Sign inCreate Free Account
Privacy

Privacy Policy

How UserTrail collects, uses, and protects information across our website, dashboard, and analytics platform.

Last updated: June 6, 2026

Overview

This Privacy Policy explains how UserTrail collects, uses, stores, and protects information when you use our website, dashboard, tracking script, and related services.

UserTrail provides website analytics tools such as heatmaps, session replay, funnels, journeys, forms, and surveys. Customers are responsible for telling their own visitors how they use UserTrail on their websites.

Information we collect

  • Account information such as name, email address, authentication details, and site/team membership.
  • Site information such as website domain, tracking settings, team permissions, and configuration choices.
  • Usage information from the dashboard, including pages accessed, product actions, support requests, and diagnostic logs.
  • Visitor behaviour data collected through the tracking script, which may include page URLs, clicks, scroll depth, movement samples, device/browser metadata, approximate city/country derived from IP address, session identifiers, survey responses, and form interaction metadata.
  • Contact information and message content when you contact us or submit support requests.

Information we avoid collecting

  • Passwords and payment fields should not be collected by the tracking script.
  • Customers can mark private elements or fields for masking.
  • We aim to minimise collection of direct personal data where behavioural analytics can work without it.

How we use information

  • Provide, secure, and improve the UserTrail service.
  • Process analytics events and generate reports for customers.
  • Manage accounts, authentication, teams, billing, and support.
  • Detect abuse, troubleshoot errors, and protect platform reliability.
  • Communicate service updates, support responses, and important account information.

GDPR roles and customer responsibilities

For visitor analytics collected on customer websites, the customer is typically the controller and UserTrail acts as a processor. For UserTrail account, billing, security, product usage, and support data, UserTrail may act as an independent controller.

  • Customers are responsible for identifying and documenting the lawful basis for using UserTrail on their websites.
  • Customers are responsible for providing clear privacy notices to visitors.
  • Customers should obtain consent before non-essential analytics or tracking where required.
  • Customers should configure masking, private-element exclusions, retention, and access controls before collecting production visitor data.
  • Customers are responsible for responding to visitor data rights requests where they are the controller.

Data Processing Agreement

The UserTrail Data Processing Agreement is incorporated into the UserTrail subscription terms where a customer uses UserTrail to process personal data from website visitors.

UserTrail processes customer personal data only to provide the service, follow customer configuration, comply with applicable law, protect the service, and fulfil written customer instructions.

  • Customer personal data may include website interaction data, page URLs, clicks, scroll depth, movement samples, session identifiers, device/browser metadata, timestamps, referrers, customer-configured survey responses, and form interaction metadata.
  • UserTrail uses reasonable technical and organisational measures intended to protect confidentiality, integrity, and availability.
  • Authentication and role-based permissions restrict dashboard access.
  • Staff do not have direct access to customer data as part of normal operations.
  • Database backups are performed daily.
  • On termination or written request, UserTrail will delete or return customer personal data where technically feasible, subject to legal obligations, security logs, backups, and legitimate retention needs.

Cookies and tracking

UserTrail may use cookies or similar technologies for authentication, security, preferences, analytics, and tracking functionality. Non-essential visitor analytics may require consent depending on applicable law and customer configuration.

Sharing and subprocessors

We may share information with infrastructure, hosting, email, security, payment, and support providers where needed to operate the service. We do not sell personal data.

Current subprocessors include DigitalOcean for cloud servers, object storage, managed infrastructure, and database/storage hosting; Private Email for email hosting and message delivery; and Stripe for payment processing, billing, invoices, payment method handling, fraud prevention, and related payment services.

UserTrail may update subprocessors when providers are added, replaced, or removed. When subprocessor information changes, UserTrail will send customers an email notice that this Privacy Policy has been updated.

International transfers

Personal data may be processed in locations where UserTrail, its infrastructure providers, or subprocessors operate. Transfer requirements depend on where customers, visitors, UserTrail infrastructure, and subprocessors are located.

Where required, UserTrail will rely on applicable safeguards such as adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, and supplementary technical and organisational measures.

Customers should assess whether visitor data transferred through UserTrail creates restricted transfer obligations and should avoid sending sensitive or unnecessary personal data through UserTrail.

Security and incident response

  • Access to dashboard data is authenticated.
  • Team permissions restrict who can read, write, administer, or own a site.
  • Infrastructure should be configured with internal-only databases, protected secrets, and least-privilege access.
  • Production access is limited to operational needs and should follow least-privilege controls.
  • UserTrail follows a standard incident response process: identify and triage the issue, contain the incident, investigate scope and impact, remediate the cause, restore normal service, document findings, and improve controls.
  • Where a personal data breach is confirmed, UserTrail assesses whether notification is legally required and will notify affected customers without undue delay where UserTrail acts as processor.

Retention

We keep information for as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Customers should configure and document appropriate retention periods for visitor analytics data.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or receive a copy of your personal data. To make a request, contact us at info@usertrail.io.

Contact

If you have privacy questions, contact UserTrail at info@usertrail.io.