttons only)
- Outbound link tracking — The URL and link text of clicks to external websites
- Form submission tracking — Form action URL, HTTP method, and form ID (no form field values are collected)
- Scroll depth — How far down the page a visitor scrolled (as a percentage)
- Web Vitals — Core Web Vitals performance metrics (LCP, CLS, INP, TTFB, FCP)
- Frustration signals — Rage clicks (rapid repeated clicks on the same element) and JavaScript errors
How IP addresses are handled
IP addresses are never stored in our database. When a request arrives at our collection endpoint, the IP address is used for two transient purposes:
- Geolocation — Country and city are derived from server-side headers (e.g. those provided by Vercel's edge network). Only the resulting country code and city name are stored.
- Rate limiting — To prevent abuse, we rate-limit requests by IP. This uses an in-memory counter that is never persisted.
After these two operations, the IP address is discarded. It never reaches our database.
How sessions work
Zenith does not use cookies or persistent identifiers. Instead, a random session ID is generated using crypto.randomUUID() and stored in the browser's sessionStorage.
- Session IDs are random — they contain no information about the visitor
- Sessions expire after 30 minutes of inactivity
- Closing the browser tab permanently destroys the session
- There is no way to link sessions across different websites, devices, or browser tabs
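The session handling described above, as an added example that is not Zenith's own code. The storage key names, the function names and the Map-backed stand-in for sessionStorage are assumptions made for illustration.

```javascript
// Added example; key and function names are hypothetical, not Zenith's code.
const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes of inactivity
const KEY_ID = "zs_id";          // hypothetical storage key
const KEY_LAST_SEEN = "zs_seen"; // hypothetical storage key

// Map-backed stand-in for window.sessionStorage so the example runs outside
// a browser. Each instance models one tab: sessionStorage is scoped to a
// single tab and is cleared when that tab closes.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Return the current session ID, rotating it after 30 idle minutes.
// In a browser: getSessionId(window.sessionStorage).
function getSessionId(storage, now = Date.now(),
                      newId = () => globalThis.crypto.randomUUID()) {
  const id = storage.getItem(KEY_ID);
  const lastSeen = Number(storage.getItem(KEY_LAST_SEEN));
  const idle = now - lastSeen;
  // A missing, non-numeric or future timestamp counts as expired, so a
  // corrupted value can never extend the lifetime of a session.
  const active = id !== null && Number.isFinite(lastSeen) && lastSeen > 0 &&
                 idle >= 0 && idle < SESSION_TIMEOUT_MS;
  // The ID is purely random: nothing about the visitor is encoded in it.
  const current = active ? id : newId();
  storage.setItem(KEY_ID, current);
  // Sliding window: every call counts as activity and resets the timer.
  storage.setItem(KEY_LAST_SEEN, String(now));
  return current;
}
```

Because the identifier lives only in sessionStorage, a second tab starts with empty storage and therefore receives an unrelated ID.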
Data ownership
All analytics data belongs to you, the site owner. We do not sell, share, or monetise your data in any way. You retain full ownership and can export or delete your data at any time.
For more on how we protect your data, see our Security page. For our full privacy policy, see our Privacy Policy.