Privacy Policy

Effective date: February 3, 2026
Last updated: February 3, 2026

1. Who we are

This Privacy Policy describes how WhoClickedIt (“we”, “us”, “our”) collects, uses, stores, and discloses information when you use our website, dashboard, tracking tools, and related services (the “Service”).

Contact: WhoClickedIt — privacy@whoclickedit.com
Country: Australia (Victoria)

2. Scope and roles (Important)

The Service has two different audiences:

  • Account users / customers (you): Those who sign in to the dashboard and configure tracking (including generating tracking links). We process information about you as an account user (including your sign-in identity).
  • End-users / visitors: Those who browse websites where the tracking script is installed. We aim to collect anonymous usage analytics about those visitors (not their names, emails, or other direct identifiers), but we still process certain device and behavioral data and assign a persistent identifier in the browser.

Your responsibility as a customer: When you install the tracking script on a website, you are responsible for complying with applicable privacy and cookie laws for that website (e.g., providing notices/consent where required).

You (the customer) agree not to intentionally send personal information to the Service through URLs, page paths, custom event fields, or other data payloads, and you are responsible for implementing any necessary notices/consents on your websites.

3. Information we collect

A) Information about account users (dashboard customers)

When you create and use an account, the Service uses authentication to identify you and show your account email in the dashboard. Depending on how you configure sign-in, we may process:

  • Account identifiers (e.g., email address, UID)
  • Basic account metadata required to provide access

B) Anonymous analytics about website visitors (tracking script)

The tracking script assigns a random visitor identifier stored in the browser (for example, via local storage) to recognize repeat visits and attribute sessions. The script may send event data including:

  • A random/pseudonymous visitor ID
  • A sanitized page location (by default, we store the page path without query strings to reduce the risk of collecting personal information embedded in URL parameters)
  • Attribution data (such as UTM campaign parameters and referrer-derived source information)
  • Device and browser signals (e.g., device category and screen characteristics)
  • Behavioral analytics (e.g., time on page, whether the page was visible, interaction counts)
  • Conversion-related event types (e.g., form_submit, form_start, email_click, phone_click)
  • Email/phone click tracking: When enabled, we record only that an email link or phone link was clicked (for example, { type: "email_click" } or { type: "phone_click" }). We do not store the underlying email address, phone number, or the full link destination as part of these click events.

Important note about “no PII”:

We design the Service to avoid collecting information that directly identifies an individual visitor (such as names, email addresses, phone numbers, or postal addresses) as part of standard analytics.

However:

  • Even with query strings stripped by default, personal information can still appear in a URL path if a website embeds it there (for example, /users/jane.smith@example.com/ or similar).
  • The Service processes analytics provided by the customer’s website and browser environment; customers should avoid embedding personal data in URLs, page paths, or other page content intended for analytics, and should configure their sites accordingly.

C) Tracking-link data you create

If you use the “Create Tracking Link” feature, the Service stores the destination URL and UTM settings you enter (destination, source, campaign, content, full link).

D) Technical request metadata

Our collection endpoint receives typical HTTP request headers (e.g., origin, referrer, and user agent) and uses them for security controls and bot handling. We do not intentionally store IP addresses in our database in the core analytics record. (Note: hosting providers may still log IP addresses at the infrastructure level as part of normal operations.)

4. Cookies, local storage, and similar technologies

We use browser storage to make the tracking work reliably:

  • Local storage: to store a pseudonymous visitor ID (orbit_vid)
  • Session storage: for attribution/session logic (e.g., remembering the traffic source during a session)

We use these technologies strictly to provide analytics functionality (e.g., session attribution and repeat-visitor recognition) and not for cross-site advertising.

5. How we use information

We use information to:

  • Provide the dashboard, reporting, attribution, and activity feed features
  • Detect and reduce bot/scanner traffic and apply basic security filtering
  • Prevent abuse and protect the integrity of analytics (rate limiting / payload safeguards / domain checks)

6. How we store and secure information

Analytics events are written to Firebase / Google Firestore under a customer’s user space, keyed by the customer UID and visitor ID.

We take reasonable steps to secure data, including measures like:

  • Request origin handling and optional domain restrictions
  • Customer-specific allow-listing logic for domains
  • Payload size limits and burst/rate checks

No method of transmission or storage is 100% secure. You use the Service at your own risk.

7. Sharing and disclosure

We do not sell analytics data. We may share information only:

  • With our infrastructure providers (e.g., Firebase/Google Cloud) to host and operate the Service.
  • If required by law, court order, or to protect rights/safety.
  • To prevent fraud, abuse, or security threats.

8. Data retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Because this is a beta product, retention practices may change. Where feasible, we provide deletion controls within the product (e.g., deleting visit records).

9. International data transfers

Our providers may store/process data outside Australia (for example, in the United States or other regions). By using the Service, you consent to such transfers where permitted by law.

10. Your choices and rights

Depending on where you live, you may have rights to access, correct, delete, or object to certain processing.

  • Account users: You can request account deletion at: support@whoclickedit.com.
  • Website visitors: If you believe your personal information was captured in analytics (e.g., due to a URL containing personal data), contact the website operator first; you may also contact us at privacy@whoclickedit.com with details (URL, time, and site) so we can investigate.

11. Children

The Service is not intended for children under 16. Do not use the Service to knowingly collect information from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. Changes take effect when posted. Your continued use means you accept the updated policy.