Legal

Privacy policy

Last updated June 21, 2026

Statlark is revenue-aware web analytics. This policy explains what we collect, why, and the choices you have. It covers our website and the Statlark service.

Two roles

For the analytics we collect on your visitors, we act on behalf of our customers. When a site owner installs Statlark on their website, that owner decides what is collected and why — they are the data controller, and we are their processor. If you are a visitor to a site that uses Statlark, the site owner’s privacy policy governs, and requests about your data should go to them. A data processing agreement (DPA) is available to customers on request.

For our own customers’ account information, we are the controller. That means the email you sign up with and the workspace details you give us. The rest of this policy describes both.

What the tracker collects

When a page on a customer site loads our script, we record, for that site:

  • The page visited and the referring source — including UTM tags and ad-click IDs (gclid, fbclid, msclkid) when present.
  • Approximate location — country, region, and city — derived from the request. We do not store your full IP address.
  • The device type, derived from the browser’s user agent (we don’t store the raw user-agent string).
  • A first-party identifier in a _slk_vid cookie, so return visits from the same browser can be counted as one visitor.
  • Any properties the site owner attaches to a goal or custom event (for example, the destination of an outbound link). These are open-ended, so owners are responsible for keeping sensitive data out of them.

If the site owner chooses to call our identify() function — for example, after a visitor signs in — we also receive the details they pass to link that visitor to a known person. These may include a user id, a name, an email address, a profile-image URL, and any custom traits the owner attaches. Because traits are open-ended and set by the owner, owners are responsible for not sending sensitive personal data.

Payment data from Stripe

If a customer connects their Stripe account, Stripe sends us payment events (for example, a completed checkout or a paid invoice) so we can attribute revenue to the visitor and source that earned it. From those events we keep the amount, currency, a transaction identifier, and the customer email used at checkout. We also retain the complete Stripe event for reconciliation and debugging, which can include other details Stripe includes, such as a billing name or address. We never receive or store a Stripe API key — every event is verified with a per-site signing secret kept encrypted in our vault.

Cookies

Statlark sets a single first-party cookie, _slk_vid, to recognise a returning browser. We do not set third-party cookies and do not track people across sites or sell data to ad networks. Customers are responsible for providing their visitors any notice or consent their jurisdiction requires for analytics.

How we use data

  • To provide the analytics service and attribute revenue to sources.
  • To operate, secure, debug, and improve Statlark.
  • To send transactional email, such as your sign-in codes.

We may use aggregated, de-identified statistics (that don’t identify any person or customer) to understand and improve the product.

Who we share data with

We use a small set of infrastructure providers (sub-processors) to run the service:

  • Supabase — database and authentication.
  • Vercel — application hosting and content delivery, including approximate location derived at the edge for sites that route their tracker through Vercel.
  • Resend — transactional email (sign-in codes).
  • Cloudflare — DNS, and approximate location derived at the edge — both through our default hosted collector (used by the standard one-line install) and when a customer routes their tracker through Cloudflare. The full IP address is used only for this lookup and is never stored.

Stripe processes payments for our customers; we only observe the events they send us. We don’t sell personal data.

How long we keep it

We keep analytics and account data while the account is active. When a workspace or account is deleted, its collected data is removed. You can ask us to export or delete your data at any time — see below.

Your rights

Depending on where you live, you may have rights to access, export, correct, or delete your personal data. Account owners can request an export or deletion of their workspace data; self-serve tools for this are on the way, and in the meantime you can reach us at hello@tamadoggo.com. If you are a visitor to a customer’s site, contact that site owner, who controls the data.

Security

Each customer’s data is isolated at the database level, secrets such as Stripe signing keys are stored encrypted, and we hold no Stripe API keys. No system is perfectly secure, but we take reasonable measures to protect your data.

International transfers

Our providers may process data in regions outside your own. Where that happens, we rely on those providers’ safeguards for international transfers.

Children

Statlarkis a business tool and is not directed to children. We don’t knowingly collect personal data from children.

Changes

We may update this policy as the product evolves. We’ll change the “last updated” date above, and for material changes we’ll give account owners reasonable notice.

Contact

Questions about this policy or your data? Email hello@tamadoggo.com. See also our terms of service.