Data & Privacy
Learn what data VitalSentinel collects and how we handle privacy.
VitalSentinel is designed with privacy in mind. This page explains what data we collect, how we handle it, and how to maintain compliance.
Privacy by Default
VitalSentinel's tracking scripts are privacy-focused:
- No cookies by default - Works without consent banners
- No personal data - We don't collect PII
- No cross-site tracking - Each domain is isolated
- IP anonymization - IP addresses are not stored
What Data is Collected
VitalSentinel App Users
When you create a VitalSentinel account, we collect:
Account Information:
- Email address (used for login and notifications)
- Password (securely hashed, never stored in plain text)
- First and last name
- Timezone and theme preferences
- Profile picture (retrieved from Gravatar based on your email)
- Two-factor authentication settings (if enabled)
Workspace Data:
- Workspace name and configuration
- Team member emails, roles, and invitation status
Billing Information:
- Subscription plan and status
- Usage metrics (page views, events, domains against plan limits)
- Payment methods and invoices (processed and stored by Stripe, not VitalSentinel)
Third-Party Services:
- Stripe - Handles all payment processing. We don't store credit card numbers.
- Google OAuth - Used only if you connect Google Analytics or Search Console integrations.
App Analytics:
- We use our own RUM and Web Analytics scripts on the VitalSentinel dashboard
- The same privacy-by-default principles apply (no cookies, anonymous data)
- We do not sell or share your account data with third parties
For complete details, see our Privacy Policy.
Website Visitors (Tracking Scripts)
The following data is collected about visitors to your website when you install our tracking scripts.
RUM Script
The Real User Monitoring script collects:
Performance Data:
- Core Web Vitals (LCP, CLS, INP, TTFB, FCP)
- Navigation timing metrics
- Resource loading times
- JavaScript errors
Session Data:
- Session ID (anonymous, regenerated per page load)
- Page URLs visited (sanitized)
- Timestamps
Device Data (anonymous):
- Browser type and version
- Operating system
- Screen resolution
- Device type (mobile/desktop)
- Network connection type
Engagement (optional):
- Scroll depth
- Time on page
- Click patterns (anonymous)
Web Analytics Script
The Web Analytics script collects:
Traffic Data:
- Page views
- Referrer URL
- UTM parameters
- Traffic source classification
Session Data:
- Session ID (anonymous)
- Pages per session
- Session duration
Device Data (same as RUM)
E-commerce (if applicable):
- Product views
- Cart actions
- Purchases (no payment details)
What We Don't Collect (By Default)
- Names, emails, or personal identifiers
- IP addresses (hashed and discarded)
- Passwords or sensitive form data
- Payment card information
- Health or financial data
- Precise location (city-level only)
The Web Analytics script has an optional identify() method that allows you to associate user data (like email or user ID) with analytics events. This is opt-in and requires explicit implementation by your developers. If you use identify(), ensure you have proper consent for collecting that data.
Data Handling
Transmission
- All data is encrypted in transit (TLS)
- Direct connection to our servers
- No third-party data sharing
Storage
- Encrypted at rest
- Stored in secure cloud infrastructure
- Access controlled and audited
- Regular security assessments
Retention
Data is retained based on your plan:
| Plan | Retention |
|---|---|
| Free | 12 months |
| Starter | 16 months |
| Freelancer | 16 months |
| Agency | 24 months |
| Enterprise | Custom |
After the retention period ends, data is automatically deleted.
Deletion
You can delete data by:
- Removing a domain (deletes all associated data)
- Canceling your workspace subscription (data deleted after grace period)
- Requesting account deletion (removes everything)
GDPR Compliance
VitalSentinel is designed for GDPR compliance.
No Consent Required (Default)
With default settings:
- No cookies
- No persistent identifiers
- Anonymous data only
- No consent banner needed
With Consent (Enhanced Features)
If you want returning visitor tracking:
- Get user consent
- Call grantConsent('persistent') - Persistent visitor IDs enabled
- Follow your consent requirements
Data Subject Rights
For GDPR compliance, users have rights to:
- Access their data
- Delete their data
- Object to processing
Since we don't collect personal data by default, these rights typically don't apply to our analytics data.
Data Processing Agreement
Enterprise customers can request a DPA for compliance purposes.
Other Privacy Regulations
CCPA (California)
VitalSentinel does not:
- Sell personal information
- Share data for cross-context advertising
- Collect sensitive personal information
PECR (UK/EU Cookie Law)
Default configuration requires no cookies, so PECR consent is not needed for basic tracking.
Other Regions
Our privacy-by-default approach generally satisfies:
- Brazilian LGPD
- Canadian PIPEDA
- Australian Privacy Act
Best Practices
For Maximum Privacy
- Use default configuration (no storage)
- Don't enable persistent tracking
- Use lower sample rates to reduce data collection
- Mask text and selectors if needed
For GDPR Compliance
- Use default (no-cookie) mode
- Only enable persistent storage with consent
- Provide opt-out mechanism
- Update your privacy policy
Privacy Policy Updates
Add to your privacy policy:
We use VitalSentinel to monitor website performance and analytics. By default, this service does not use cookies or collect personal information. Anonymous performance and usage data is collected to improve our website. For more information, see VitalSentinel's privacy documentation.
Script Configuration for Privacy
Maximum Privacy
<script
  src="https://rum.vitalsentinel.com/rum.js"
  data-key="YOUR_ID"
  data-mask-text="true"
  data-mask-selectors="true"
  data-filter-query-params="true"
  async
></script>
Standard (Default)
<script
  src="https://rum.vitalsentinel.com/rum.js"
  data-key="YOUR_ID"
  async
></script>
With Consent Management
<script
  src="https://analytics.vitalsentinel.com/analytics.js"
  data-key="YOUR_ID"
  data-storage="none"
  async
></script>
<script>
  // Option 1: Call grantConsent when your cookie banner fires
  document.addEventListener('your-cookie-consent-event', function() {
    window.VitalSentinelAnalytics.grantConsent('persistent');
  });
  // Option 2: Dispatch the built-in event (handled automatically)
  // window.dispatchEvent(new CustomEvent('vs-analytics-consent', {
  //   detail: { level: 'persistent' }
  // }));
</script>
Opt-Out for Visitors
Provide an opt-out mechanism for Web Analytics tracking:
// Opt out of Web Analytics tracking
window.VitalSentinelAnalytics.optOut();
// Resume tracking
window.VitalSentinelAnalytics.optIn();
// Check opt-out status
const isOptedOut = localStorage.getItem('vs-opted-out') === 'true';
For RUM, you can respect the browser's Do Not Track setting by conditionally loading the script:
// Only load RUM if Do Not Track is not enabled
if (navigator.doNotTrack !== '1') {
  // Load RUM script
}
Security
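The Do Not Track check from the Opt-Out for Visitors section, filled out as an added example (not VitalSentinel's own code): it also covers the legacy DNT properties and values, which goes beyond the single check shown there. Reusing the vs-opted-out flag for RUM and rum.js reading data-key from an injected tag are assumptions; trackingAllowed and loadRum are hypothetical names.

```javascript
// Added example: decide whether the RUM tag may be injected at all.
// Kept as a pure function of its inputs so it can be tested without a browser.
function trackingAllowed(nav, win) {
  // Do Not Track has been exposed under several names and spellings.
  const signals = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack];
  if (signals.some((v) => v === '1' || v === 'yes')) return false;
  try {
    // Assumption: honour the Web Analytics opt-out flag for RUM as well.
    const ls = win.localStorage;
    if (ls && ls.getItem('vs-opted-out') === 'true') return false;
  } catch (e) {
    // Storage access can throw when the browser blocks it; in that case
    // no opt-out flag could have been persisted either.
  }
  return true;
}

// Injects the "Standard (Default)" tag, or returns null when a signal blocks it.
// Assumption: rum.js picks up data-key from a dynamically inserted tag.
function loadRum(doc, nav, win, key) {
  if (!trackingAllowed(nav, win)) return null;
  const s = doc.createElement('script');
  s.src = 'https://rum.vitalsentinel.com/rum.js';
  s.setAttribute('data-key', key);
  s.async = true;
  doc.head.appendChild(s);
  return s;
}

// In a page: loadRum(document, navigator, window, 'YOUR_ID');
```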
Our Security Practices
- Regular penetration testing
- Encrypted data at rest and in transit
- Access logging and monitoring
- Incident response procedures
Reporting Vulnerabilities
If you discover a security issue:
- Email: security@vitalsentinel.com
- Do not publicly disclose until resolved
- We'll acknowledge within 24 hours
Contact
For privacy questions:
- Email: privacy@vitalsentinel.com
- DPA requests: legal@vitalsentinel.com