Privacy Policy

Nalytics (“we”, “us”, “our”) is a Notion integration that provides page analytics through an embeddable feedback widget and a workspace reporting surface. This Privacy Policy explains what data we collect, how we use it, who we share it with, and how you can control or delete it.

By using Nalytics you agree to the practices described in this policy. Questions can be sent to support@nalytics.live.

Nalytics does not read, store, index, or transmit the text, blocks, databases, or any other content inside your Notion pages. Our Notion OAuth connection is used only to:

• Retrieve the list of pages in your workspace so you can select which to track.
• Validate page ownership when you enable or disable tracking.

We request the minimum Notion OAuth scopes required for this purpose. Page content is never accessed beyond the page title and URL needed to identify the page.

Account data

• Email address and display name provided by your sign-in provider.
• Profile avatar URL when available from the provider.

Analytics event data

Collected when a visitor loads a Notion page that has an active Nalytics embed widget:

• Tracked Notion page URL.
• Event type: page_view or reaction.
• Anonymous session identifier stored in the visitor’s browser session storage (not a cookie; cleared when the tab closes).
• Anonymous user identifier hash stored in the visitor’s browser local storage (persists across sessions to deduplicate visitors; not linked to any account or personal identity).
• Country code derived from infrastructure-level request headers. Raw IP addresses are never stored or logged by the application.
• Timestamp of the event.
• Referrer URL when available from the browser.
• Browser user-agent string.

Notion integration data

• Notion OAuth access token, encrypted at rest using AES-256.
• Notion workspace name and workspace ID.
• Refresh token if provided by Notion, also encrypted at rest.
• Page titles and URLs of pages you explicitly enable for tracking.

The Nalytics embed widget uses browser-native storage mechanisms — not HTTP cookies — to maintain anonymous visitor identifiers:

• Session storage holds an anonymous session ID that expires when the browser tab closes.
• Local storage holds an anonymous user hash to deduplicate returning visitors. It contains no name, email, or account information.

The Nalytics dashboard application does not use tracking cookies. Supabase and Stripe may set functional cookies as described in their own privacy policies.

• To display analytics reports — page views, reactions, visitor counts, location summaries, and trend comparisons — to workspace owners.
• To maintain daily rollup aggregates that support fast report queries.
• To authenticate accounts and enforce workspace access controls.
• To make authorized Notion API requests when you use the Pages feature to select and manage tracked pages.
• To process subscription payments through Stripe.

We do not use analytics event data for advertising, behavioral profiling, or any purpose other than providing the reporting service to the workspace owner.

Nalytics does not sell, rent, or trade personal data — including email addresses, visitor analytics, or Notion workspace information — to any third party. If a user provides their email address during account creation or support contact, that address is used only for account-related communications. Marketing communications (if any) will include an unsubscribe mechanism, and we will honor opt-out requests promptly.

Nalytics does not store or log IP addresses. Country information is derived from infrastructure-level headers provided by Vercel’s edge network and processed into a two-letter country code before reaching the application layer. The raw IP address is discarded at the network edge.

We share data only with the following sub-processors necessary to operate the service:

• Supabase — database storage and authentication, hosted in the EU (Frankfurt) region. Governed by Supabase’s Privacy Policy.
• Notion — content integration via OAuth. Governed by Notion’s Privacy Policy.
• Stripe — payment processing. Governed by Stripe’s Privacy Policy.
• Vercel — hosting and edge delivery. Governed by Vercel’s Privacy Policy.

We may disclose data if required by law or a valid legal process, and will make reasonable efforts to notify you unless prohibited from doing so.

Depending on your location, you may have rights under GDPR, CCPA, or other applicable privacy laws, including:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate data.
• Erasure — request deletion of your account and associated data (also available self-serve via Profile / Delete profile in the product).
• Portability — request your data in a machine-readable format.
• Restriction / objection — request that we restrict processing or object to processing in certain circumstances.

To exercise any of these rights, email support@nalytics.live. We will respond within 30 days.

• Analytics events and rollup aggregates are retained until the workspace is deleted by its owner.
• Account data is retained until the user profile is deleted.
• Notion OAuth tokens are deleted immediately when you disconnect your Notion workspace from the Integrations settings.

• Delete a workspace from Settings / Advanced to remove all pages, events, and analytics data for that workspace.
• Delete your account from Profile / Delete profile to remove your account, all owned workspaces, and all associated data.
• Disconnect Notion from Settings / Integrations to revoke the OAuth token and remove stored Notion credentials.

For manual deletion requests, email support@nalytics.live.

Nalytics is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has provided personal data to us, contact support@nalytics.live and we will delete it promptly.

We may update this Privacy Policy periodically. The “Last updated” date above will change when revisions are published. Continued use of Nalytics after changes are posted constitutes acceptance of the revised policy.

Privacy questions, data access or deletion requests, and concerns about this policy can be sent to support@nalytics.live.