HTMLRadar · Hosted service
Privacy.
How HTMLRadar handles the data it collects. This policy applies to the hosted version at htmlradar.com. If you self-host, you own the data and write your own policy.
What we collect
When a recipient opens a tracked share, we record:
- The email address they enter at the gate, if the share requires one.
- A random fingerprint — a UUID we generate and store in their browser's localStorage. No cross-site value.
- Session metrics: start time, total active time, max scroll depth, sections read with dwell.
- Coarse network metadata: IP-derived country and city (we never store the IP itself), device / OS / browser from the user-agent, referrer URL.
We don't collect keystrokes, mouse positions, third-party trackers, anything from outside the document, or anything that identifies the recipient beyond the email they provided.
What we collect when you use the app yourself
Separately from the share-tracking above, the hosted app records a small amount of first-party usage data so we can fix bugs and understand which features get used:
- Product events — when you sign in, upload a document, create or revoke a share, hit the free-tier cap, view the upgrade page, click a CTA, or submit feedback. Stored in a table called app_events. Schema is PostHog-compatible — if we wire PostHog later, we'll port this table over.
- Page views — when your browser loads a page on htmlradar.com. We store the path, referrer, and a random fingerprint (anonymous, generated client-side, never linked to your email unless you're signed in).
- Crash + error reports — when JavaScript on a page throws an error, we capture the message + stack to an error_log table so we can fix it. We do not use Sentry or any third-party error service.
- Feedback — anything you submit through /feedback is stored in a feedback table and emailed directly to the founder. Email field is optional.
No third-party trackers (no Google Analytics, no Segment, no Mixpanel). No advertising cookies. No session replay.
Where data lives
- Document HTML you upload — Cloudflare R2, encrypted at rest in the region of your bucket.
- All other data — Supabase Postgres, encrypted at rest.
Who can see your data
Only the document owner can see analytics about their shares. Postgres Row Level Security enforces this at the database layer — an authenticated user querying directly cannot see another user's data.
Operators of the hosted service have technical access to the underlying database for support and abuse investigation. Access is logged and limited.
Data retention
Sessions and section events are retained for 365 days by default. You can configure shorter retention per document. Deleting a document removes all of its sessions, section events, and uploaded HTML within 24 hours.
Right to delete
Recipients can have their data removed by emailing privacy@htmlradar.com with their email address. All viewer rows and associated sessions linked to that email are removed within 14 days.
Opt out
A recipient can opt out of tracking by calling window.HTMLRadar.optOut() in the browser console of any tracked page. The opt-out persists in their localStorage and applies to every HTMLRadar link they open in that browser afterwards.
Cookies
The hosted service uses session cookies for authentication, set when you sign in. Tracked share links may set a temporary cookie when a password is required, scoped to that share. No third-party analytics or advertising cookies.
Open source
HTMLRadar is AGPL-3.0 open source. You can audit exactly what the tracker collects and how it's transmitted at github.com/htmlradar/htmlradar.