Privacy Policy
Last updated: May 28 2025
1 Who We Are
OverpoweredJS (“OPJS”, “we”, “our”) is a browser-fingerprinting and bot-intelligence service operated by Joe Rutkowski, 123 Windermere Ave #192, Greenwood Lake, NY 10925, USA.
Joe Rutkowski — Proprietor support@overpoweredjs.com
2 Scope
This Policy applies when you:
- visit overpoweredjs.com (“Site”);
- load our client script or SDK from
cdn.overpoweredjs.com; - call our API at
api.ovpjs.com; - create a developer account (Firebase Auth / Firestore) to obtain API keys;
- receive support, billing or marketing communications.
It does not cover third-party sites that integrate OPJS; those sites manage their own privacy practices.
3 What We Collect
| Category | Typical data points | Source |
|---|---|---|
| Device & Browser Signals | UA string, screen size, WebGL/WebRTC/Canvas outputs, JS-API behaviour, fonts, timezone, language, OS hints | SDK |
| Network Data | IP, port, ASN, coarse geo, proxy/VPN/Tor flags | Browser + ipapi.is (Standard) or MaxMind (Advanced) |
| Unique IDs | clusterUUID, request/response hashes, auth tokens | Generated |
| Usage & Telemetry | API key, plan tier, call volume, error logs, timings | Generated |
| Account & Billing | Name, company, email, address, Stripe token (no card PAN) | You |
| Support & Comms | Emails, chat threads, GitHub issues | You |
We do not intentionally collect special-category data (GDPR Art 9). If you transmit such data you must have a lawful basis.
4 Why We Use Personal Data
| Purpose | Legal basis (GDPR / UK GDPR) | CPRA category |
|---|---|---|
| Detect, deter & investigate bots/fraud | Legitimate interests Art 6 (1)(f) | Security / fraud-prevention |
| Provide SDK, API, dashboard | Contract performance Art 6 (1)(b) | Service-provider |
| Improve accuracy, debug, improve methodology | Legitimate interests | — |
| Enforce Terms, protect rights | Legitimate interests | — |
| Geo controls, sanctions compliance | Legal obligation Art 6 (1)(c) | — |
| Billing & accounting | Contract; Legal obligation | — |
| Support communications | Legitimate interests; Contract | — |
| Marketing emails (opt-in) | Consent Art 6 (1)(a) | — |
We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art 22).
5 Storage Mechanisms, Browser Signals & GPC
-
Storage. The SDK writes a small first-party entry in
localStorageto assist in identifying a browser.localStoragepersists until you clear site data or the browser purges it (behaviour varies by browser, private mode, or OS storage pressure).- We set no third-party cookies and no identifiers for cross-context advertising.
-
Global Privacy Control (GPC). Because OPJS is a security / fraud-prevention service that neither “sells” nor “shares” data for advertising, GPC signals do not alter our processing. Integrators remain responsible for ensuring they have a lawful basis to invoke OPJS; if their own obligations require honouring GPC, they must refrain from sending personal data to us when prohibited.
6 How We Share Personal Data
| Recipient | Purpose | Location | Safeguards & Certifications |
|---|---|---|---|
| Firebase (Google Cloud) | Auth, Analytics, Firestore | EU primary; Google LLC (US) support | SCCs; Google EU-U.S. DPF; ISO 27001, SOC 2 Type II |
| ipapi.is | IP intelligence (Standard) | EU (Germany) | EU-only processing; GDPR DPA |
| MaxMind, Inc. | IP intelligence (Advanced) | USA | EU-U.S. DPF; SCCs; SOC 2 / ISO 27001 hosting |
| Cloudflare, Inc. | CDN & DDoS | Global | SCC-backed DPA; EU-U.S. DPF; ISO 27001, SOC 2 |
| Stripe | Payments | EU (Ireland) & US | EU-U.S. DPF; SCCs; PCI DSS L1; SOC 2 |
| DigitalOcean, LLC | Hosting (NYC datacenter) | USA | EU-U.S. DPF; SCCs; SOC 2; ISO 27001 |
We do not sell or share personal data for advertising.
7 International Transfers
For EU/UK data we rely on:
- Standard Contractual Clauses (2021) and/or
- vendor EU-U.S. Data Privacy Framework certifications; plus
- TLS 1.3 in transit, AES-256 at rest.
8 Data Retention & Deletion Rights
| Data type | Default retention | Rationale |
|---|---|---|
Fingerprint models, clusterUUIDs, raw logs | Indefinite — reviewed annually | Needed for long-horizon fraud; exempt from erasure under GDPR Art 17 (3)(b)(d) & CPRA §1798.105(d) |
| Account & billing | 7 years | Statutory bookkeeping |
| Support tickets | 3 years | Operational history |
Deletion requests → we pseudonymise, retain only what’s essential for security, and explain any partial refusal.
9 Your Rights
- EEA/UK — access, rectification, erasure (subject to § 8), restriction, objection, portability, withdraw consent.
- California & other U.S. states — know, access, delete, correct; opt-out of sale/share (not applicable).
Email support@overpoweredjs.com. We verify identity and respond within the legal timeframe.
10 Security
- TLS 1.3 & HSTS
- AES-256 encryption at rest
- Cloudflare WAF / DDoS protection
- Regular internal code reviews & patching
- Encrypted off-site backups
11 Children
OPJS is not directed to children under 13. Contact us for prompt deletion if a child’s data is discovered.
12 Policy Updates
Material changes announced ≥ 14 days in advance via dashboard banner or email.
13 Contact
Joe Rutkowski — Privacy
123 Windermere Ave #192, Greenwood Lake, NY 10925, USA
support@overpoweredjs.com