Privacy Policy
How we collect, use, and protect your data
Status: DRAFT — Not yet reviewed or finalized.
Baldwin MN LLC ("OpenGander," "we," "us," or "our") operates a privacy-first marketing analytics platform that helps businesses understand how users interact with their websites and digital properties. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our website at opengander.com, our application at app.opengander.io, our browser SDK, our APIs, and all related services (collectively, the "Service").
This Privacy Policy applies to three categories of individuals:
- Customers: Businesses and individuals who sign up for an OpenGander account, configure domains, and use our dashboard and analytics tools.
- Authorized Users: Individuals granted access to a Customer's OpenGander account, including employees of agencies and their downstream clients.
- End Users: Visitors to websites and digital properties where a Customer has installed the OpenGander SDK or tracking code.
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information from Customers and Authorized Users
When you create an account or are invited to an account, we collect:
- Account Information: Email address, name, organization name, and billing information.
- Authentication Data: Magic link tokens and session identifiers (we do not collect or store passwords).
- Organization Data: Domain names, tenant configuration, team member roles, and invitation records.
- Usage Data: Dashboard interactions, feature usage, and API call logs.
- Communications: Support requests, feedback, and correspondence with our team.
1.2 Information Collected via the SDK from End Users
When a Customer installs the OpenGander SDK on their website, the SDK collects the following data from End Users who visit that website:
- Page View Data: URLs visited, page titles, referrer URLs, and navigation timestamps.
- Performance Metrics: Core Web Vitals including Largest Contentful Paint (LCP), First Input Delay (FID), Cumulative Layout Shift (CLS), Time to First Byte (TTFB), and Interaction to Next Paint (INP).
- User Interaction Data: Click events (element type, element text, CSS selectors), form submission events (form identifiers only, not form field contents), and scroll depth.
- Error Data: JavaScript error messages, error types, and stack traces.
- Marketing Attribution Data: UTM parameters (source, medium, campaign, term, content), traffic source classification, and referrer information.
- Session Data: Session identifiers (randomly generated), session duration, and page sequence within a session.
- Device and Browser Information: Browser type and version, operating system, screen resolution, viewport size, and device category (desktop, mobile, tablet).
1.3 Information We Do NOT Collect from End Users
OpenGander is designed with privacy at its core. The SDK does not collect:
- Names, email addresses, phone numbers, or other personal contact information of End Users.
- Form field contents, keystrokes, or text input.
- Credentials, passwords, or authentication tokens belonging to End Users.
- Financial information such as credit card numbers, bank account details, or Social Security numbers.
- Precise geolocation (GPS coordinates).
- Cross-site browsing history or activity on websites other than the Customer's instrumented properties.
Our OpenTelemetry Collector includes automated PII filtering that strips email addresses, phone numbers, Social Security numbers, and credit card numbers from telemetry data before it reaches our database.
1.4 Consent and Tracking Technologies
The OpenGander SDK includes a mandatory consent module that presents End Users with a clear choice before any data collection begins. The consent experience is determined automatically based on the End User's detected jurisdiction:
- Strict Consent Jurisdictions (EU/EEA, UK, Brazil, South Korea, Japan, India, South Africa, and others with comprehensive data protection laws): A full-page consent gate is displayed. No data is collected, no tokens are fetched, and no information is stored on the End User's device until they explicitly accept.
- Standard Consent Jurisdictions (United States, Canada, Australia, and others): A consent banner is displayed. No data is collected until the End User explicitly accepts or declines.
- Do Not Track: If the End User's browser sends a Do Not Track signal, the SDK does not initialize and no consent prompt is shown. Zero data is collected.
- Unknown Jurisdiction: If the End User's jurisdiction cannot be determined, the SDK defaults to strict (full-page gate) as a fail-safe.
Jurisdiction detection uses the End User's browser timezone (via Intl.DateTimeFormat) and language settings. This detection does not involve IP geolocation lookups, third-party services, or the transmission of any data prior to consent.
The SDK uses first-party localStorage to remember the End User's consent decision and to maintain a session identifier during a visit. We do not use third-party cookies. We do not participate in cross-site tracking or advertising networks. For a complete list of all data stored on End User devices, see our Storage Disclosure. The session identifier expires after 30 minutes of inactivity (configurable by the Customer). The consent decision is stored separately from analytics data and can be revoked by the End User at any time.
This consent module is not optional. It is included in every OpenGander SDK installation and cannot be disabled by Customers. Customers may customize the consent text and visual theme but may not bypass, remove, or reduce the consent level below what the End User's jurisdiction requires.
1.5 Information from Integrations
Customers may choose to connect third-party analytics platforms (such as Google Analytics 4 or Cloudflare Analytics) to OpenGander. When enabled, we ingest aggregated analytics data from those platforms as authorized by the Customer. We do not access the Customer's third-party accounts directly; the Customer provides API credentials that we use solely to retrieve the authorized data.
2. How We Use Information
2.1 Customer and Authorized User Information
We use Customer and Authorized User information to:
- Provide, operate, and maintain the Service.
- Authenticate users and manage account access and permissions.
- Process billing and payments.
- Communicate about the Service, including service announcements, security alerts, and support responses.
- Improve and develop new features for the Service.
- Enforce our Terms of Service and protect against fraud, abuse, and unauthorized access.
- Comply with legal obligations.
2.2 End User Information
End User data collected via the SDK is processed for the sole purpose of providing analytics to the Customer who installed the SDK. Specifically, we use End User data to:
- Generate aggregated analytics reports and dashboards for Customers (page views, traffic sources, performance metrics, user journey flows).
- Calculate marketing attribution and conversion funnels.
- Identify website performance issues (slow page loads, JavaScript errors).
- Detect anomalous traffic patterns.
We do not use End User data to build individual user profiles, serve advertisements, or sell it to third parties, nor for any purpose unrelated to providing the Service to the Customer.
3. How We Share Information
3.1 With Customers and Their Authorized Users
End User analytics data is made available to the Customer who installed the SDK and to the Authorized Users within that Customer's account. Under our multi-tenant model:
- A parent organization (such as a marketing agency) may have access to analytics data across its child organizations (its agency clients), as configured in their account.
- Child organizations (agency clients) have access to their own analytics data and may grant access to their own team members.
- Access is governed by role-based access controls (RBAC) configured by account administrators.
3.2 With Service Providers
We share information with third-party service providers who assist us in operating the Service, including:
- Cloud Infrastructure: Amazon Web Services (AWS) for hosting and compute (currently US-East-1 region).
- Email Delivery: AWS SES or Mailgun for transactional emails (magic links, invitations, notifications).
- Payment Processing: Stripe (Stripe Privacy Policy) for billing and subscription management. Stripe receives only the billing information necessary to process transactions.
These service providers are contractually obligated to use information only as directed by us and in accordance with this Privacy Policy.
3.3 For Legal Reasons
We may disclose information if required to do so by law or in the good faith belief that such action is necessary to:
- Comply with a legal obligation, subpoena, court order, or governmental request.
- Protect and defend the rights or property of OpenGander.
- Prevent or investigate possible wrongdoing in connection with the Service.
- Protect the personal safety of users of the Service or the public.
3.4 Business Transfers
If OpenGander is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
3.5 No Sale of Personal Information
We do not sell, rent, or trade personal information to third parties for their marketing or advertising purposes. We do not share personal information with data brokers.
4. Data Retention
- Customer and Authorized User Account Data: Retained for the duration of the account relationship, plus 90 days after account closure to allow for reactivation or data export.
- End User Analytics Data (Telemetry): Retained for 30 days in our primary analytics tables, after which it is automatically deleted via time-to-live (TTL) policies.
- Integration Data (GA4, Cloudflare): Retained for 90 days via TTL policies.
- Audit Logs: Retained for 365 days for security and compliance purposes.
- Waitlist and Marketing Data: Retained until the individual requests removal or until no longer needed for the purpose for which it was collected.
Customers may request earlier deletion of their data by contacting us at [email protected].
5. Data Security
We implement commercially reasonable technical and organizational measures to protect information, including:
- Encryption in Transit: All data transmitted between the SDK and our servers, and between our servers and your browser, is encrypted using TLS.
- Encryption at Rest: All stored data is encrypted at rest using AES-256 via AWS-managed encryption (EBS volume encryption and S3 server-side encryption).
- Short-Lived Tokens: Browser telemetry tokens have a 5-minute time-to-live with origin and IP binding, preventing token reuse and replay attacks.
- PII Filtering: Automated stripping of email addresses, phone numbers, Social Security numbers, and credit card numbers from telemetry data at the collector level.
- Access Controls: Role-based access controls with four permission levels. Tenant isolation ensures Customers can only access their own data and, where configured, their child tenant data.
- Audit Logging: All sensitive actions (user management, role changes, impersonation) are logged for security monitoring.
- Rate Limiting: API endpoints are rate-limited to 100 requests per minute per IP address.
- Infrastructure Security: Our infrastructure runs in AWS with network segmentation. The ClickHouse analytics database resides in a private subnet with no direct public access.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data Location and Transfers
All data is currently processed and stored in the United States (AWS US-East-1, Northern Virginia). If you are located outside the United States, please be aware that your information will be transferred to and processed in the United States.
For Customers subject to the European Union General Data Protection Regulation (GDPR) or similar international data protection laws, we will enter into a Data Processing Agreement (DPA) upon request. Contact [email protected].
7. Your Rights and Choices
7.1 Customers and Authorized Users
You may:
- Access and Update: Access and update your account information through the dashboard settings.
- Export: Request an export of your analytics data by contacting [email protected].
- Delete: Request deletion of your account and associated data by contacting [email protected]. Deletion will be processed within 30 days, subject to any legal retention requirements.
- Manage Team Access: Add, remove, or modify team member access and roles through account settings.
7.2 End Users
Because OpenGander does not collect personal contact information from End Users and relies on pseudonymous session identifiers, we generally cannot identify or contact End Users directly. End Users who wish to exercise data protection rights should contact the website operator (our Customer) who installed the SDK.
If you are an End User and wish to opt out of OpenGander analytics on a specific website, you may:
- Use your browser's "Do Not Track" signal. The OpenGander SDK always honors Do Not Track — if your browser sends this signal, the SDK does not initialize and zero data is collected.
- Use a browser extension that blocks analytics scripts.
- Contact the website operator directly to inquire about their data practices.
7.3 Rights Under Specific Laws
- California Residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information (we do not sell personal information). To exercise these rights, contact [email protected].
- European Economic Area, UK, and Swiss Residents (GDPR/UK GDPR): You have the right to access, rectification, erasure, restriction of processing, data portability, and the right to object to processing. Our lawful bases for processing are contract performance (for Customers), legitimate interests (for analytics), and consent (where applicable). To exercise these rights, contact [email protected].
8. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children. If a Customer uses the SDK on a website directed at children, the Customer is responsible for ensuring compliance with the Children's Online Privacy Protection Act (COPPA) and similar laws, including obtaining any required parental consent.
9. Third-Party Websites
The Service may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to read the privacy policies of any third-party websites you visit.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes by email or by posting a prominent notice on our website at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Baldwin MN LLC
Email: [email protected]
Website: https://opengander.com
For data protection inquiries, contact us at [email protected].