Overview
- All data encrypted in transit via HTTPS/TLS
- IP addresses are never stored — used transiently and discarded
- No cookies, no persistent identifiers, no cross-site tracking
- Authentication via Clerk with multi-factor authentication support
- Automatic data retention and deletion based on plan
- You retain full ownership and control of your data
Data minimisation
Zenith is designed around the principle of collecting only what is necessary for useful analytics. We do not use cookies. We do not generate fingerprints or persistent identifiers. We do not collect personal data from website visitors.
IP addresses are received as part of standard HTTP requests but are never written to our database. They are used only for two transient purposes: geolocation (deriving country and city from server headers) and rate limiting (via an in-memory counter). The IP is discarded after processing.
For a complete list of data points collected, see our Data Policy.
Encryption
- In transit: All connections to Zenith use HTTPS/TLS. The tracking script, collection endpoint, and dashboard are all served over encrypted connections
- At rest: Analytics data is stored in Convex's managed database infrastructure, which provides encryption at rest
Infrastructure
- Application hosting: Vercel — provides global edge network, DDoS protection, and automatic scaling
- Database: Convex — managed backend with built-in access controls and encrypted storage
- Authentication: Clerk — handles all credential storage, password hashing, and session management
Authentication and access control
- Customer authentication is managed by Clerk, which handles password hashing, session tokens, and supports multi-factor authentication
- Dashboard access requires authentication — analytics data is only accessible to the site owner
- Shared dashboard links can be optionally password-protected by the site owner
- All Convex backend functions enforce authorisation checks before returning data
Input sanitisation
The tracking script and collection endpoint implement strict input validation:
- Site IDs are sanitised to alphanumeric characters only
- All string inputs are length-truncated to prevent oversized payloads
- Event types, device types, and country codes are validated against allowlists
- Numeric values (scroll depth, web vitals, revenue) are range-checked and sanitised
- Bot traffic is filtered using user-agent detection
- Spam referrers are blocked
- Duplicate events are deduplicated server-side
Data ownership and portability
- All analytics data belongs to you, the site owner
- We never sell, share, or monetise your data
- Shared dashboards give you control over who can view your data, with optional password protection
Data retention and deletion
- Analytics events are automatically deleted after plan-specific retention periods (6 months for free, 1 year for pro, 2 years for unlimited)
- Retention cleanup runs automatically in scheduled batches
- You can delete individual sites or your entire account at any time from your dashboard
- Account deletion permanently removes all associated data
Incident response
In the event of a security breach affecting customer data, we will notify affected customers within 72 hours via the email address associated with their account, in accordance with GDPR requirements.
Vulnerability disclosure
If you discover a security vulnerability in Zenith, please report it to jack@jacksportfolio.com. We take all reports seriously and will respond promptly.