Privacy Policy

Traffic Lens (“Traffic Lens,” “we,” “us”) is a live web-traffic analytics product operated by Crocent International. Our web dashboard is at www.trafficlens.app and our mobile companion app is published on the Apple App Store and Google Play Store as “Traffic Lens.”

This policy explains what personal information we collect, how we use it, who we share it with, and the choices and rights you have. It applies to three distinct groups:

• Account holders — people who sign up and log in to the dashboard or mobile app to view their traffic data.
• Mobile app users — same individuals as above, accessing Traffic Lens through our iOS or Android app.
• Website visitors — visitors of third-party websites that have installed the Traffic Lens tracker. We process this data on behalf of the website operator (our customer), who is the data controller.

2.1 From account holders and mobile app users

• Account credentials — email address, password (stored as a salted hash by our auth provider), and the company you belong to.
• Profile data — display name, role within your company, and per-user preferences (saved filters, pinned sites, etc.).
• Authentication metadata — sign-in timestamps, IP address of the sign-in attempt, and device/browser identifier — used to detect suspicious activity.
• Diagnostic data — when an unhandled error occurs in the mobile app, we send a crash report (stack trace, OS version, device model, anonymous installation ID) to our error-monitoring provider so we can fix bugs. No screenshots, page contents, or visitor data are included in crash reports.

2.2 From visitors of websites running our tracker

When the Traffic Lens snippet is installed on a third-party website, the snippet sends the following information to our servers each time a visitor loads a page:

• IP address — used to derive coarse geolocation (country, region, city) and to deduplicate sessions. The full IP address is stored.
• User-agent string — to identify browser, OS, and device type, and to filter known bot traffic.
• Referrer URL and UTM parameters — to attribute traffic to its source.
• Page URL and pathname — to compute top-pages and journey metrics.
• An anonymous visitor identifier derived from the IP + user-agent — used to recognise returning visitors within a session window. This identifier is not linked to a real-world identity.
• Session timing — first-seen / last-seen timestamps, dwell time per page.

The tracker does not use third-party cookies, does not read or write the browser fingerprint APIs (Canvas, WebGL, AudioContext), and does not use cross-site identifiers. It does not access form fields, credit-card data, or anything typed by the visitor.

• To provide the dashboard and mobile-app product features (showing traffic, computing analytics, generating reports).
• To authenticate you and keep your account secure.
• To detect and filter automated bot traffic so the metrics our customers see reflect real visitors.
• To diagnose crashes and errors and improve product reliability.
• To respond to support requests and communicate service-related changes.

We do not sell personal information. We do not use your data to train machine-learning models for unrelated purposes. We do not advertise to you based on your traffic data.

• Contract — processing necessary to provide the service you signed up for (account data, dashboards).
• Legitimate interests — fraud prevention, bot filtering, error diagnostics, product improvement.
• Consent — where required by law for visitor tracking, the website operator running the snippet is responsible for obtaining the visitor’s consent before the snippet loads.

We share data only with vendors that help us run the service:

• Supabase (database, auth, edge functions) — hosts the production database and authentication. Servers in the AWS Mumbai region (ap-south-1).
• Vercel (web hosting and edge CDN) — serves the dashboard and the website tracker.
• Sentry (mobile-app error monitoring) — receives crash reports as described in §2.1.
• Apple and Google — as the app-store operators where the mobile app is distributed.

We will disclose information when we are legally required to (e.g. valid subpoena, court order). We do not sell or rent personal information to data brokers or advertisers.

Our infrastructure is in India and the United States. If you access Traffic Lens from outside those jurisdictions, your data will be transferred internationally. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.

• Account data — retained while the account is active. Deleted within 30 days of account deletion.
• Visitor session data — retained for as long as the website operator continues their subscription, plus a short rolling window for analytics back-fill. Aggregated metrics may be retained longer in anonymised form.
• Crash reports — retained for 90 days.
• Backups — encrypted backups are retained for up to 30 days.

Depending on your jurisdiction (notably the EEA, UK, California, Brazil, India), you may have the right to:

• Access the personal data we hold about you and receive a copy.
• Correct inaccurate or incomplete data.
• Delete your account and the personal data associated with it.
• Object to or restrict certain types of processing.
• Withdraw consent (where processing is based on consent).
• Lodge a complaint with your local supervisory authority.

To exercise these rights, account holders can use the in-app account-deletion control or email us at the address in §11. Visitors of websites running the tracker should contact the website operator first — they are the data controller.

We use TLS for all data in transit and at-rest encryption for database and backup storage. Access to production systems is limited to a small number of engineers using individual credentials with multi-factor authentication. Row-level security policies on the database isolate each customer’s data from every other customer.

No system is perfectly secure; if we ever experience a breach that affects you, we will notify you in line with applicable law.

Traffic Lens is a B2B product not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has given us personal information, email us and we will delete it.

We may update this policy occasionally. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated via the dashboard and, where required, by email.

Questions, complaints, or rights requests: apps@crocentinternational.com.