Trust, in one page.

Everything stored against a visitor record.

The complete list. If a field isn't mentioned below, we're not collecting it.

• Pageview URL + referrer
  So you can see where traffic comes from. Stripped of querystrings starting with `token`, `password`, `secret`, `apikey`.
• Anonymous visitor ID
  A random 64-bit string stored in `localStorage`. Never shared cross-site. Reset by clearing browser storage.
• Session ID
  A random short ID stored in `sessionStorage` for the duration of a tab. Drops the moment the tab closes.
• Country (from IP)
  Resolved server-side, then the IP is dropped. The IP itself is never stored on disk.
• Device, browser, OS
  Parsed from User-Agent at ingest. Generic categories only ("Desktop · Chrome · macOS"), never the full UA string.
• Page-load time + Web Vitals
  LCP, CLS, INP, FCP, TTFB via the public PerformanceObserver API. No DOM snapshots.
• Click target metadata
  The clicked element's tag, ARIA label, visible text (truncated to 80 chars), CSS selector and click coordinates as percentages of the viewport.
• JavaScript errors
  message + filename + line/column + stack trace. Used for the dev panel.
• Identify payload (only if you call it)
  Whatever your code passes to `identify(email, props)` — entirely under your control. We never auto-fill this.

The stuff most analytics tools quietly do — that we don't.

• ❌ Visitor IP addresses on disk
  IPs are seen by the server only long enough to resolve country, then discarded. They are not in the database, not in the logs we retain.
• ❌ Persistent cookies
  No cookies for tracking. The visitor ID is stored in `localStorage`, the session ID in `sessionStorage`. You do not need a cookie banner for Clycyo alone.
• ❌ Browser fingerprinting
  No canvas hash, no audio fingerprint, no font enumeration, no `clientId`-style cross-site identifier.
• ❌ Cross-site tracking
  Each website has its own isolated visitor space. A visitor on `site-a.com` and `site-b.com` is two independent records, even on the same browser.
• ❌ Form input values
  Click events capture the visible text of the clicked element only. We never read the contents of `<input>`, `<textarea>` or contenteditable fields.
• ❌ Session recordings or DOM snapshots
  No replay of pixels. The "replay" in the dev tab is a synthetic reconstruction from the click + pageview events, never a screen recording.
• ❌ Selling, sharing, ML-training on your data
  Your data is your data. We do not have an ad business. We do not feed customer data into model training.

Five vendors. All disclosed.

Every third party that ever touches a byte of your data. We notify you 30 days before adding any new sub-processor.

The boring, important stuff.

Embed the “Tracked by Clycyo · no cookies” badge.

A small, animated badge for your footer or status page. Tells visitors that you respect their privacy — and gives Clycyo a friendly backlink. Zero JavaScript, zero tracking, just an SVG link.

<a href="https://clycyo.com" target="_blank" rel="noopener" aria-label="Tracked by Clycyo — no cookies">
  <img src="https://clycyo.com/badge-dark.svg" alt="Tracked by Clycyo · no cookies" width="200" height="36" />
</a>

<a href="https://clycyo.com" target="_blank" rel="noopener" aria-label="Tracked by Clycyo — no cookies">
  <img src="https://clycyo.com/badge-light.svg" alt="Tracked by Clycyo · no cookies" width="200" height="36" />
</a>

[![Tracked by Clycyo · no cookies](https://clycyo.com/badge-dark.svg)](https://clycyo.com)

The tracker. 1.1 KB gzipped. No cookies. No banner.

Drop this once in your <head>. Replace YOUR_TRACKING_ID with the UUID you get after creating a site at /register.

<!-- Clycyo · privacy-first analytics, no cookie banner required -->
<script async defer
  src="https://clycyo.com/tracker.js"
  data-tracking-id="YOUR_TRACKING_ID"></script>