Privacy Policy — PastelTrack

Contents

Acceptance of Terms
Overview
What we collect
Who can see what
PastelTrack admin rights
What we do not collect
How data is stored
Cookies & local storage
Third-party services
For website owners
Your rights
Changes to this policy
Contact

1. Acceptance of Terms

By embedding the PastelTrack tracking snippet on your website, you automatically agree to these Terms of Use and Privacy Policy. No further action is required — the act of installing the code constitutes acceptance. If you do not agree, you must remove the tracking snippet from your site immediately.

This agreement is entered into between you (the website owner, hereafter "Site Owner") and PastelTrack ("we", "us", "our"). By embedding the PastelTrack widget code on any web property, the Site Owner acknowledges and agrees that:

They have read and understood this Privacy Policy and Terms of Use in full.
They accept all conditions described herein, including the administrative rights described in Section 5.
They are responsible for informing their own visitors that PastelTrack analytics is in use on their site.
They grant PastelTrack the right to collect and process visitor data on their behalf as described in this policy.

If the Site Owner is acting on behalf of a company or other legal entity, they represent that they have the authority to bind that entity to these terms.

2. Overview

PastelTrack ("we", "us", "our") is a free, lightweight visitor analytics service for websites. This policy explains how we handle data when our tracking widget is embedded on a website, and when you use the PastelTrack analytics dashboard at pasteltrack.minidu.lk.

The short version: We count visitors and collect basic technical data (IP, OS, browser, country) to help website owners understand their traffic. Full IP addresses are visible only to verified domain owners. Public viewers see only totals. No cookies are set on visitors' browsers. PastelTrack administrators retain certain rights over all registered sites as described in this policy.

By using PastelTrack — either by embedding the widget or by visiting this site — you agree to the practices described in this policy.

3. What we collect

When a visitor loads a page with the PastelTrack widget, our server receives and processes the following data:

Data point	Purpose	Stored?	Who sees it
Page URL visited	Show which pages are being visited	Yes	Owner + Read-only + Admin
Referrer URL	Show where visitors came from	Yes	Owner + Read-only + Admin
Timestamp of visit	Daily and total count tracking	Yes	Everyone
IP address	Session deduplication and visitor identification	Yes	Owner + Admin only
Operating System	Visitor analytics breakdown	Yes	Owner + Read-only + Admin
Browser name	Visitor analytics breakdown	Yes	Owner + Read-only + Admin
Country (via CF-IPCountry)	Visitor geography analytics	Yes	Owner + Read-only + Admin
User-Agent string	Bot detection and OS/browser parsing	Not stored	N/A
Watermark compliance flag	Detect if attribution widget is displayed	Yes	Owner + Admin

All data is aggregated and associated with a site ID (the domain name). Session deduplication uses a SHA-256 hash of IP + User-Agent (stored as a 16-character session key) to prevent page refreshes from counting as new visits within a 30-minute window.

Important: Full IP addresses are stored in the recent visitor log (last 20 entries) and are visible only to the verified domain owner and PastelTrack administrators. Read-only invite links and public viewers cannot see IP addresses — they see ***HIDDEN*** instead.

4. Who can see what

PastelTrack has four access tiers. The data visible depends on how someone accesses your analytics:

🔓 Public

Anyone with your site ID. Sees: total count, online now count, domain name, and whether DNS is verified. No recent visitor list, no IPs, no technical details.

👁️ Read-Only Invite

Anyone with an invite link. Sees: all stats, daily counts, 30-day history, recent visitors with OS/browser/country, but IP addresses are masked as ***HIDDEN***.

🔑 Owner (Full Access)

Verified domain owner via secret key, magic link, or owner access link. Sees: everything including full IP addresses, full recent log, and can manage invites, rotate keys, and generate access links.

🛡️ PastelTrack Admin

The PastelTrack platform administrators. Have elevated access including the ability to view all site data, post notices, and remove sites. See Section 5 for full details.

Domain ownership is verified via DNS TXT records. The owner secret is required for full access. We also support 30-day owner access links and single-use 15-minute magic login links for convenience.

5. PastelTrack administrator rights

By embedding the PastelTrack snippet, you acknowledge and accept the following administrative rights retained by PastelTrack. These rights exist to maintain platform integrity, enforce terms of service, and ensure abuse prevention.

5.1 Site removal

PastelTrack administrators reserve the right to remove any registered site from the platform at any time, without prior notice, for any of the following reasons (including but not limited to):

Violation of these Terms of Use
Abuse of the tracking API or excessive automated requests
Use on sites that facilitate illegal activity, harassment, or harm
Platform maintenance, security incidents, or infrastructure requirements
At the sole discretion of the PastelTrack team

Site removal resets all ownership verification data, accumulated statistics, and stored credentials for the domain. Removed sites may re-register through the standard verification process unless explicitly banned.

5.2 Data access by administrators

PastelTrack administrators have backend access to all data stored on the platform for all registered sites. This includes:

Full visitor logs including IP addresses, page URLs, referrers, OS, browser, and country data
Visit counts, daily totals, and historical analytics for all sites
Site ownership information including hashed secret keys and email hashes
Active invite tokens, access links, and login tokens
Watermark compliance flags and violation counts

Administrative data access is used solely for platform operations: debugging, abuse prevention, security monitoring, and support. We do not use this access for commercial profiling or sell this data to third parties.

5.3 Platform notices

PastelTrack administrators may post notices (maintenance alerts, announcements, warnings) that appear in the analytics dashboards of registered site owners. These notices are used to communicate important platform information.

5.4 Watermark compliance monitoring

The PastelTrack tracking widget includes a watermark compliance check. Each tracking request records whether the PastelTrack attribution widget (the "Powered by PastelTrack" badge) is visible on the page. This compliance flag (wm_ok) is stored per visit and administrators can review the cumulative violation count for any site.

Free tier requirement: The PastelTrack watermark/attribution badge must remain visible on sites using the free tier. Removing or hiding the badge is a violation of these terms and may result in site removal. The number of violations is tracked and visible to administrators.

6. What we do not collect

Names, email addresses, or any personal identifiers from end visitors (only from verified site owners)
Location data beyond country level (no city, region, or GPS coordinates)
Device identifiers or fingerprints
Cookies — we set no cookies on visitors' browsers
Form submissions, keystrokes, or page interaction data
Purchase or financial data of any kind
Social media profiles or cross-site tracking data
Behavioral profiling or interest-based tracking

7. How data is stored

Aggregate visit data and visitor logs are stored in Google Firebase Realtime Database, hosted in the Asia-Southeast region. Data is accessed only via our Cloudflare Worker API, which requires a server-side authentication token — it is never exposed directly to the public.

Data retention

Visit counts & daily totals: Retained indefinitely so website owners can track long-term trends.
Recent visitor log: Retains only the last 20 entries. Older entries are automatically discarded.
Session hashes: Expire after 30 minutes of inactivity and are automatically pruned.
Online status map: Expires after 5 minutes of inactivity.
Login tokens: Magic links expire after 15 minutes. Owner access links expire after 30 days.
Pending verifications: Expire after 24 hours.
Invite tokens: Expire as set by the site owner (up to 168 hours).

We do not sell, share, trade, or transfer any data to third parties for commercial purposes.

8. Cookies & local storage

The PastelTrack widget does not set any cookies or use localStorage/sessionStorage on a visitor's browser. The widget makes a single POST request to our API to register the visit and retrieve the current count, then it's done — no persistent state is written to the browser.

The PastelTrack analytics dashboard (pasteltrack.minidu.lk) itself does not set tracking cookies. It reads data from our API using the site ID in the URL query string.

We use Google Analytics (gtag.js) on the PastelTrack landing page only. Google Analytics may set its own cookies as described in Google's Privacy Policy.

9. Third-party services

PastelTrack uses the following third-party services to operate:

Cloudflare Workers — Hosts our API. Cloudflare may log request metadata (IP addresses) for security and abuse prevention per their own privacy policy. We also use Cloudflare's CF-IPCountry header to determine visitor country.
Google Firebase — Stores aggregated visit data and visitor logs. Owner secrets and hashed secret keys are also stored here for authentication.
Google Fonts — Loads typography for the widget and dashboard. Google Fonts may log the request IP per Google's policy.
Google Analytics — Used on the PastelTrack landing page only, not on sites that embed our widget.
Resend — Used to send transactional emails (magic login links, secret key delivery, key rotation notices) to verified domain owners.

We are not responsible for the privacy practices of these third-party services. We encourage you to review their respective privacy policies.

10. For website owners using PastelTrack

If you embed the PastelTrack widget on your website, you are responsible for informing your visitors that their visit is being counted and that technical data may be collected. We recommend disclosing this in your own privacy policy.

Suggested disclosure text you may adapt:

"This site uses PastelTrack to count visitor traffic and display basic analytics. PastelTrack collects page URLs, referrer URLs, timestamps, IP addresses (visible only to the site owner and PastelTrack administrators), operating system, browser type, and country. No cookies are set. See PastelTrack's privacy policy for details."

Security recommendations

Keep your Secret Key safe. Anyone with your email + Secret Key can access your full analytics.
Rotate your Secret Key immediately if you suspect it has been compromised.
Read-only invite links expire automatically (up to 168 hours). Do not share owner access links publicly.
DNS TXT verification proves domain ownership. Keep your pasteltrack-owner=... TXT record active to maintain access.

Watermark requirement (free tier)

Sites using the free tier of PastelTrack must display the PastelTrack attribution badge ("Powered by PastelTrack") in a visible location on pages where the tracking widget is active. Hiding, removing, or obscuring this badge violates these terms. Violations are recorded automatically and may result in site removal.

11. Your rights

As a visitor to a site using PastelTrack, you have the following rights and options:

Opt-out: If you do not wish to be counted, disable JavaScript in your browser. Our widget requires JavaScript to function.
Data deletion: Because we do not link visits to personal identities, we cannot locate and delete individual visitor records by request. However, session data expires automatically after 30 minutes.

As a website owner:

Delete your data: You can request deletion of all aggregated data for your site ID by contacting us. We will remove it within a reasonable timeframe.
Rotate credentials: You can rotate your owner secret and Secret Key at any time from the dashboard settings.
Revoke access: You can delete invite links and owner access links at any time to revoke access.
Remove your site: You may contact us to have your site fully removed from the platform, including all stored data.

12. Changes to this policy

We may update this Privacy Policy and Terms of Use from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. When we do, we will update the "Last updated" date shown at the top of this page.

Continued use of the PastelTrack tracking snippet after policy changes have been posted constitutes your acceptance of those changes. We encourage you to review this policy periodically.

For significant changes that materially affect how we handle data or your rights as a site owner, we will make reasonable efforts to notify registered owners via the platform notice system.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or PastelTrack's data practices, please get in touch:

Get in touch

Questions about privacy, data deletion requests, or anything else — we're happy to help.

info@minidu.lk

Privacy Policy & Terms of Use