Privacy Policy

Effective date: 26 February 2026
Last updated: 26 February 2026
Version: 1.0

Summary

CompactSaaS provides web analytics and related services to businesses ("Customers"). Our Customers add a tracking script to their websites, and we collect data about their website visitors ("End Users") to provide analytics dashboards and reports.

This policy covers:

Customers — people who create a CompactSaaS account and use our dashboard
End Users — visitors to our Customers' websites whose activity is collected by our analytics service

We collect the minimum data necessary to provide our services. We do not sell personal information. We do not use cookies for tracking. We do not collect form inputs or passwords from End Users.

Key facts:

End User IP addresses are never stored — they are used only to generate a hashed session identifier and are then discarded
Analytics data is stored in the United States (AWS us-east-1 region)
End User analytics data is automatically deleted after 90 days by default
You can contact us at privacy@compactsaas.com for any privacy enquiry

1. Who we are

CompactSaaS is operated by Compact SaaS Pty Ltd (ABN 75 680 223 965, ACN 680 223 965). Our contact details for privacy enquiries are:

Email: privacy@compactsaas.com
Postal address: 81-83 Campbell Street, Surry Hills NSW 2010, Australia

In this policy, "we", "us", and "our" refers to CompactSaaS. "You" refers to either a Customer or an End User, depending on context.

2. Personal information we collect

2.1 Information about Customers (account holders)

When you create a CompactSaaS account, we collect:

Information	Purpose	Source
Email address	Account authentication, billing notifications, service communications	Provided by you during sign-up
Name (contact name or team display name)	Account identification, billing records	Provided by you during onboarding
Phone number (optional)	Account contact	Provided by you during onboarding
Country and industry	Business classification for billing	Provided by you during onboarding
Company size	Business classification	Provided by you during onboarding
Tax ID (e.g. ABN)	Tax compliance, invoicing	Provided by you during onboarding
Billing address	Invoicing, tax calculation	Provided by you during onboarding
Payment method details	Processing payments	Collected by Stripe (our payment processor) — we do not store card numbers

We also generate and store:

A unique team identifier and user identifier
Subscription status and billing cycle information
API keys (stored as SHA-256 hashes only — the plaintext key is shown once at creation and never stored)

2.2 Information about End Users (website visitors)

When an End User visits a Customer's website that has our tracking script installed, we collect:

Information	Purpose	Stored?
IP address	Used solely to generate a hashed session identifier	No — discarded immediately after hashing, never written to our database
Page URL and page title	Analytics (which pages are visited)	Yes — retained per retention policy
Referrer URL	Analytics (where visitors came from)	Yes
User agent string	Browser, operating system, and device type detection	Yes
Screen resolution	Device analytics	Yes
Browser language	Language analytics	Yes
Country, region, and city	Geographic analytics	Yes — derived from CloudFront edge headers, not from IP address lookups
UTM parameters	Marketing campaign attribution	Yes, if present in the URL
Custom event name and event data	Custom analytics events defined by the Customer	Yes — event names truncated to 100 characters, data values to 500 characters

What we do NOT collect from End Users:

We do not use cookies, localStorage, or any browser-based persistent identifiers
We do not collect form inputs, passwords, search queries typed into forms, or any text entered by the End User
We do not collect email addresses, names, or any directly identifying information about End Users
We do not fingerprint devices beyond the user agent string
We do not track End Users across different Customers' websites
We do not collect sensitive information (health, political, religious, ethnic, or sexual orientation data)

2.3 Session identification

We generate a session identifier by computing a SHA-256 hash of the website ID, IP address, user agent, and a monthly rotating salt. This produces a pseudonymous identifier that cannot be reversed to recover the original IP address. The salt rotates monthly, so the same visitor produces a different session identifier each month.

2.4 Automatically collected technical information

When Customers use our dashboard or API, our infrastructure automatically logs:

Request timestamps and HTTP method/path (in AWS CloudWatch Logs)
Error information when something goes wrong (sent to our self-hosted error tracking service)

3. How we collect personal information

3.1 Directly from Customers

We collect Customer information when you:

Create an account (email, password — managed by AWS Cognito)
Complete your business profile (name, phone, country, industry, company size, tax ID, billing address)
Add a payment method (handled by Stripe — we receive a token, not card details)
Contact us for support

3.2 From End Users via the tracking script

Our Customers install a JavaScript tracking script on their websites. When an End User loads a page, the script sends a request to our tracking endpoint containing the data described in Section 2.2.

The tracking script:

Runs only on page load and navigation events (or when the Customer triggers a custom event)
Does not set cookies or use localStorage
Does not read or transmit form field values
Does not access the DOM beyond the page URL, title, and referrer
Can be blocked by standard ad blockers or browser privacy settings

3.3 From third parties

AWS CloudFront provides geographic location (country, region, city) based on the End User's IP address at the network edge. We receive only the resolved location, not the IP address used to determine it.
Stripe provides payment status, subscription events, and invoice data via webhooks. Stripe's handling of payment information is governed by Stripe's privacy policy.

4. How we hold and protect personal information

4.1 Storage location

All data is stored in Amazon Web Services (AWS) infrastructure in the us-east-1 (Northern Virginia, United States) region. This means personal information about both Customers and End Users is transferred to and stored in the United States.

See Section 7 for more information about overseas disclosure.

4.2 Security measures

We implement the following security controls:

Encryption at rest: All databases (DynamoDB) are encrypted using AWS Key Management Service (KMS). Archival storage (S3) uses dedicated KMS encryption keys.
Encryption in transit: All data transmission uses TLS (HTTPS). Our tracking endpoint, dashboard, and APIs all require HTTPS.
Access control: Customer authentication uses AWS Cognito with optional multi-factor authentication (TOTP). API access uses SHA-256 hashed API keys. Administrative access requires a super-admin role.
Cross-account isolation: Our CI/CD pipeline, staging environment, and production environment run in separate AWS accounts with cross-account IAM roles and external ID verification.
S3 bucket security: All S3 buckets block public access and have versioning enabled.
Tenant isolation: Each Customer's analytics data is partitioned by team ID in our database. Customers cannot access other Customers' data. API key authentication enforces tenant boundaries at the authoriser level.

4.3 Data retention

Data type	Retention period	Deletion method
End User analytics events	90 days by default (configurable per website)	Automatic DynamoDB TTL expiration
End User analytics rollups (aggregated daily summaries)	Indefinite (no individual-level data)	N/A — contains only aggregate counts
End User sessions	90 days (follows event retention)	Automatic DynamoDB TTL expiration
Customer account data	Retained while account is active	Deleted on account closure
Billing and usage records	13 months	Automatic TTL expiration
Tax and invoice records	7 years (tax compliance)	Automatic TTL expiration
API keys	Retained until revoked by Customer	Customer-initiated deletion

When analytics events expire, they are permanently deleted from our database. For websites with unlimited retention, raw events are archived to encrypted S3 storage (AWS KMS) before deletion from the primary database.

5. Purposes for collection, use, and disclosure

5.1 Customer information

We collect, use, and hold Customer information for the following purposes:

Providing our service: Account authentication, dashboard access, API access, analytics processing
Billing: Creating and managing subscriptions, processing payments, generating invoices, usage metering (via Stripe)
Service communications: Sending verification codes, password resets, team invitations, anomaly alerts, and billing notifications (via AWS SES)
Support: Responding to enquiries and resolving issues
Security: Detecting and preventing unauthorised access, fraud, and abuse
Legal compliance: Tax reporting, responding to lawful requests

We do not use Customer information for marketing purposes beyond service-related communications. We do not sell Customer information.

5.2 End User information

We collect and use End User information solely to provide analytics services to our Customers. Specifically:

Analytics processing: Counting page views, tracking sessions, calculating bounce rates, identifying traffic sources, generating geographic and device breakdowns
Real-time metrics: Showing active visitors and current pages (data retained for 1 hour in our real-time cache)
Usage metering: Counting page views and events for billing purposes (we count the number of events, not the content)

We do not:

Use End User data for our own marketing or advertising
Build profiles of End Users across different Customers' websites
Sell, rent, or trade End User data
Use End User data for any purpose other than providing analytics to the Customer whose website the End User visited

5.3 Disclosure to third parties

We disclose personal information to the following categories of recipients:

Recipient	Information shared	Purpose	Location
Amazon Web Services (AWS)	All data (as infrastructure provider)	Hosting, compute, storage, email delivery	United States (us-east-1)
Stripe	Customer name, email, team ID, tax ID, billing address, payment method	Payment processing, subscription management, invoicing	United States

We do not disclose End User analytics data to any third party. Analytics data is only accessible to the Customer who owns the website.

We may disclose personal information if required by law, regulation, or legal process (such as a court order or lawful request from a government authority).

6. Accessing and correcting your personal information

6.1 Customers

You have the right to request access to the personal information we hold about you, and to request correction of any information that is inaccurate, out of date, incomplete, or misleading.

To make a request, contact us at privacy@compactsaas.com. We will respond within 30 days.

You can also directly access and update much of your information through the CompactSaaS dashboard:

Account profile and contact details
Business classification and tax ID
Billing address
Team members and their roles
API keys (create, view metadata, revoke)

6.2 End Users

If you are an End User and wish to access or correct personal information we hold about you, please contact us at privacy@compactsaas.com. Because we do not collect directly identifying information about End Users (no names, emails, or accounts), we may need to work with the relevant Customer to identify the data associated with your visit.

Note that our analytics data is pseudonymous — session identifiers are hashed and cannot be reversed to identify you. Geographic data is approximate (city-level at most). We do not hold enough information to identify a specific individual from our analytics data alone.

6.3 Refusal of access

We may refuse access to personal information in limited circumstances permitted by the Privacy Act, such as where providing access would pose a serious threat to the life or health of any individual, or would unreasonably impact the privacy of other individuals. If we refuse a request, we will provide written reasons.

7. Overseas disclosure

All personal information we collect is stored and processed in the United States (AWS us-east-1 region, Northern Virginia). This applies to both Customer account data and End User analytics data.

Our third-party service providers are located in:

Provider	Country	Safeguards
Amazon Web Services	United States	AWS Data Processing Addendum; SOC 2, ISO 27001 certified
Stripe	United States	Stripe Data Processing Agreement; PCI DSS Level 1 certified

We rely on contractual controls (data processing addendums) with our infrastructure providers to ensure that personal information is handled consistently with the Australian Privacy Principles.

If you are located in Australia, your personal information will be transferred to the United States when you use our service. By using CompactSaaS, you acknowledge this transfer. If you are a Customer deploying our tracking script on a website with Australian visitors, you should disclose this overseas transfer in your own privacy policy and collection notices.

8. Complaints

If you believe we have breached the Australian Privacy Principles or handled your personal information inappropriately, you can make a complaint by contacting us at:

Email: privacy@compactsaas.com
Postal address: 81-83 Campbell Street, Surry Hills NSW 2010, Australia

We will:

Acknowledge your complaint within 5 business days
Investigate the complaint and provide a response within 30 days
If we cannot resolve the complaint within 30 days, we will inform you of the reason for the delay and provide an expected timeframe

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Postal address: GPO Box 5218, Sydney NSW 2001

9. Our Customers' obligations

CompactSaaS acts as a data processor on behalf of our Customers. Our Customers are data controllers who determine the purpose of collecting analytics data about their End Users.

If you are a CompactSaaS Customer, you are responsible for:

Including information about your use of CompactSaaS in your own privacy policy
Providing appropriate collection notices to your End Users (such as cookie banners or privacy notices) that disclose the use of third-party analytics
Ensuring that your use of our analytics service complies with applicable privacy laws in your jurisdiction
Notifying us if you deploy our tracking script on a website that may collect sensitive information (such as a health, counselling, or religious services website)

If you deploy our tracking script on a website where the subject matter could reveal sensitive information about visitors (for example, a mental health service), you should obtain express consent from your End Users before enabling analytics tracking, as the mere act of visiting such a website may constitute sensitive information under the Privacy Act.

10. Cookies and tracking technologies

CompactSaaS does not use cookies for analytics tracking.

Our tracking script does not set cookies, use localStorage, use sessionStorage, or use any other browser-based persistent storage mechanism. Each page view is an independent request. Session identification is performed server-side using a hash of the visitor's IP address and user agent (see Section 2.3).

Our Customer dashboard (the CompactSaaS web application) uses standard authentication cookies managed by AWS Cognito for maintaining your login session. These are strictly necessary for the functioning of the dashboard and are not used for tracking or analytics purposes.

11. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this policy
Notify Customers via email or dashboard notification for significant changes

We encourage you to review this policy periodically.

12. How to contact us

For any questions, concerns, or requests related to this privacy policy or our handling of personal information:

Email: privacy@compactsaas.com
Postal address: 81-83 Campbell Street, Surry Hills NSW 2010, Australia

This privacy policy was last reviewed on 26 February 2026. It applies to the CompactSaaS service operated by Compact SaaS Pty Ltd (ABN 75 680 223 965).