
Data Processing

High-level information about how WebmasterID processes data on behalf of customer sites. Not a full Data Processing Agreement — see contact below to request one.

Last updated

This page is informational. It explains, at a high level, how WebmasterID acts when processing analytics data and how the controller / processor relationship typically applies. It is not a contractual Data Processing Agreement ("DPA"); a formal DPA is available on request and recommended for customers with regulatory obligations under GDPR, UK GDPR, or similar frameworks.

Controller and processor

When you install the WebmasterID tracker on your site, you (the site operator) typically act as the controller for the personal data of your visitors. WebmasterID acts as the processor, processing analytics data on your behalf, on your instructions, and only for the purposes of providing the analytics service. For data we collect about our own customers (e.g. dashboard accounts), we are the controller.

Data categories processed

On behalf of customer sites, WebmasterID processes a narrow set of fields per analytics event:

  • site_id, URL, pathname, referrer.
  • UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term).
  • Browser language and screen width.
  • Event name and timestamp.
  • An anonymised IP (IPv4/24, IPv6/48); raw IPs are not stored.
  • Limited additional event attributes (e.g. document title) where provided.

For AI/search crawlers, a separate bot_visits table holds: site_id, bot identifier and category, pathname, the bot's user-agent string, and timestamp. See /privacy-first-analytics for the full breakdown.

Purposes

Processing is limited to providing analytics aggregates to the customer site that installed the tracker, separating AI/search crawler traffic from human aggregates, and operating, securing, and debugging the WebmasterID service.

Security measures (summary)

  • TLS in transit between the browser, ingest API, and database.
  • Server-side IP anonymisation at the ingestion edge before storage.
  • Customer server-side secrets (wmsk_) are stored as SHA-256 hashes; the plaintext is shown once at site creation and is not retrievable.
  • Strict TypeScript event schemas and Zod validation.
  • DNT / GPC checked client-side and server-side (defense in depth).
  • Production data hosted on Supabase / PostgreSQL; ingest API and dashboard run as Vercel serverless functions.

Subprocessors

The current production subprocessors used to operate WebmasterID are:

  • Supabase — PostgreSQL hosting.
  • Vercel — Hosting for the ingest API, marketing site, and operator dashboard.

The complete subprocessor list will be confirmed in the formal DPA. Material changes will be reflected here in advance of taking effect.

Retention

The current default retention window is 90 days for events and bot visits. Per-site retention overrides are on the roadmap. The formal DPA will specify retention obligations and deletion procedures in detail.

International transfers

Subprocessors may host data in the European Union or the United States depending on project region. Where applicable, transfers rely on standard safeguards (e.g. EU Standard Contractual Clauses). Specific transfer mechanisms will be documented in the formal DPA.

DPA / data-processing contact

To request a formal Data Processing Agreement, ask about subprocessors, or raise a data-protection concern, please contact:

  • HELPERG LLC
  • 30 N Gould St Ste N, Sheridan, WY 82801, United States
  • Email: info@helperg.com

The legal-entity details above are provided as the current point of contact for data-processing matters and will be confirmed in the formal DPA. This page is informational and is not, by itself, a Data Processing Agreement. Final review by qualified counsel is recommended before public SaaS launch.
