Privacy Policy
The short version. Heatmap.report collects anonymised visitor behaviour data (clicks, scrolls, page views) from the websites of customers who have signed up for our analytics service. We do not collect names, email addresses, phone numbers, payment details, or any other personally identifying information from those visitors. We do not sell data. We do not run ads. Data is stored on our servers in dedicated per-customer analytics databases.
1. Who we are
Heatmap.report is a website analytics service provided by Chat2 Pty Ltd (Australia). In this policy, "we", "us" and "our" refer to Chat2 Pty Ltd; "you" refers to a visitor whose browser interacts with a website that has installed our tracker, or to a customer who has signed up to receive analytics reports.
For questions about this policy, contact devs@chat2.com.
2. What data we collect
When a visitor lands on a website that has installed Heatmap.report's tracking snippet, we collect behavioural and technical data about that browsing session:
- Page views — the URL of each page visited, the page title, and a timestamp.
- Clicks & taps — the screen coordinates of each click and a description of the DOM element clicked (e.g., a button label). We do not record the values typed into form fields.
- Scroll depth — how far down the page the visitor reached, as a percentage.
- Session metadata — referring URL, device type (mobile / desktop / tablet), browser family, screen size, and approximate geography (country and city) derived from the visitor's IP address.
- An anonymous visitor identifier — a random ID stored in a first-party cookie so we can recognise the same browser across pages within a single visit. Reset on cookie expiry or clear.
What we don't collect
- Names, email addresses, phone numbers, addresses, or any other identifying personal information.
- Form field values, password inputs, search query content (only the fact that a search input was used).
- Credit card data or any payment information.
- Health, religious, political, or other sensitive personal data.
3. How we use the data
The data is used solely to produce analytics reports for the customer whose website it was collected from. Specifically:
- Generating monthly PDF reports showing visitor behaviour patterns on the customer's pages.
- Rendering heatmap overlays showing aggregate click density on individual pages.
- Producing session replay storyboards (a sequence of frame snapshots representing typical visitor journeys, with personal identifiers removed).
- Counting conversion events the customer has configured as goals (e.g., booking-form submissions, contact-form completions).
We do not use the data for advertising, sell it to third parties, share it with data brokers, or use it for any purpose unrelated to producing analytics for the customer who collected it.
4. Cookies
Heatmap.report sets first-party cookies on the customer's website to support analytics:
- owa_v — anonymous visitor ID (cookie lifetime: 1 year).
- owa_s — current session ID (cookie lifetime: 30 minutes of inactivity).
See the Cookie Policy for the full list and how to disable them. Heatmap.report respects the browser's Do Not Track header — when DNT is set, we do not initialise the tracker.
5. Lawful basis (GDPR / UK GDPR)
For visitors in the European Economic Area or United Kingdom, our lawful basis for processing this data is legitimate interest (Article 6(1)(f)): the customer who owns the website has a legitimate interest in understanding how visitors interact with their own pages, and the data we collect is non-identifying and minimised to that purpose.
If you are a visitor and you do not want this data to be collected from your sessions, you can:
- Set your browser's Do Not Track header — we will not initialise the tracker.
- Block first-party cookies for the relevant site.
- Use an extension such as uBlock Origin — Heatmap.report respects standard ad-blocker filter lists.
- Email the customer who operates the website to request your visit data be excluded (each customer's data is isolated).
6. Where data is stored
Visitor data is stored on servers operated by Chat2 Pty Ltd in Sydney, Australia. Data is stored in a customer-segregated database — one customer cannot see another customer's data. Backups are kept for 30 days for disaster recovery and then deleted.
7. How long we keep it
Aggregate analytics (counts of page views, sessions, scroll depths) are retained indefinitely so that month-on-month and year-on-year reports remain comparable. Raw event-level data (the underlying click stream) is retained for 13 months and then deleted.
If a customer terminates their service, all their data is deleted from active databases within 30 days and from backups within a further 30 days (60 days total).
8. Sharing & sub-processors
We do not share visitor data with third parties for marketing or sale. We use the following sub-processors strictly to operate the service:
- OpenAI — to generate the analyst-style captions on monthly PDF reports. Only aggregate, summary-level metrics are sent (e.g., "1,500 sessions, 64% mobile, top page /book-now"), never event-level data or anything identifying.
- Let's Encrypt — TLS certificate issuance for the heatmap.report domain.
We do not use any of the major ad networks, data brokers, or "marketing intelligence" platforms.
9. Your rights
If you are a visitor whose browsing data has been collected by Heatmap.report, you have the right under applicable privacy law (GDPR, UK GDPR, the Australian Privacy Act, the California Consumer Privacy Act, and similar regimes) to:
- Request a copy of the data we hold about your sessions (note: because data is anonymised, we typically cannot link it back to you without your IP address and a session timestamp).
- Request deletion of your data.
- Object to further processing of your data.
- Withdraw any consent previously given.
To exercise these rights, email devs@chat2.com or contact the website operator whose site you visited.
10. Children
Heatmap.report is not intended for use on websites directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from anyone in that age range.
11. Changes to this policy
We may update this policy from time to time. The "Last reviewed" date at the top reflects the most recent revision. Material changes will be flagged in a banner on the landing page for at least 30 days.
12. Contact
Privacy questions, data access requests, complaints: devs@chat2.com.