Privacy Policy
Last updated 13 June 2026. This is how askbowtie handles data — written to be read, not to hide behind.
askbowtie ("we", "us") builds a lightweight analytics and error-monitoring tracker, bowtie.js, that site owners embed on their sites and query through their AI agent over MCP. This policy covers two things: the data we hold about you as an askbowtie customer, and the data the tracker collects from visitors to the sites that run it.
The short version
- No cookies by default. The tracker sets no cookies and uses no cross-site identifiers. A session is a random id held in the browser's
localStoragefor 30 minutes of activity — it is not a tracking cookie and does not follow anyone across sites. - No personal data is collected by design. We never capture form input values, and click text is scrubbed for emails, phone numbers, and card numbers before it leaves the page.
- We don't sell data, run ads, or share with data brokers. Ever. There is no second business model here.
- You can export or delete your data by emailing support@askbowtie.com.
Data we hold about you (the customer)
| What | Why |
|---|---|
| Your email address and any linked sign-in identities (e.g. Google) | To create your account and sign you in. We use passwordless sign-in, so we never store a password. |
| The domains you add and their settings | To know which sites to track and how to interpret conversions for each. |
| Connector grants (Google Search Console, Google Ads) if you connect them | Stored encrypted at rest; used only to pull your own search and ads data into your dashboard. Revoke any time in settings or at your Google account. |
| MCP API tokens you create | Stored only as a hash. The raw token is shown once and never again. |
| Support emails you send us | To answer you. |
What the tracker collects from your visitors
When a visitor loads a page on a site running bowtie.js, the tracker records anonymous usage and error data so the site owner can see what's working and what's broken:
- Page paths viewed, referrer, and page title (title and referrer are length-limited and scrubbed)
- A 30-minute session id from
localStorage(not a cookie, not cross-site) - Clicks — recorded as element context (tag, id, class, link target) only. Never the text inside, never input values.
- Errors: JavaScript errors, failed network requests, broken resources, content-security-policy violations, and rage clicks
- Performance metrics (Core Web Vitals: LCP, CLS, INP/FID, TTFB)
- Marketing attribution on session start: UTM parameters and ad click ids (e.g.
gclid) present in the page URL - Custom events and conversions the site owner chooses to send via the tracker's API (the site controls exactly what those contain)
Derived from the network request, not stored as identity
- Approximate country — from an edge header (country only; not city, not a precise location)
- Browser, OS, and device type — parsed from the User-Agent string
- IP address — used transiently for rate-limiting and the country lookup. It is not written to the event record.
Optional visitor identity
A site owner can call bowtie.identify() with their own identifier (for example a user id or a hashed email) to connect a visitor's sessions — useful for funnels that complete across multiple visits. This is off by default. When a site uses it, that identifier belongs to the site owner and is collected under their relationship with their visitor, not ours. Sites that never call it stay fully cookieless and identifier-free.
Roles: who controls the data
For data collected on a customer's own site, the site owner is the data controller and askbowtie is the data processor — we process that data only to provide the analytics service to them, on their instruction. The site owner is responsible for having a lawful basis to run analytics and for their own visitor-facing privacy notice. For data about askbowtie customers themselves (your account), askbowtie is the controller.
Cookies
askbowtie.com itself uses one essential, first-party cookie to keep you signed in to your dashboard. That is the only cookie. The tracker we distribute sets none. Because no tracking cookies are involved, sites running only bowtie.js generally do not need a cookie-consent banner for it — though you should confirm your own obligations.
Where data lives and who else touches it
Data is stored on Cloudflare's infrastructure. We use a small number of processors strictly to run the service: Cloudflare (hosting and edge), and an email provider (Resend) to send sign-in links, alerts, and the reports you ask for. If you connect Google Search Console or Google Ads, we exchange data with Google on your behalf to pull your own metrics. We do not use any advertising or data-broker services.
How long we keep it
We keep your account data for as long as your account is active. Analytics and error data is retained to power your dashboard and historical comparisons; operational logs (uptime checks, resolved alerts) are pruned automatically on a rolling basis. You can ask us to export or delete your data at any time, and we'll action it.
Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict its processing. To exercise any of these, email support@askbowtie.com. We'll respond within a reasonable time and won't make you jump through hoops.
Children
askbowtie is a tool for site owners and is not directed at children. We don't knowingly collect personal data from anyone under 16.
Changes
If we change this policy materially, we'll update the date above and, for significant changes, notify account holders by email. Continued use after a change means you accept the updated policy.
Contact
Questions, requests, or concerns: support@askbowtie.com.