Privacy Policy
Last updated: May 11, 2026
39bases is a privacy-first analytics service. This policy describes what data we collect, how we use it, and how to control it. There are two audiences here: customers (people who sign up for 39bases to track their own sites) and visitors (people who view sites that have the 39bases snippet installed). The policies are different for each.
For visitors of sites using 39bases
If you are browsing a website that uses 39bases for analytics, here's what happens when our snippet runs in your browser:
- No cookies are set. The snippet does not read or write any cookies on your device. There is no consent banner because there is nothing to consent to.
- Your IP address is never stored. When a pageview reaches our servers, we use your IP only to look up which country the request came from (using a locally-hosted MaxMind GeoLite2 database), then immediately discard the IP. It is never written to disk, never logged, and never sent to any third party.
- You are not identified across sites, sessions, or days. We compute a one-way hash (SHA-256) of your IP, user-agent, the site you are visiting, and the current UTC date. This hash lets the site owner see how many unique people visited on a given day without us — or them — ever knowing who you are. The hash rotates every 24 hours, so the same person on day 1 and day 2 looks like two different visitors. Cross-site tracking is impossible by construction.
- What gets stored. For each pageview we record: the path on the site (e.g. /pricing), the referring URL if present, your country, the daily visitor hash described above, your user-agent string, and the timestamp. Event records are deleted after 90 days.
- No third parties. The snippet does not load any external resources, send any data to ad networks, or share data with any analytics partners. The only network call it makes is to our own server.
For 39bases customers
If you have a 39bases account, we collect the data needed to operate your subscription:
- Account data. Your email address (used for magic-link authentication), the timestamp of your sign-up and verification, the sites you've added (name, domain), and an audit log of significant actions (logins, plan changes, cancellations).
- Billing data. If you upgrade to Pro, we store the Stripe customer ID and subscription ID associated with your account. Payment card data never touches our servers — Stripe handles all card collection and storage on their PCI-compliant infrastructure.
- Session data. When you sign in, we set one cookie named session_token. It is HTTP-only, Secure, SameSite=Lax, expires after 30 days of inactivity, and rotates with use. We do not set any other cookies. We do not use third-party session tools.
- Operational logs. Standard request logs (path, method, status code, timing, request ID) are retained for up to 30 days for debugging and abuse prevention.
Subprocessors
We use the following services to operate 39bases. Each handles a narrow slice of data on our behalf:
- Stripe (payment processing) - card details, billing address, customer email for receipts. Privacy policy.
- Resend (transactional email) - your email address and the contents of magic-link, welcome, and billing emails. Privacy policy.
- Railway (application hosting) - operates the API servers and database. Privacy policy.
- Vercel (dashboard frontend hosting). Privacy policy.
- Netlify (marketing site hosting). Privacy policy.
- MaxMind GeoLite2 - the geo-IP database is hosted locally; no data is sent to MaxMind at runtime.
Your rights
You can:
- Access your data - your dashboard shows everything we have on file. Email hello@39bases.com for a machine-readable export.
- Delete your account - email hello@39bases.com with the address registered on your account. We process deletions within 14 days; account data, sites, and all associated event records are removed.
- Cancel your subscription - via the billing page in your dashboard, or by emailing us. See the Terms of Service for refund details.
- Control marketing email - we don't send any. The only emails you'll receive are operational: magic-link sign-in, welcome and setup nudges during your first week, and billing receipts.
If you are in the EU/UK and want to exercise rights under GDPR, or in California under the CCPA/CPRA, the legal basis is the same as above: email us and we'll honor the request. We are not large enough to need a Data Protection Officer; the founder handles requests directly.
Security
Transport is HTTPS everywhere. Customer data is encrypted at rest by our hosting providers. Magic-link tokens and session tokens are stored as SHA-256 hashes; the raw token never persists in our database. Passwords don't exist because we use magic links.
Changes to this policy
If we make material changes we'll email all active customers at least 14 days in advance and update the "Last updated" date at the top. For non-material clarifications we'll update the date only.
Contact
Questions, requests, or concerns: hello@39bases.com.