Skip to main content

Legal

Privacy Policy

How leatmap collects, uses, and protects personal data, in line with the GDPR.

Last updated:

On this page

1. Introduction & Data Controller

leatmap is a privacy-first product analytics platform. We take data protection seriously because the product itself exists to give operators a path to compliant analytics. This Privacy Policy explains what personal data we collect about you, why we collect it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation (“GDPR”).

Data controller.leatmap is a service operated by SYNTARIE TECH (KvK 90708830, BTW NL004834843B07), a sole proprietorship registered in the Netherlands at van Randwijcklaan 47 C, 3814 AC Amersfoort. SYNTARIE TECH (“we”, “us”, “our”) is the data controller for account data, billing metadata, and service usage data described below. You can reach our privacy team at privacy@leatmap.com.

For Events tracked via the leatmap SDK on a customer’s own site or app:the customer (the operator of that site or app) is the data controller. leatmap acts as the data processor on the customer’s behalf under GDPR Art. 28, governed by our Data Processing Addendum. End users with privacy questions about data collected on a third-party site should contact the operator of that site directly.

2. What Data We Collect

We collect the minimum data necessary to operate the Service. We do not buy or rent personal data from third parties.

Account data

  • your email address;
  • your full name (optional, used in the dashboard UI);
  • authentication credentials (handled via Supabase Auth — we never store plaintext passwords; magic-link tokens are short-lived and single-use);
  • profile preferences (theme, locale, timezone).

Workspace metadata

  • workspace name, slug, and creation date;
  • plan (Hobby / Pro / Business) and billing cadence;
  • workspace member roles and permissions;
  • retention and consent-mode configuration you set.

Billing metadata

Paid Plans are processed by Paddle as Merchant of Record (see section 5). We never see or store your full payment card number or bank details. We receive from Paddle:

  • subscription identifiers, status (active, past-due, cancelled), renewal date, and price;
  • payment metadata sufficient to display your invoice history (e.g., last 4 digits of card, brand, expiration month/year), the country of your billing address, and the transaction currency;
  • tax identifiers (e.g., VAT number) you provide to Paddle for B2B invoicing.

Service usage and operational data

  • server logs from the dashboard, marketing site, and collector (HTTP method, path, status code, IP address, user agent, timestamp), retained for short windows for security and debugging;
  • error reports and stack traces sent to Sentry, scrubbed of obvious personal data on the server before storage;
  • API key usage counts and rate-limiting state.

Marketing site analytics

We use leatmap on leatmap.com itself — we eat our own dogfood. The SDK records page views and a small set of essential UI events (e.g., “clicked pricing CTA”) only after you accept the consent banner. If you decline or ignore the banner, no non-essential analytics events are sent. Vercel also collects aggregated, non-personal Web Vitals data on our marketing site for performance monitoring.

Under GDPR Art. 6, we process personal data on these legal bases:

  • Performance of a contract (Art. 6(1)(b)) — to create and maintain your account, provide the Service, process subscriptions, and communicate about Service operations.
  • Legitimate interests (Art. 6(1)(f)) — to secure our infrastructure, detect and prevent fraud and abuse, debug errors, measure aggregate product usage to inform improvements, and respond to support requests. We have weighed these interests against your rights and freedoms and concluded the processing is proportionate.
  • Consent (Art. 6(1)(a)) — for non-essential marketing-site analytics, optional product newsletters, and telemetry that goes beyond what is strictly necessary. You can withdraw consent at any time from the cookie banner re-open link in the footer or via account settings, with no penalty.
  • Legal obligation (Art. 6(1)(c)) — to retain billing records under Dutch tax law (see section 7) and to respond to lawful requests from authorities.

4. How We Use It

  • to authenticate you and provide access to the dashboard, SDK credentials, and tracked properties under your Workspace;
  • to bill you for Paid Plans through Paddle and reconcile subscriptions;
  • to send transactional email — sign-in links, payment receipts, renewal notices, security alerts, and material policy changes — which you cannot opt out of without closing your account, since these are necessary to operate the Service;
  • to provide customer support when you contact us at the addresses in section 14;
  • to monitor, secure, and improve the Service, including detecting abuse and debugging incidents;
  • to comply with applicable laws and to defend or enforce legal rights in connection with the Service.

5. Sharing & Sub-processors

We do not sell personal data. We share personal data with the sub-processors listed below, each of whom processes data on our instructions and under a data-processing agreement that meets GDPR requirements. We review this list as our infrastructure evolves and notify customers in advance of any material change.

Paddle.com Market Limited
Payment processing, subscription management, tax calculation, and Merchant of Record. Established in the United Kingdom; processes billing data on our behalf and as Merchant of Record under its own controller-status for the payment relationship.
Supabase Inc.
Authentication and database hosting (Postgres). The leatmap dashboard and account data run in Supabase’s EU region (eu-central-1, Frankfurt). Supabase is established in the United States; cross-border transfers are governed by the EU Standard Contractual Clauses.
Fly.io Inc.
Hosting for the leatmap collector (Rust ingest service). Our primary collector region is Amsterdam (ams), keeping Event ingestion within the EU. Fly.io is established in the United States; cross-border transfers are governed by the EU Standard Contractual Clauses.
Vercel Inc.
Hosting for the marketing site (leatmap.com) and dashboard frontend (app.leatmap.com), plus aggregated Web Vitals for performance monitoring. Vercel is established in the United States; we use EU-region serverless functions where available and cross-border transfers are governed by the EU Standard Contractual Clauses.
Functional Software Inc. (Sentry)
Error and performance monitoring for the dashboard, marketing site, and collector. Stack traces are scrubbed server-side before submission. Sentry is established in the United States; cross-border transfers are governed by the EU Standard Contractual Clauses.
Resend (Resend, Inc.)
Transactional email delivery (sign-in links, billing notices, security alerts). Resend is established in the United States; cross-border transfers are governed by the EU Standard Contractual Clauses.

We do not use sub-processors to perform automated decision-making with legal or similarly significant effects on you (GDPR Art. 22).

6. International Transfers

Where personal data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (decision 2021/914) supplemented, where appropriate, by additional technical and organisational measures such as encryption in transit and at rest. We do not transfer personal data to jurisdictions that lack an adequacy decision without these safeguards.

7. Data Retention

  • Account data — retained while your account is active. After account closure or subscription termination, retained for an additional 90 days to allow reactivation, then deleted or anonymised.
  • Workspace metadata — retained while the workspace exists and for 30 days after deletion to allow accidental-deletion recovery, then permanently removed.
  • Customer Event data — retained per the retention window configured for the Workspace (default: 30 days on Hobby, 1 year on Pro, 5 years on Business). When a workspace is deleted, Event data is removed within 30 days.
  • Billing records and invoices — retained for seven (7) years from the end of the year in which they were issued, as required by Dutch tax law (Algemene Wet inzake Rijksbelastingen, art. 52).
  • Server logs — retained for 30 days for security and debugging, then deleted.
  • Sentry error reports — retained for 90 days, then deleted.
  • Support correspondence — retained for 24 months from last contact.

8. Your Rights (GDPR Art. 15-22)

You have the following rights with respect to your personal data:

  • Access (Art. 15) — request a copy of the personal data we hold about you;
  • Rectification (Art. 16) — correct inaccurate or incomplete data;
  • Erasure (Art. 17) — request deletion, subject to legal-retention obligations (e.g., billing records);
  • Restriction (Art. 18) — request that we limit processing in specific circumstances;
  • Portability (Art. 20) — receive your data in a structured, machine-readable format, or have it transmitted to another controller where technically feasible;
  • Objection (Art. 21) — object to processing based on legitimate interests, including profiling;
  • Withdraw consent (Art. 7(3)) — for any processing based on consent, at any time, without affecting the lawfulness of prior processing.

To exercise any of these rights, email privacy@leatmap.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). There is no fee for reasonable requests; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests, with explanation.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (opens in new tab). We would, however, appreciate the opportunity to address your concerns first.

9. Children’s Privacy

The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of 16. If you become aware that a child has provided personal data to us, please contact privacy@leatmap.com and we will take prompt steps to delete it.

10. Cookies

We use a small set of cookies and similar technologies. The table below describes what each one does and whether it is essential to the operation of the Service.

Session cookie
Essential. Set when you sign in to the dashboard. Used to keep you authenticated across page loads. HttpOnly, Secure, SameSite strict. Expires when your session expires.
CSRF token
Essential. Set on form pages to prevent cross-site request forgery. HttpOnly, Secure, SameSite strict. Per-request.
Consent state
Essential. Records your choice on the consent banner so we do not re-prompt. Stored in localStorage where supported, otherwise in a cookie. 12 months.
Analytics (leatmap)
Consent-gated. Set only after you accept analytics on the consent banner. Records anonymised page views and a small set of UI events on the marketing site. No cross-site tracking. Up to 12 months.

You can clear cookies at any time from your browser’s privacy settings or via the consent banner re-open link in our footer. Blocking essential cookies will prevent you from signing in.

11. Security

  • all traffic to leatmap services is served over TLS 1.2 or higher;
  • data at rest in our Postgres database is encrypted using AES-256;
  • row-level security (RLS) is enforced on all tenant data, with access scoped to authenticated workspace membership;
  • two-factor authentication (TOTP) is available on all Accounts and recommended for billing administrators;
  • access to production systems is restricted to a small number of named operators with audited credential vaulting and 2FA required;
  • we run automated security scanning on dependencies and commit a fixed bill of materials per release.

12. Breach Notification

In the event of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware of the breach, in line with GDPR Art. 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay per GDPR Art. 34, with the information required by Art. 34(2).

13. Changes to This Policy

We may update this Privacy Policy from time to time as our service and the regulatory environment evolve. For material changes, we will notify the billing contact by email and display an in-product banner at least 30 days before the new version takes effect. Minor edits (typos, clarifications, sub-processor additions of a similar kind) will be reflected by updating the “Last updated” date at the top of this page.

14. Contact

For privacy questions, to exercise your GDPR rights, or to report a suspected breach, contact us at privacy@leatmap.com.

Postal address: SYNTARIE TECH (leatmap), van Randwijcklaan 47 C, 3814 AC Amersfoort, the Netherlands.

leatmap is below the threshold for mandatory designation of a Data Protection Officer under GDPR Art. 37, but the privacy contact above serves as your single point of contact for all data protection matters.