Privacy Policy
Last updated: October 10 2025
1 Who We Are
OverpoweredJS (“OPJS”, “we”, “our”) is a browser-fingerprinting and bot-intelligence service operated by Joe Rutkowski, 123 Windermere Ave #192, Greenwood Lake, NY 10925, USA.
Joe Rutkowski — Proprietor support@overpoweredjs.com
2 Scope
This Policy applies when you:
- visit overpoweredjs.com (“Site”);
- load our client script or SDK from cdn.overpoweredjs.com;
- call our API at api.ovpjs.com;
- create a developer account (Firebase Auth / Firestore) to obtain API keys;
- receive support, billing or marketing communications.
It does not cover third-party sites that integrate OPJS; those sites manage their own privacy practices.
3 What We Collect
| Category | Typical data points | Source |
|---|---|---|
| Device & Browser Signals | UA string, screen size, WebGL/WebRTC/Canvas outputs, JS-API behaviour, fonts, timezone, language, OS hints | SDK |
| Network Data | IP, port, ASN, coarse geo, proxy/VPN/Tor flags | Browser + ipapi.is (Standard) or MaxMind (Advanced) |
| Unique IDs | clusterUUID, request/response hashes, auth tokens | Generated |
| Usage & Telemetry | API key, plan tier, call volume, error logs, timings | Generated |
| Account & Billing | Name, company, email, address, Stripe token (no card PAN) | You |
| Support & Comms | Emails, chat threads, GitHub issues | You |
We do not intentionally collect special-category data (GDPR Art 9). If you transmit such data you must have a lawful basis.
4 Why We Use Personal Data
| Purpose | Legal basis (GDPR / UK GDPR) | CPRA category |
|---|---|---|
| Detect, deter & investigate bots/fraud | Legitimate interests Art 6 (1)(f) | Security / fraud-prevention |
| Provide SDK, API, dashboard | Contract performance Art 6 (1)(b) | Service-provider |
| Improve accuracy, debug, improve methodology | Legitimate interests | — |
| Enforce Terms, protect rights | Legitimate interests | — |
| Geo controls, sanctions compliance | Legal obligation Art 6 (1)(c) | — |
| Billing & accounting | Contract; Legal obligation | — |
| Support communications | Legitimate interests; Contract | — |
| Marketing emails (opt-in) | Consent Art 6 (1)(a) | — |
We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art 22).
5 Storage Mechanisms, Browser Signals & GPC
- Storage. The SDK stores a first‑party identifier to help recognize a browser across requests. We currently write the value in these locations:
  - First‑party cookie → __opjs_id.
  - First‑party cookie → __opjs_sid.
  - localStorage → __opjs_id (current).
  - localStorage → __opjs (legacy; retained for backward compatibility).
  - localStorage persists until you clear site data or the browser purges it (behaviour varies by browser, private mode, or OS storage pressure).
  - Cookie persistence and availability depend on their configured expiration and browser policies. We set no third‑party cookies and no identifiers for cross‑context advertising.
- Global Privacy Control (GPC). Because OPJS is a security / fraud-prevention service that neither “sells” nor “shares” data for advertising, GPC signals do not alter our processing. Integrators remain responsible for ensuring they have a lawful basis to invoke OPJS; if their own obligations require honouring GPC, they must refrain from using our service when prohibited.
Site tags on overpoweredjs.com (ads, analytics & support)
These technologies run only on our marketing site (overpoweredjs.com) and are not part of the OPJS SDK/API or our customers’ sites.
| Technology (controller) | What it does | Typical data | CPRA category | Legal basis (EEA/UK) |
|---|---|---|---|---|
| Google Tag Manager (Google) | Loads and manages tags; itself does not set cookies | page URL, events used to trigger tags | — | Legitimate interests |
| Google Analytics 4 | Site analytics & performance measurement | page views/events, approximate location, device/browser info; cookies such as _ga, _ga_*, _gid | Analytics | Consent |
| Google Ads (gtag AW‑17480904346) | Ad conversion measurement (and related analytics) | page/pixel events, ad click IDs; cookies such as _gcl_* | “Sharing” for cross‑context ads | Consent |
| LinkedIn Insight Tag (PID 8019156) | Ad conversion & campaign analytics | page views, IP, LinkedIn cookie IDs | “Sharing” for cross‑context ads | Consent |
| Stripe (js.stripe.com/basil/stripe.js) | Payment & billing UX; fraud prevention | device/browser identifiers; cookies such as __stripe_sid, __stripe_mid | Service provider | Contract / Legitimate interests |
| Tawk.to live chat | Live chat support | chat content, browser info, IP address | Service provider | Legitimate interests / Consent (where required) |
Opt‑outs & controls. Use the on‑site Cookie Settings to control Analytics and Advertising categories; where consent is required, these tags only load after you opt in, and if you opt out we prevent non‑essential tags from firing. You can also use partner controls (e.g., Google Ads settings, LinkedIn ad preferences) or platform‑level choices (NAI/DAA). These site tags do not write OPJS identifiers and do not affect customers’ integrations.
6 How We Share Personal Data
| Recipient | Purpose | Location | Safeguards & Certifications |
|---|---|---|---|
| Firebase (Google Cloud) | Auth, Analytics, Firestore | EU primary; Google LLC (US) support | SCCs; Google EU-U.S. DPF; ISO 27001, SOC 2 Type II |
| Synthient | IP intelligence | USA | SCCs + EU-U.S. DPF |
| MaxMind, Inc. | IP intelligence (Advanced) | USA | EU-U.S. DPF; SCCs; SOC 2 / ISO 27001 hosting |
| Cloudflare, Inc. | CDN & DDoS | Global | SCC-backed DPA; EU-U.S. DPF; ISO 27001, SOC 2 |
| Stripe | Payments | EU (Ireland) & US | EU-U.S. DPF; SCCs; PCI DSS L1; SOC 2 |
| Google Ireland Ltd. | Analytics (GA4), Ads conversion, Tag Manager | EU & Global | EU‑U.S. DPF; SCCs |
| LinkedIn Ireland Unlimited Company | Ad conversion & campaign analytics | EU & US | EU‑U.S. DPF; SCCs |
| tawk.to inc. | Live chat support | Global | DPA; SCCs |
| DigitalOcean, LLC | Hosting (NYC datacenter) | USA | EU-U.S. DPF; SCCs; SOC 2; ISO 27001 |
We do not sell personal data. On overpoweredjs.com only, we may share limited site‑usage data with ad partners (Google, LinkedIn) for conversion measurement and campaign analytics; see § 5 “Site tags…”. You can opt out via the Cookie Settings and applicable regional choices.
7 International Transfers
For EU/UK data we rely on:
- Standard Contractual Clauses (2021) and/or
- vendor EU-U.S. Data Privacy Framework certifications; plus
- TLS 1.3 in transit, AES-256 at rest.
8 Data Retention & Deletion Rights
| Data type | Default retention | Rationale |
|---|---|---|
| Fingerprint models, clusterUUIDs, raw logs | Indefinite — reviewed annually | Needed for long-horizon fraud; exempt from erasure under GDPR Art 17 (3)(b)(d) & CPRA §1798.105(d) |
| Account & billing | 7 years | Statutory bookkeeping |
| Support tickets | 3 years | Operational history |
Deletion requests → we pseudonymise, retain only what’s essential for security, and explain any partial refusal.
9 Your Rights
- EEA/UK — access, rectification, erasure (subject to § 8), restriction, objection, portability, withdraw consent.
- California & other U.S. states — know, access, delete, correct; opt-out of sale/share (not applicable).
Email support@overpoweredjs.com. We verify identity and respond within the legal timeframe.
10 Security
- TLS 1.3 & HSTS
- AES-256 encryption at rest
- Cloudflare WAF / DDoS protection
- Regular internal code reviews & patching
- Encrypted off-site backups
11 Children
OPJS is not directed to children under 13. Contact us for prompt deletion if a child’s data is discovered.
12 Policy Updates
Material changes announced ≥ 14 days in advance via dashboard banner or email.
13 Contact
Joe Rutkowski — Privacy
123 Windermere Ave #192, Greenwood Lake, NY 10925, USA
support@overpoweredjs.com