Security

Last updated: February 1, 2026

Our Approach

Aizen Analytics is built on a simple principle: collect less, protect more. The best way to keep data safe is to not collect it in the first place. We don't store IP addresses, we don't use cookies, and we don't keep persistent identifiers.

What We Don't Store

Before describing how we protect data, it's worth emphasizing what never reaches our database:

  • Raw IP addresses — used transiently for security and geolocation, then discarded
  • Full user agent strings — parsed into browser name, OS name, and device type, then discarded
  • Cookies or local storage identifiers — we don't set any
  • Cross-site or persistent visitor identifiers
  • Referrer URL paths — only the origin domain is stored

Session Hashing

Unique visitors are counted using a one-way hash derived from the visitor's IP address, user agent, and a daily rotating salt. This hash is scoped to a single site and a single day. The daily salt is automatically deleted within 48 hours, making it impossible to reverse-engineer or reconstruct visitor identities after that window.
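A minimal sketch of the scheme described above, added here as an illustration and not Aizen's own code. HMAC-SHA256, the in-memory salt store, and every name and sample value are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

SALT_TTL = timedelta(hours=48)  # from the page: salts are deleted within 48 hours


class DailySaltStore:
    """In-memory stand-in for wherever daily salts are kept (assumption)."""

    def __init__(self):
        self._salts = {}  # UTC date string -> (salt bytes, created_at)

    def salt_for(self, now):
        day = now.strftime("%Y-%m-%d")
        if day not in self._salts:
            self._salts[day] = (secrets.token_bytes(32), now)
        return self._salts[day][0]

    def purge(self, now):
        """Delete salts older than SALT_TTL and return the days removed."""
        expired = [day for day, (_, created) in self._salts.items()
                   if now - created >= SALT_TTL]
        for day in expired:
            del self._salts[day]
        return expired


def session_hash(store, site_id, ip, user_agent, now):
    """Keyed one-way hash scoped to one site and one UTC day."""
    salt = store.salt_for(now)
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (site_id.encode(), ip.encode(), user_agent.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample values (documentation IP range, made-up user agent).
    store = DailySaltStore()
    day1 = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (constructed)"
    print(session_hash(store, "site-a", "203.0.113.7", ua, day1))
    print(store.purge(day1 + SALT_TTL))  # ['2026-02-01']
```

While a day's salt still exists, anyone holding it can test candidate IP and user agent pairs against stored hashes, so the purge step is what makes old hashes unlinkable.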

PII Filtering

Custom event properties are automatically scanned server-side before storage. Values that resemble email addresses, phone numbers, UUIDs, long hex tokens, or IP addresses are silently dropped. This prevents accidental collection of personal data through custom events.

Encryption

  • All data in transit is encrypted via TLS (HTTPS)
  • Database is encrypted at rest
  • Passwords are hashed using industry-standard algorithms (never stored in plain text)
  • Sensitive tokens (such as OAuth credentials for Search Console) are encrypted before storage

Access Controls

  • Authentication is required for all dashboard and API access
  • Team members are invited per-site with role-based permissions
  • Admin endpoints are restricted and authenticated
  • API rate limiting is enforced on all public endpoints

Data Retention

Individual event data is retained for a limited period for detailed analytics and debugging. After that window, data is aggregated into daily counts with no session hashes or individual-level detail. Aggregated data is retained for 3–5 years depending on your plan. When you delete your account, all data is permanently removed within 30 days.

Infrastructure

Aizen is hosted in the United States on secure infrastructure with DDoS protection, automated backups, and monitoring. All traffic is proxied through a CDN with Web Application Firewall (WAF) rules to protect against common attacks.

Browser Privacy Signals

Our tracking script does not currently respond to the Do Not Track (DNT) browser signal. We minimize data collection as described in our privacy policy.

Global Privacy Control (GPC) is treated as an opt-out of the sale or sharing of personal data. Because Aizen does not sell or share analytics data with third parties, GPC does not disable analytics collection.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly to [email protected]. We take all reports seriously and will respond promptly. Please do not publicly disclose the issue until we've had a chance to address it.

Questions

For security-related questions, contact us at [email protected]