Privacy Policy

Last updated: March 26, 2026

1. Introduction

UserActivity.ai ("UA.ai", "the Service", "we", "us") is an open source and source-available behavioral intelligence layer for AI coding agents, operated by Roarke Clinton. We provide a lightweight tracker script that site owners embed on their websites to collect anonymous behavioral signals, and an API and dashboard through which site owners analyze that data.

This privacy policy applies to two distinct groups of people:

  • UA.ai users (site owners) — people who sign up for a UserActivity.ai account, embed the tracker script on their websites, and use the API, MCP server, CLI, or dashboard to analyze behavioral data.
  • End users (site visitors) — visitors to websites that have the UserActivity.ai tracker installed. End users never interact with UA.ai directly and may not be aware of its presence.

We are committed to collecting the minimum data necessary to provide meaningful behavioral insights, without ever identifying individual people. The tracker script is open source (MIT); analytical tools (core, CLI, MCP server) are source-available under the Elastic License 2.0. You can audit exactly what data is collected and transmitted.

2. Development Preview

UserActivity.ai is currently in Development Preview.

Data handling practices described in this policy may evolve as the product matures. We will update this policy to reflect any material changes. During the preview period, site owners can delete their sites and all associated event data at any time from the dashboard.

3. What We Collect from UA.ai Users (Site Owners)

When you create a UserActivity.ai account and use the Service, we collect:

  • Email address — provided during signup via Supabase Auth. Used for account authentication and service communications.
  • Site domain — the domain(s) you register for tracking.
  • Site configuration — CNAME settings, data retention preferences, and other configuration choices you make within the dashboard.
  • API usage patterns — which endpoints you call, request frequency, and error rates. Used to maintain service reliability.
  • Dashboard interactions — how you use the dashboard interface. We use our own tracker on our own site.

This data is used solely to provide and improve the Service. We do not sell it, share it with advertisers, or use it for any purpose beyond operating UserActivity.ai.

4. What We Collect from End Users (Site Visitors)

When you visit a website that has the UserActivity.ai tracker installed, the tracker collects anonymous behavioral signals. No personally identifiable information is collected. Here is an exhaustive list of what is captured:

Behavioral signals

  • Clicks — target element (tag name, CSS selector), position on page, and timestamp.
  • Rage clicks — three or more rapid clicks on the same target within two seconds. Indicates user frustration.
  • Dead clicks — clicks on non-interactive elements. Indicates confusing UI affordances.
  • Scroll behavior — scroll depth percentage, velocity, direction changes, and pause points.
  • Page navigation — from-page and to-page (paths only), navigation method (link click, back button, direct entry).
  • Form interactions — field focus and blur timing, field index and type, number of fields completed versus total, and form submission or abandonment events. Field values are never captured.
  • JavaScript errors — error message, source file, and line number for uncaught exceptions and failed network requests during a session.
  • Cursor hesitation — detected when a cursor hovers over an element for two or more seconds without clicking. Indicates confusion or indecision.
  • U-turns — rapid navigation reversals (e.g., visiting a page then immediately going back). Indicates disorientation.

Session metadata

  • Session ID — a random UUID generated via crypto.randomUUID(), stored in sessionStorage. It exists only for the lifetime of the browser tab and is never persisted to disk.
  • Viewport size — browser window dimensions in pixels.
  • Device type — inferred from viewport (mobile, tablet, desktop). No fingerprinting.
  • Referrer domain — the domain of the referring page (domain only, not the full URL or path).
  • Page load time — time to interactive, measured via the Performance API.

Visitor identification

An optional first-party cookie (__ua_vid) with SameSite=Lax may be set to detect return visits. This cookie contains a random identifier and is used solely to distinguish new visitors from returning visitors on the same site. It is not used for cross-site tracking, is not shared with any third party, and expires after one year.

Page context

  • Page URL — path only. Query parameters are stripped by default to prevent accidental capture of sensitive data in URLs.
  • Page title — the contents of the <title> element.

5. What We Do Not Collect

UserActivity.ai does not collect any of the following — by design, not by policy:

  • Keystrokes or form field values
  • Names, emails, phone numbers, or any personally identifiable information
  • IP addresses — used transiently for network transport only, never stored or logged
  • Cross-site tracking data — the tracker operates on a single domain only
  • Session recordings, screen captures, or screenshots
  • Advertising identifiers or marketing pixels
  • Location data beyond what can be inferred from referrer domain
  • Browser fingerprints or hardware identifiers
  • Login state or authentication tokens from the tracked site

6. How End Users Can Opt Out

End users have multiple ways to prevent data collection:

Do Not Track (browser setting)

If your browser sends the Do Not Track signal (navigator.doNotTrack === "1"), the UserActivity.ai tracker does not initialize at all. No script runs, no events are captured, no cookies are set. We honor DNT unconditionally.

Programmatic disable

Site owners can call window.useractivity.disable() at any point to immediately stop all tracking for the current session. This can be wired to a consent banner, a user preference toggle, or any custom logic.

Browser-level blocking

Blocking useractivity.ai/tracker.js via an ad-blocker, content blocker, or browser privacy settings prevents all data collection entirely. The tracker cannot initialize if the script is never loaded.

7. How We Use Data

We use the data we collect for the following purposes only:

  • To provide behavioral analysis to site owners through the dashboard, API, MCP server, and CLI.
  • To generate aggregated, anonymous insights including frustration scores, scroll depth analysis, navigation pattern detection, and engagement metrics.
  • To maintain, monitor, and improve the reliability and performance of the Service.

We commit to the following:

  • We do not sell data to anyone, for any reason.
  • We do not use data for advertising or ad targeting.
  • We do not share individual-level behavioral data with third parties.
  • We do not build user profiles across different websites.
  • We do not use end-user data to train machine learning models.

8. Third-Party Providers

We use a minimal set of infrastructure providers to operate the Service. Each provider processes data only as necessary to provide their service to us.

| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database and authentication | Stores event data and user accounts. US-based infrastructure. |
| Vercel | Hosting, edge functions, CDN | Serves the website, API endpoints, and tracker script. Global edge network. |
| Resend | Transactional email | Sends account-related emails (e.g., authentication, notifications) if applicable. |
| Communications | Feedback widget | A feedback button on this marketing site operated by comms.roarke.io. Collects data only when you submit: your message, category, email (if provided), page URL, and browser info. Does not set cookies. |

We do not use any advertising networks, marketing analytics platforms, data brokers, or customer data platforms. There are no hidden third-party scripts loaded by the tracker.

Provider terms and changes

Each provider operates under its own privacy policy. These policies may change independently of ours. Current provider privacy policies:

Each provider acts as a data processor for your behavioral event data — meaning they process it on our behalf and under our instructions, not for their own purposes. However, their own privacy policies govern their relationship with us as their customer (e.g., our account email and usage patterns).

We monitor provider terms for material changes. If a provider's practices become incompatible with the commitments in this policy, we will migrate to an alternative provider and notify you.

Provider disclosures (as of March 31, 2026)

Vercel: Vercel's privacy policy (effective March 31, 2026) permits sharing de-identified data with AI business partners for model training and improvement on non-Enterprise plans. We have opted out of AI training where dashboard controls are available. Vercel explicitly states that data processed at customer direction (i.e., your behavioral event data flowing through our API) is governed by their Data Processing Addendum, not their general privacy policy.

Supabase: Supabase's privacy policy (updated March 16, 2026) permits sharing customer contact identifiers with advertising and marketing partners. This applies to our account data (email address), not to your behavioral event data, which Supabase processes as a data processor on our behalf.

Hosting tier: During the Development Preview, we operate on standard (non-enterprise) hosting tiers. We do not currently have enterprise-grade Data Processing Agreements with all providers. As the service scales, we will establish formal DPAs. We believe transparency about where we are is more valuable than implying protections we don't yet have.

9. Your Rights

Regardless of where you are located, we extend the following rights to all users. These rights apply equally to UA.ai users (site owners) and end users of tracked sites:

  • Right to know — you can ask what data we hold about you.
  • Right to access — you can request a copy of your data.
  • Right to correction — you can request that inaccurate data be corrected.
  • Right to deletion — you can request that your data be deleted. Site owners can delete their sites and all associated event data directly from the dashboard at any time.
  • Right to data portability — you can request your data in a machine-readable format.
  • Right to object to processing — you can object to our processing of your data.
  • Right to complain to a supervisory authority — if you believe your data rights have been violated, you have the right to lodge a complaint with a data protection authority.
  • Right to non-discrimination — we will never discriminate against you for exercising any of these rights.

To exercise any of these rights, contact us at team@useractivity.ai. We will respond within 30 days.

10. Data Retention

  • Event data — retained according to the site owner's plan tier. During the Development Preview, the default retention period is 90 days. Site owners can configure retention to 30, 60, 90, or 180 days.
  • Account data — retained while the account is active. Upon account cancellation, account data and all associated site and event data are deleted.
  • Server logs — rotated regularly and not stored long-term. Server logs may contain IP addresses transiently but these are not correlated with event data.

11. Cookies

UserActivity.ai uses a minimal number of cookies, all of which are strictly necessary or first-party:

| Cookie | Purpose | Duration | Set By |
|---|---|---|---|
| sb-*-auth-token | Supabase authentication session for dashboard users | Session | Supabase |
| __ua_vid | Return visitor detection (first-party, optional) | 1 year | Tracker |

  • No analytics cookies.
  • No advertising cookies.
  • No third-party cookies.
  • No consent banner is required — the Supabase auth cookie is strictly necessary for dashboard functionality, and the tracker cookie is first-party and optional.

12. Security

We implement the following security measures to protect your data:

  • TLS encryption in transit — all data transmitted between the tracker, API, and dashboard is encrypted via HTTPS/TLS.
  • Encryption at rest — all data stored in Supabase is encrypted at rest.
  • Row-level security (RLS) — all database tables enforce row-level security policies ensuring that site owners can only access their own data.
  • Service-role key isolation — the service-role key that bypasses RLS is never exposed to the client and is used only in server-side API routes.
  • API key authentication — all analysis endpoints require a valid API key, scoped to a specific site.

13. International Transfers

Data is stored in the United States via our infrastructure providers (Supabase and Vercel). If you are located outside the United States, your data will be transferred to and processed in the US.

For users in the European Union, European Economic Area, or United Kingdom, these transfers rely on Standard Contractual Clauses (SCCs) as implemented by our infrastructure providers. You can request copies of the relevant SCCs by contacting us.

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you via dashboard notification or email (for registered site owners).

We encourage you to review this policy periodically. Continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account and all associated data at any time.

15. Contact

If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how your data is handled, contact us at:

team@useractivity.ai

Roarke Clinton
UserActivity.ai

This privacy policy is adapted from Basecamp's open-source policies, available under a Creative Commons Attribution 4.0 International license.