Privacy & Security

How Nalytics stores, protects, and removes your data.

This guide summarizes token handling, anonymous event collection, retention controls, and the operational security posture of the product.

Token state

Encrypted

OAuth credentials are stored at rest with server-side encryption.

IP storage

None

Country data is derived from infrastructure headers without retaining raw IPs.

Deletion path

Manual

Workspace and account deletion remain explicit user-controlled actions.

Token storage

Access and refresh tokens stay on the server and are protected at rest.

  • Your Notion OAuth access token is encrypted at rest in the database and never stored in plaintext.
  • If Notion provides a refresh token, it is encrypted and stored alongside the access token.
  • Tokens are decrypted only on the server when making authorized Notion API requests on your behalf.

Least-privilege access

The product is designed around explicit, workspace-scoped permissioning.

  • Nalytics requests only the minimum Notion OAuth scopes required to list and identify the pages you choose to track.
  • Only pages you explicitly enable are tracked. Everything else remains untouched.
  • Public embed snippets use a site-specific public identifier instead of exposing internal workspace IDs or page IDs in the browser.

Data collected per event

Event payloads are small and oriented around anonymous analytics rather than identity.

For each page view or reaction event recorded by the embed widget, Nalytics stores:

  • Page URL for the tracked Notion page.
  • Event type such as page_view or reaction.
  • Session identifier stored in session storage and reset on each new browser session.
  • User identifier hash stored anonymously in local storage and not linked to a real identity.
  • Country code derived from infrastructure-level request headers. IP addresses are not stored or logged by Nalytics.
  • Timestamp, optional referrer URL, and browser user agent.

Data retention

Retention follows workspace lifecycle unless you explicitly delete earlier.

  • Analytics events are retained until you delete the workspace.
  • Daily rollup aggregates are stored alongside raw events and removed together.
  • There is no automatic expiry period. You control retention by managing your workspace.

Data deletion

Deletion remains explicit and destructive, with both workspace-level and account-level paths.

  • Delete a workspace from Settings / Advanced to permanently remove pages, events, and analytics data.
  • Delete your account from Profile / Delete profile to remove the account and all owned workspaces.

For manual deletion requests, contact support@nalytics.live.

Security practices

The operational model is intentionally conservative for a lightweight analytics product.

  • All traffic is served over HTTPS.
  • Access tokens are encrypted at rest using server-managed keys.
  • Cookie-authenticated mutation routes reject cross-site origins before any state change is processed.
  • IP addresses are not stored or logged by the application.
  • Session and user identifiers are anonymous and cannot directly identify a real person.
  • Public ingest is rate limited and designed to use shared Redis-backed storage in production.
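
The cross-site origin rejection listed above can be pictured as a check that runs before the route handler is called. This is an added example, not Nalytics code: `APP_ORIGIN`, `checkMutationOrigin` and `guard` are hypothetical names, and the request is assumed to be a plain object with lower-cased header names.

```javascript
// Added illustration, not Nalytics source. APP_ORIGIN is a constructed value.
const APP_ORIGIN = "https://app.example.test";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Parse a header value into a normalized origin; null if it is not a URL
// (this also covers the literal "null" that browsers send for opaque origins).
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Decide whether a cookie-authenticated request may reach a state-changing
// handler. req = { method, headers } with lower-cased header names (assumed).
function checkMutationOrigin(req, allowedOrigin = APP_ORIGIN) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) {
    return { allow: true, reason: "safe-method" };
  }
  const { origin, referer } = req.headers;
  const site = req.headers["sec-fetch-site"];
  // Fetch Metadata, when the browser sends it, labels cross-site requests.
  if (site !== undefined && site !== "same-origin") {
    return { allow: false, reason: "fetch-metadata:" + site };
  }
  // Exact comparison of parsed origins defeats prefix and suffix lookalikes.
  if (origin !== undefined) {
    return originOf(origin) === allowedOrigin
      ? { allow: true, reason: "origin-match" }
      : { allow: false, reason: "origin-mismatch" };
  }
  // Older clients may omit Origin; fall back to the Referer's origin.
  if (referer !== undefined) {
    return originOf(referer) === allowedOrigin
      ? { allow: true, reason: "referer-match" }
      : { allow: false, reason: "referer-mismatch" };
  }
  // No evidence of where the request came from: fail closed.
  return { allow: false, reason: "no-origin-evidence" };
}

// Wrap a handler so the check runs before any state change is processed.
function guard(handler) {
  return (req) => {
    const verdict = checkMutationOrigin(req);
    return verdict.allow ? handler(req) : { status: 403, body: verdict.reason };
  };
}
```

A rejected request returns 403 without the wrapped handler ever running, which is the property the bullet describes.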