Security Practices

Data minimization

Clickport collects only aggregate, non-personal metrics. We do not track individual visitors across sessions or devices. The less data you store, the less there is to protect.

• No cookies set on visitor devices
• No personal data collected from website visitors
• No fingerprinting or cross-site tracking
• No third-party advertising scripts or tracking pixels

IP address handling

IP addresses are used at request time for country-level geolocation and then immediately discarded. They are never written to databases, logs, or any persistent storage.

Visitor identifiers are generated using HMAC-SHA256 with a daily-rotating random salt. The salt changes every 24 hours, making it impossible to link visitors across days or reverse the hash to recover the original IP address.

Encryption

All data is encrypted in transit via HTTPS (TLS 1.2+). Connections without HTTPS are automatically upgraded.

Passwords are hashed with bcrypt before storage. We never store or have access to plain-text passwords.

Server location

All data is stored on servers operated by Hetzner Online GmbH, a German company with data centers in Germany. Your analytics data and account information never leave the EU.

Hetzner maintains ISO 27001 certification covering physical security, access controls, and environmental protections at their data centers.

Infrastructure security

• Automatic security updates enabled on the server operating system
• Firewall configured to allow only necessary ports
• Fail2ban active for brute-force protection on SSH and application endpoints
• Rate limiting on all API endpoints to prevent abuse
• Bot detection and datacenter IP blocklist to filter automated traffic

Access controls

Server access is restricted to the founder only via SSH key authentication. Password-based SSH login is disabled.

No third-party analytics, tracking, or monitoring services run on the Clickport dashboard. We do not use external error tracking tools that could expose customer data.

Data ownership and deletion

Your data belongs to you. We do not sell, share, or monetize it in any way.

You can export all your analytics data as CSV at any time. You can delete individual sites or your entire account from the dashboard settings. Deletion is immediate and permanent.

Sub-processors

We use a minimal number of third-party services:

• Hetzner (Germany): Server hosting and infrastructure
• Resend (USA): Transactional email delivery only. Certified under the EU-US Data Privacy Framework
• Paddle (UK): Payment processing as merchant of record. PCI DSS compliant. Card details never touch our servers

No visitor analytics data is shared with any sub-processor.

Vulnerability disclosure

If you discover a security vulnerability in Clickport, we encourage responsible disclosure. Please report it to security@clickport.io.

Guidelines

• Provide sufficient detail to reproduce the vulnerability
• Allow reasonable time for us to address the issue before public disclosure
• Do not access, modify, or delete data belonging to other users

Scope

The following are in scope: services on clickport.io, the tracker script, and the API.

Out of scope: automated scanner reports, social engineering, denial of service attacks, third-party service vulnerabilities, and issues requiring physical access.

Safe harbor

Security research conducted in good faith and in accordance with these guidelines is considered authorized. We will not pursue legal action against researchers who follow this policy.

Legal documents

For more details on how we handle data:

• Privacy Policy
• Data Processing Agreement
• GDPR Compliance
• Terms of Service

Questions

For security questions or concerns, contact us at security@clickport.io.

Last updated: February 21, 2026.