Privacy Policy
Last updated: November 15, 2025
Effective: November 30, 2025
Annexed to and forming part of the OverpoweredJS Terms of Service.
1 Who We Are
OverpoweredJS ("OPJS", "we", "our") is a browser-fingerprinting and bot-intelligence service operated by OverpoweredJS, LLC, 418 Broadway STE N, Albany, NY 12207 USA.
2 Scope
This Policy applies when you:
- visit overpoweredjs.com ("Site");
- load our client script or SDK from cdn.overpoweredjs.com;
- call our API at api.ovpjs.com;
- create a developer account (Firebase Auth / Firestore) to obtain API keys;
- receive support, billing or marketing communications.
It does not cover third-party sites that integrate OPJS; those sites manage their own privacy practices.
3 What We Collect
| Category | Typical data points | Source |
|---|---|---|
| Device & Browser Signals | UA string, screen size, WebGL/WebRTC/Canvas outputs, JS-API behaviour, fonts, timezone, language, OS hints | SDK |
| Network Data | IP, port, ASN, coarse geo, proxy/VPN/Tor flags | Browser + Synthient (Standard) or MaxMind (Advanced) |
| Unique IDs | clusterUUID, request/response hashes, auth tokens | Generated |
| Usage & Telemetry | API key, plan tier, call volume, error logs, timings | Generated |
| Account & Billing | Name, company, email, address, Stripe token (no card PAN) | You |
| Support & Comms | Emails, chat threads, GitHub issues | You |
We do not intentionally collect special-category data (GDPR Art 9). If you transmit such data you must have a lawful basis.
4 Why We Use Personal Data
| Purpose | Legal basis (GDPR / UK GDPR) | CPRA category |
|---|---|---|
| Detect, deter & investigate bots/fraud | Legitimate interests Art 6 (1)(f) | Security / fraud-prevention |
| Provide SDK, API, dashboard | Contract performance Art 6 (1)(b) | Service-provider |
| Improve accuracy, debug, improve methodology | Legitimate interests | — |
| Enforce Terms, protect rights | Legitimate interests | — |
| Geo controls, sanctions compliance | Legal obligation Art 6 (1)(c) | — |
| Billing & accounting | Contract; Legal obligation | — |
| Support communications | Legitimate interests; Contract | — |
| Marketing emails (opt-in) | Consent Art 6 (1)(a) | — |
We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art 22).
5 Storage Mechanisms, Browser Signals & GPC
- Storage. The SDK stores a first-party identifier to help recognize a browser across requests. We currently write the value in these locations:
  - First-party cookie → __opjs_id.
  - localStorage → __opjs_id (current).
  - localStorage → __opjs (legacy; retained for backward compatibility).
  localStorage persists until you clear site data or the browser purges it (behaviour varies by browser, private mode, or OS storage pressure). First-party cookies persist for at most 400 days; however, cookie persistence and availability depend on browser policies, with some browsers limiting cookie lifetimes to as little as 7 days. We set no third-party cookies and no identifiers for cross-context advertising.
- Global Privacy Control (GPC). Because OPJS is a security / fraud-prevention service that neither "sells" nor "shares" data for advertising, GPC signals do not alter our processing. Integrators remain responsible for ensuring they have a lawful basis to invoke OPJS; if their own obligations require honouring GPC, they must refrain from using our service when prohibited.
Site tags on overpoweredjs.com (ads, analytics & support)
These technologies run only on our marketing site (overpoweredjs.com) and are not part of the OPJS SDK/API or our customers' sites.
| Technology (controller) | What it does | Typical data | CPRA category | Legal basis (EEA/UK) |
|---|---|---|---|---|
| Google Tag Manager (Google) | Loads and manages tags; itself does not set cookies | page URL, events used to trigger tags | — | Legitimate interests |
| Google Analytics 4 | Site analytics & performance measurement | page views/events, approximate location, device/browser info; cookies such as _ga, _ga_*, _gid | Analytics | Consent |
| Google Ads (gtag AW-17480904346) | Ad conversion measurement (and related analytics) | page/pixel events, ad click IDs; cookies such as _gcl_* | "Sharing" for cross-context ads | Consent |
| LinkedIn Insight Tag (PID 8019156) | Ad conversion & campaign analytics | page views, IP, LinkedIn cookie IDs | "Sharing" for cross-context ads | Consent |
| Stripe (js.stripe.com/basil/stripe.js) | Payment & billing UX; fraud prevention | device/browser identifiers; cookies such as __stripe_sid, __stripe_mid | Service provider | Contract / Legitimate interests |
| Tawk.to live chat | Live chat support | chat content, browser info, IP address | Service provider | Legitimate interests / Consent (where required) |
Opt-outs & controls. Use the on-site Cookie Settings to control Analytics and Advertising categories; where consent is required, these tags only load after you opt in, and if you opt out we prevent non-essential tags from firing. You can also use partner controls (e.g., Google Ads settings, LinkedIn ad preferences) or platform-level choices (NAI/DAA). These site tags do not write OPJS identifiers and do not affect customers' integrations.
6 How We Share Personal Data
| Recipient | Purpose | Location | Safeguards & Certifications |
|---|---|---|---|
| Google LLC / Firebase (Google Cloud) | Auth, Analytics, Firestore | EU primary; Google LLC (US) support | SCCs; EU-U.S. DPF (Google LLC)¹; ISO/IEC 27001; SOC 2 Type II; PCI DSS (GCP infra) |
| Synthient LLC | IP intelligence (Standard) | USA | DPA; SCCs; EU-U.S. DPF |
| MaxMind, Inc. | IP intelligence (Advanced) | USA | EU-U.S. DPF; SCCs; data-center attestations (SOC 2 / ISO 27001) |
| Cloudflare, Inc. | CDN & DDoS | Global | SCC-backed DPA; EU-U.S. DPF; ISO/IEC 27001; SOC 2 Type II; PCI DSS; Global CBPR & Global PRP |
| Stripe, Inc. | Payments | EU (Ireland) & US | EU-U.S. DPF; SCCs; PCI DSS Level 1; SOC 1 & SOC 2 Type II (no public ISO 27001 certification) |
| Google Ireland Ltd. | Analytics (GA4), Ads conversion, Tag Manager | EU & Global | SCCs; ISO/IEC 27001 (Ads/Analytics/Tag Manager); transfers to Google LLC covered by EU-U.S. DPF¹ |
| LinkedIn Ireland Unlimited Company | Ad conversion & campaign analytics | EU & US | SCCs; transfers to LinkedIn Corporation covered by EU-U.S. DPF |
| tawk.to inc. | Live chat support | Global | DPA; SCCs; EU-U.S. DPF |
| DigitalOcean Holdings, Inc. | Hosting (NYC datacenter) | USA | EU-U.S. DPF; SCCs; SOC 2 Type II |
¹ DPF participation is at the U.S. entity level (e.g., Google LLC) and is relied upon for transfers from EU/UK to the U.S.; the EU entity (e.g., Google Ireland) itself isn't DPF-certified.
We do not sell personal data. On overpoweredjs.com only, we may share limited site-usage data with ad partners (Google, LinkedIn) for conversion measurement and campaign analytics; see § 5 "Site tags...".
7 International Transfers
For EU/UK data we rely on:
- Standard Contractual Clauses (2021) and/or
- vendor EU-U.S. Data Privacy Framework certifications; plus
- TLS 1.3 in transit, AES-256 at rest.
8 Data Retention & Deletion Rights
| Data type | Default retention | Rationale |
|---|---|---|
| Fingerprint models, clusterUUIDs, raw logs | 12-24 months (longer only for specific security incidents or legal claims; reviewed annually) | Fraud & security (GDPR Art. 5(1)(e) storage-limitation; Recital 49 strictly necessary & proportionate; Art. 17(3)(5) legal-claims carve-out) |
| Account & billing | 7 years | Statutory bookkeeping |
| Support tickets | 24 to 36 months | Operational history |
Deletion requests: We minimize and pseudonymise where possible. If we must retain limited data for security/incident handling or legal claims, we explain the scope and basis; otherwise we erase. (Under CCPA/CPRA we may deny deletion where reasonably necessary and proportionate to help ensure security/integrity or to detect/resist fraud/illegal acts.)
9 Your Rights
- EEA/UK — access, rectification, erasure (subject to § 8), restriction, objection, portability, withdraw consent.
- California & other U.S. states — know, access, delete, correct; opt-out of sale/share (not applicable).
Email support@overpoweredjs.com. We verify identity and respond within the legal timeframe.
10 Security
- TLS 1.3 & HSTS
- AES-256 encryption at rest
- Cloudflare WAF / DDoS protection
- Regular internal code reviews & patching
- Encrypted off-site backups
11 Children
OPJS is not directed to children under 13. Contact us for prompt deletion if a child's data is discovered.
12 Policy Updates
Material changes announced ≥ 14 days in advance via dashboard banner or email.
13 Contact
OverpoweredJS, LLC
Joe Rutkowski — Privacy
418 Broadway STE N, Albany, NY 12207 USA