Privacy Policy
Last updated: May 17, 2026
This Privacy Policy explains how Millimetric ("Millimetric", "we", "us") collects, uses and shares personal data when you (a) visit our marketing site at millimetric.ai, (b) use our hosted analytics product (the "Service"), or (c) when an end user visits a website or application that uses the Service ("Visitor").
Millimetric is designed to collect the minimum data necessary to count and attribute traffic. We do not set cookies on Visitors. We do not store raw IP addresses. We do not build cross-site behavioural profiles, and we do not sell or share personal data with advertising networks.
1. Who is the controller / processor
For our marketing site, our customer accounts, and any data we collect about you, the customer or prospect, Millimetric is the data controller (or "business" under CCPA).
For analytics data we collect about Visitors on our customers' sites and apps, Millimetric acts as a data processor (or "service provider" under CCPA) on behalf of the customer. The customer is the controller and is responsible for posting their own privacy notice to their Visitors.
2. What we collect
From you, our customer or prospect
- Account data: email, name, hashed password (or OAuth identifier), team/role.
- Billing data: company name, billing address, last 4 digits of payment card, tax IDs. (Card data is handled directly by our payment processor; we never store full card numbers.)
- Support data: any content you send us in emails, chat, or bug reports.
- Product usage data: API requests, dashboard logins, audit-log events, IP and user agent of admin sessions.
From Visitors of customer sites/apps using the Service
For each tracked event, the Service receives:
- An anonymous ID generated in the Visitor's browser and stored in localStorage under mm_aid. This is not a cookie and is not transmitted between domains.
- Page URL (without query parameters that look like PII), referrer URL, document title.
- UTM parameters, click-IDs (gclid, fbclid, etc.), and the attribution source/medium derived from them.
- Coarse user-agent data: browser family, OS family, device type. We do not collect a unique browser fingerprint.
- Coarse geographic data: country, region, city (derived from IP at ingestion time).
- The Visitor's IP address is used at ingestion only to derive country/region and to apply abuse rate limits. It is discarded within seconds and never written to long-term storage.
- Any custom event properties the customer explicitly passes via the API. The customer chooses what to send.
What we do not collect
- Cookies on the Visitor's browser.
- Cross-site identifiers, advertising IDs, or device fingerprints.
- Raw IP addresses at rest.
- Form input values, keystrokes, or session recordings.
3. Why we use it (legal bases)
For customers / prospects in the EU and UK, our legal bases under GDPR / UK-GDPR are:
- Contract (Art. 6(1)(b)): to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, debug issues, and improve our product. We balance these interests against your rights.
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting and audit requirements.
- Consent (Art. 6(1)(a)): only where required, such as for optional marketing emails. You can withdraw consent at any time.
For Visitor analytics, the customer is the controller and chooses the legal basis. Because the Service operates without cookies, fingerprinting or behavioural profiling, many customers rely on legitimate interests rather than consent. Note that the SDK does write a first-party mm_aid identifier to localStorage for audience measurement, which is storage on terminal equipment under the EU/UK ePrivacy rules; whether a consent banner is required for your use case is a determination you make in your own jurisdictional analysis.
4. Who we share data with
We use a small set of carefully chosen subprocessors. The current list lives at millimetric.ai/legal/subprocessors and we will notify customers of changes at least 30 days in advance.
We do not sell personal data. We do not "share" personal data for cross-context behavioural advertising as defined under CCPA/CPRA.
5. International transfers
Customer ingestion is routed through the Cloudflare edge network. Long-term event storage is in an EU region by default; US-region storage is available on request. Transfers from the EU or UK to the US are protected by the Standard Contractual Clauses (and UK Addendum) and the EU-US Data Privacy Framework where applicable.
6. Retention
- Account data: kept for the lifetime of the account, deleted within 30 days of account closure.
- Billing data: kept for the period required by tax law (typically 7–10 years).
- Event data: kept for the retention window of your plan (30, 90, or 365 days). After that, raw events are deleted; aggregate counters may be retained indefinitely.
- Server logs: 30 days.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Delete your personal data ("right to erasure").
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent where consent was the legal basis.
- Lodge a complaint with a supervisory authority (the ICO in the UK, your local DPA in the EU, or the relevant authority in your jurisdiction).
To exercise any of these rights, email privacy@millimetric.ai. For Visitor-data requests, contact the customer whose site you visited; we will assist them where required.
8. California notice (CCPA / CPRA)
California residents have additional rights described in our CCPA / CPRA Notice, including the right to know, the right to delete, the right to correct, and the right to limit the use of sensitive personal information. We do not sell or share personal information.
9. Children
The Service is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
10. Security
We use industry-standard practices: TLS in transit, encryption at rest, least-privilege IAM, SSO and MFA for staff, audit logging, and quarterly access reviews. No system is perfectly secure; if you discover a vulnerability, please report it to security@millimetric.ai.
11. Changes
We will post any changes here and update the "Last updated" date. For material changes affecting Visitor data processing, we will notify customers by email at least 30 days in advance.
12. Contact
Millimetric, Inc.
Email: privacy@millimetric.ai
For EU representation: see our GDPR Notice.
For UK representation: see our UK-GDPR Notice.