Privacy Policy

This Privacy Policy describes how exstats.com ("Exstats", "we", "us") collects, uses, discloses, and protects personal data when you use our website and services (the "Service").

1. Who we are

The Service is operated by exstats.com. For privacy questions or requests, contact [email protected].

2. Data we collect

• Account Data: name, email address, and avatar where provided by your authentication provider (Google) via Firebase Authentication. We also store basic account metadata.
• Usage and Analytics Data: event-level and aggregated usage information collected via Google Analytics 4 (GA4) and the Meta (Facebook) Pixel. This may include device and browser information, general location (from IP), pages viewed, features used, and referral data.
• Logs and Diagnostics: IP addresses, device/browser information, timestamps, and error details captured in our application logs and through Sentry for debugging and reliability.
• Payments: we use Stripe to process payments. We do not store full payment card numbers on our servers. Stripe processes payment data as an independent controller where applicable.
• Communications: email address and message content when you contact us. If you opt in to marketing, we record your marketing preferences. We send transactional emails and service notifications.

3. How we collect data

• Authentication: Firebase Authentication (Google and Email OTP) provides account data you choose to submit.
• Cookies and similar technologies: GA4 and the Meta Pixel set cookies or use similar identifiers to collect usage data. See Section 6.
• Diagnostics: Sentry captures application errors and performance signals.

4. How we use data

• Provide, secure, and maintain the Service.
• Monitor performance, fix bugs, and improve features.
• Analyze usage trends and audience metrics.
• Process payments and prevent fraud.
• Send transactional messages and, where permitted, marketing communications.
• Comply with legal obligations and enforce terms.

Legal bases (EEA/UK users): contract performance, legitimate interests (e.g., security, analytics), consent where required (e.g., non‑essential cookies/marketing), and legal obligations.

5. Sharing and disclosures

We do not sell personal data. We share personal data with service providers that process it on our behalf or as required by law.

• Firebase Authentication (account and auth): Privacy
• Google Analytics 4 (analytics): How Google uses information from sites or apps
• Meta Pixel (ads/measurement): Meta Privacy Policy
• Sentry (error monitoring): Privacy
• Cloudflare (security/proxy/CDN): Privacy Policy
• Stripe (payments): Privacy Policy

These providers may process personal data as independent controllers or processors, depending on the service and context.

6. Cookies and similar technologies

We use a consent management platform (CookieYes CMP) to present choices and obtain consent for non‑essential cookies where required by law. GA4 and the Meta Pixel may set cookies or use similar identifiers for analytics and advertising measurement. You can change your preferences at any time via the CookieYes "Cookie Settings" link on our site and through your browser settings.

7. Payments

Payments are processed by Stripe. We do not store full payment card numbers. Stripe may collect and process personal data for fraud prevention and regulatory compliance. See Stripe’s privacy notice linked above.

8. Data retention

We keep personal data only as long as needed for the purposes described in this Policy, to provide the Service, to comply with legal obligations, or to resolve disputes. When no longer needed, we delete or anonymize data.

9. Your rights

Depending on your location, you may have the right to request access, correction, deletion, restriction, or portability of your personal data, to object to certain processing, and to withdraw consent at any time. California residents also have the right to know, delete, correct, and to opt out of certain disclosures that may be considered a “sale” or “sharing” for cross‑context behavioral advertising. We will not discriminate against you for exercising your rights.

To submit a request, contact us at [email protected]. We may need to verify your identity before acting on a request.

10. Marketing communications

We send transactional emails related to your account and Service. We may send marketing emails where permitted by law. You can opt out at any time by using the unsubscribe link in those emails or by contacting us.

11. International data transfers

We may transfer and store personal data in jurisdictions that may not provide the same level of data protection as your home jurisdiction. Where required by law, we use appropriate safeguards for such transfers, including standard contractual clauses between us and our service providers.

12. Security

We use technical and organizational measures designed to protect personal data, including HTTPS/TLS in transit, access controls, and least‑privilege permissions. No method of transmission or storage is completely secure.

13. Children

The Service is not directed to individuals under 16. If you believe a child has provided us with personal data, contact us to request deletion.

14. Do Not Sell or Share (California)

We do not sell personal data for money. Certain analytics and advertising disclosures may be considered "sharing" under California law. You can manage your preferences via the CookieYes banner and settings on our site and your browser or device settings. You may also contact us to exercise your rights.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new effective date. If changes are material, we will provide additional notice as required by law.

16. Contact

Questions or requests: [email protected].