Privacy Policy

Last updated: May 28 2025

1 Who We Are

OverpoweredJS (“OPJS”, “we”, “our”) is a browser-fingerprinting and bot-intelligence service operated by Joe Rutkowski, 123 Windermere Ave #192, Greenwood Lake, NY 10925, USA.

Joe Rutkowski — Proprietor
support@overpoweredjs.com


2 Scope

This Policy applies when you:

  • visit overpoweredjs.com (“Site”);
  • load our client script or SDK from cdn.overpoweredjs.com;
  • call our API at api.ovpjs.com;
  • create a developer account (Firebase Auth / Firestore) to obtain API keys;
  • receive support, billing or marketing communications.

It does not cover third-party sites that integrate OPJS; those sites manage their own privacy practices.


3 What We Collect

| Category | Typical data points | Source |
|---|---|---|
| Device & Browser Signals | UA string, screen size, WebGL/WebRTC/Canvas outputs, JS-API behaviour, fonts, timezone, language, OS hints | SDK |
| Network Data | IP, port, ASN, coarse geo, proxy/VPN/Tor flags | Browser + ipapi.is (Standard) or MaxMind (Advanced) |
| Unique IDs | clusterUUID, request/response hashes, auth tokens | Generated |
| Usage & Telemetry | API key, plan tier, call volume, error logs, timings | Generated |
| Account & Billing | Name, company, email, address, Stripe token (no card PAN) | You |
| Support & Comms | Emails, chat threads, GitHub issues | You |

We do not intentionally collect special-category data (GDPR Art 9). If you transmit such data you must have a lawful basis.


4 Why We Use Personal Data

| Purpose | Legal basis (GDPR / UK GDPR) | CPRA category |
|---|---|---|
| Detect, deter & investigate bots/fraud | Legitimate interests Art 6 (1)(f) | Security / fraud-prevention |
| Provide SDK, API, dashboard | Contract performance Art 6 (1)(b) | Service-provider |
| Improve accuracy, debug, improve methodology | Legitimate interests | |
| Enforce Terms, protect rights | Legitimate interests | |
| Geo controls, sanctions compliance | Legal obligation Art 6 (1)(c) | |
| Billing & accounting | Contract; Legal obligation | |
| Support communications | Legitimate interests; Contract | |
| Marketing emails (opt-in) | Consent Art 6 (1)(a) | |

We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art 22).


5 Storage Mechanisms, Browser Signals & GPC

  • Storage. The SDK writes a small first-party entry in localStorage to assist in identifying a browser.

    • localStorage persists until you clear site data or the browser purges it (behaviour varies by browser, private mode, or OS storage pressure).
    • We set no third-party cookies and no identifiers for cross-context advertising.
  • Global Privacy Control (GPC). Because OPJS is a security / fraud-prevention service that neither “sells” nor “shares” data for advertising, GPC signals do not alter our processing. Integrators remain responsible for ensuring they have a lawful basis to invoke OPJS; if their own obligations require honouring GPC, they must refrain from sending personal data to us when prohibited.


6 How We Share Personal Data

| Recipient | Purpose | Location | Safeguards & Certifications |
|---|---|---|---|
| Firebase (Google Cloud) | Auth, Analytics, Firestore | EU primary; Google LLC (US) support | SCCs; Google EU-U.S. DPF; ISO 27001, SOC 2 Type II |
| ipapi.is | IP intelligence (Standard) | EU (Germany) | EU-only processing; GDPR DPA |
| MaxMind, Inc. | IP intelligence (Advanced) | USA | EU-U.S. DPF; SCCs; SOC 2 / ISO 27001 hosting |
| Cloudflare, Inc. | CDN & DDoS | Global | SCC-backed DPA; EU-U.S. DPF; ISO 27001, SOC 2 |
| Stripe | Payments | EU (Ireland) & US | EU-U.S. DPF; SCCs; PCI DSS L1; SOC 2 |
| DigitalOcean, LLC | Hosting (NYC datacenter) | USA | EU-U.S. DPF; SCCs; SOC 2; ISO 27001 |

We do not sell or share personal data for advertising.


7 International Transfers

For EU/UK data we rely on:

  • Standard Contractual Clauses (2021) and/or
  • vendor EU-U.S. Data Privacy Framework certifications; plus
  • TLS 1.3 in transit, AES-256 at rest.

8 Data Retention & Deletion Rights

| Data type | Default retention | Rationale |
|---|---|---|
| Fingerprint models, clusterUUIDs, raw logs | Indefinite — reviewed annually | Needed for long-horizon fraud; exempt from erasure under GDPR Art 17 (3)(b)(d) & CPRA §1798.105(d) |
| Account & billing | 7 years | Statutory bookkeeping |
| Support tickets | 3 years | Operational history |

Deletion requests → we pseudonymise, retain only what’s essential for security, and explain any partial refusal.


9 Your Rights

  • EEA/UK — access, rectification, erasure (subject to § 8), restriction, objection, portability, withdraw consent.
  • California & other U.S. states — know, access, delete, correct; opt-out of sale/share (not applicable).

Email support@overpoweredjs.com. We verify identity and respond within the legal timeframe.


10 Security

  • TLS 1.3 & HSTS
  • AES-256 encryption at rest
  • Cloudflare WAF / DDoS protection
  • Regular internal code reviews & patching
  • Encrypted off-site backups

11 Children

OPJS is not directed to children under 13. Contact us for prompt deletion if a child’s data is discovered.


12 Policy Updates

Material changes announced ≥ 14 days in advance via dashboard banner or email.


13 Contact

Joe Rutkowski — Privacy
123 Windermere Ave #192, Greenwood Lake, NY 10925, USA
support@overpoweredjs.com