Privacy Policy
Last updated: April 3, 2026
This Privacy Policy describes how Kontex, operating as identity-js ("we", "us", "our"), collects, uses, and protects information in connection with the identity-js analytics platform ("Service"). We are committed to protecting the privacy of both our customers and their website visitors.
This policy covers two categories of people: (1) Customers — you, the person or entity that has an identity-js account, and (2) End Users — the visitors to websites that use the identity-js tracker.
1. Information We Collect
1.1 Customer Information (Account Holders)
When you create an account, we collect:
- Email address — used for account authentication, billing communications, and service notifications
- Password — stored as a one-way cryptographic hash (bcrypt); we never store or have access to your plaintext password
When you subscribe to a paid plan, payment information is collected and processed exclusively by our payment processor, Paddle.com Market Limited. We do not collect, store, or have access to your credit card numbers, bank account details, or other financial information.
1.2 End User Information (Website Visitors)
When the identity-js tracker is installed on a customer's website, we collect the following technical information from website visitors:
| Data Category | What We Collect | Purpose |
|---|---|---|
| Browser fingerprint | Canvas hash, WebGL renderer, audio context hash, installed fonts count, screen dimensions, color depth, device pixel ratio, CPU cores, device memory, timezone, language, platform | Generate a unique, non-reversible fingerprint hash for returning visitor identification without cookies |
| Browser information | Browser name and version, operating system, mobile/desktop flag, user agent | Device and browser analytics |
| Network information | IP address (used for geolocation, then discarded from query results), approximate geographic location (country, region, city), ISP/organization name | Geographic analytics and bot detection |
| Behavioral data | Mouse movement velocity, click positions, scroll depth, keystroke intervals (NOT actual keystrokes), page visibility changes, session duration | Behavioral analytics, bot detection, frustration scoring |
| Interaction events | Rage clicks, dead clicks, phantom clicks, form abandonment (field names only, NOT field values), text copy events (character count only, NOT copied content), console errors | UX analytics and frustration detection |
| Page context | Page URL, referrer URL, page title | Page-level analytics and visitor journey tracking |
1.3 What We Do NOT Collect
identity-js is designed with privacy at its core. We explicitly do NOT collect:
- Names, email addresses, phone numbers, or any directly identifying personal information of end users
- Actual keystrokes, passwords, or form field values
- The content of copied text (only character count)
- Cookies — we use zero cookies
- Cross-site tracking data — fingerprints are scoped per project/website
- Financial or payment information of end users
- Health, biometric, or sensitive category data
2. How We Use Information
2.1 Customer Data
- To provide and maintain your account and the Service
- To process payments and manage subscriptions (via Paddle)
- To communicate with you about your account, service updates, and support requests
- To enforce our Terms of Service and protect against abuse
2.2 End User Data
- To provide analytics and insights to our customers about their website traffic and user behavior
- To identify returning visitors across sessions using browser fingerprinting (without cookies)
- To detect bots, scrapers, and automated traffic
- To calculate frustration scores and identify UX issues on customer websites
We do NOT use end user data for advertising, profiling, selling to third parties, or any purpose other than providing analytics to the website operator (our customer).
3. Cookie Policy
identity-js does not use cookies, localStorage, sessionStorage, or any browser storage mechanism to track end users. Visitor identification is performed entirely through browser fingerprinting — a technique that analyzes publicly available browser characteristics to generate a hash. This hash is produced by a one-way function and cannot be used to reverse-engineer the original browser characteristics or identify a specific individual.
Because we do not use cookies, websites using identity-js generally do not need to display cookie consent banners specifically for our service. However, website operators are responsible for ensuring their overall privacy compliance.
4. Legal Basis for Processing (GDPR)
For customers in the European Economic Area (EEA) and the United Kingdom, we process personal data under the following legal bases:
- Contract performance (Article 6(1)(b) GDPR) — Processing customer account data is necessary to provide the Service you have subscribed to.
- Legitimate interest (Article 6(1)(f) GDPR) — Processing end user technical data for website analytics serves our customers' legitimate interest in understanding and improving their websites. We have conducted a balancing test and determined that this interest is not overridden by end users' rights, given that: (a) we collect only technical data, not personal identifiers; (b) fingerprint hashes are non-reversible; (c) data is scoped per website and not used for cross-site tracking; (d) data retention is limited.
5. Data Sharing and Third Parties
We do not sell, rent, or trade any personal data to third parties. We share data only in the following limited circumstances:
- Paddle (payment processor) — receives customer billing information to process payments. Paddle acts as the Merchant of Record. See Paddle's Privacy Policy.
- Infrastructure providers — our hosting provider (Railway) processes data on our behalf to provide server infrastructure. They do not have independent access to or rights over the data.
- Legal requirements — we may disclose information if required to do so by law, court order, or governmental request.
6. Data Retention
Analytics data (events, sessions, behavioral data) is retained according to the customer's subscription plan:
- Free plan: 7 days
- Pro plan: 90 days
- Business plan: 1 year
- Enterprise plan: as agreed in the service contract
Data exceeding the retention period is automatically and permanently deleted through a daily cleanup process. Visitor fingerprint records are retained for the duration of the customer's account to support returning visitor identification.
Customer account data (email, hashed password) is retained until the account is deleted. Upon account deletion, all associated data is permanently removed within 30 days.
7. Data Security
We implement appropriate technical and organizational measures to protect data, including:
- All data transmitted between the tracker, API, and dashboard is encrypted using TLS/SSL
- Passwords are hashed using bcrypt with appropriate cost factors
- Browser fingerprints are stored as one-way hashes that cannot be reversed
- API access requires authenticated tokens (JWT)
- Rate limiting is applied to prevent abuse
- Access to administrative functions is restricted to authorized personnel
While we take reasonable precautions, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. International Data Transfers
Our servers are hosted in the European Union (via Railway). Data may be processed in the EU and the Republic of Serbia. For transfers from the EEA to Serbia, we rely on appropriate safeguards as required by applicable data protection law.
9. Your Rights
9.1 Customer Rights
As a customer, you have the right to:
- Access your account data through the dashboard
- Rectify your email address by contacting us
- Delete your account and all associated data
- Export your analytics data (available on Business and Enterprise plans)
- Object to processing or request restriction of processing
- Lodge a complaint with your local data protection authority
9.2 End User Rights
End users of websites that use identity-js should contact the website operator (our customer) to exercise their data protection rights. As a data processor acting on behalf of our customers, we will cooperate with such requests.
End users may also contact us directly at the email below, and we will assist in directing the request to the appropriate website operator or process it as required by law.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will promptly delete such information.
11. Data Controller and Processor Roles
For customer account data, identity-js acts as the data controller. For end user analytics data collected on customer websites, identity-js acts as a data processor on behalf of our customers, who are the data controllers. Our customers determine the purposes and means of processing end user data by choosing to install the tracker on their websites.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify customers of material changes via email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was most recently revised.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is handled, please contact us at:
Kontex (Stevan Andric)
Data Controller, identity-js
Email: andric.stevan@yahoo.com
Website: www.identity-js.com