Data Processing Addendum
Overview
When you use Leakeo to monitor your ecommerce store or SaaS product, Leakeo processes event data generated by your site visitors on your behalf. In this context:
- You are the data controller — you determine the purposes for which your site visitors' data is collected.
- Leakeo is the data processor — we process that data only as instructed by you, to provide the revenue intelligence service.
This Data Processing Addendum ("DPA") describes the technical and organisational measures Leakeo has implemented to protect data it processes on your behalf.
Data we process on your behalf
Leakeo processes the following categories of data from your site visitors:
Event types
- Core funnel events: page_view, product_view, begin_checkout, checkout_view, purchase (with auto-extracted order value and currency).
- Product interaction events: add_to_cart, variant_select, add_to_wishlist, product_compare, upsell_click.
- Search events: search_query (with query text, max 100 characters).
- Form analytics events: form_start, form_abandon (with field names interacted with, time spent, and last field before abandon — field values are NOT collected).
- Engagement events: engagement (per-page behavioral summary: scroll depth, active time on page, click categories, section visibility durations, rage click count and target selectors).
- Session summary events: session_end (session summary: pages viewed, duration, average scroll depth, total active time, click breakdown, forms started/completed/abandoned, search count, JS error count, error messages).
- SaaS lifecycle events: trial_signup, pricing_engage, cancel_intent, cancel_confirmed, cancel_saved, subscription_change, demo_request, checkout_form_complete.
- Identity events: identify (user ID for cross-device linking).
Visitor identifiers
- A randomly generated visitor identifier (_lk_vid) stored as a first-party cookie on the visitor's browser. This is a UUID with no personal data — it serves only to recognise returning visitors across sessions.
- Hashed customer identifiers for transaction deduplication (plaintext email addresses are not stored).
- User agent strings and session identifiers for bot detection and session deduplication.
Browser context
- Screen width and height.
- Viewport width and height.
- Browser language.
- Connection type (e.g. "4g", "3g").
- Referrer hostname.
- UTM parameters (source, medium, campaign).
Behavioral data
- Scroll depth per page (0–100%).
- Active time per page (milliseconds the page had focus).
- Click classifications (CTA clicks, navigation clicks, product clicks, add-to-cart clicks, other).
- Rage click detection (3+ rapid clicks in same area — count and target CSS selector).
- Section visibility durations (how long page sections are in the viewport).
- Form field names interacted with (NOT form field values).
- Site search queries (text entered in search inputs, max 100 characters).
- JS error count and last 3 error messages (for site health monitoring).
Behavioral data (scroll depth, click patterns, section visibility, rage clicks) is aggregated into daily statistical summaries at the time of collection. The aggregated summaries contain only counters and totals — no individual visitor behavior can be reconstructed from the summary data.
Webhook data
- Stripe: payment amounts, refund amounts, chargeback amounts, subscription lifecycle (creation, trial start/conversion, upgrade, downgrade, cancellation with reason and feedback), MRR amounts, discount amounts, recurring payment failures.
- Shopify: order amounts, refund amounts, order cancellations, new customer counts, discount amounts.
Full page URLs (including query string parameters) are transmitted as part of event data. If your site includes personal data in URL query parameters (such as email addresses or customer names), that data will be transmitted to Leakeo as part of the event payload. We recommend avoiding the inclusion of personal data in URL parameters where possible.
We do not process special categories of personal data (sensitive data) as part of this service. IP addresses are used for rate limiting during request processing but are not stored.
Processing instructions
Leakeo processes data from your site strictly to:
- Detect conversion anomalies, behavioral patterns, and revenue leaks across ecommerce and SaaS funnels.
- Reconcile frontend-tracked events with backend-verified revenue from Stripe/Shopify.
- Provide form analytics, engagement analysis, and site health monitoring.
- Generate incidents, alerts, and analytics reports within your Leakeo dashboard.
- Maintain service integrity and prevent abuse.
We will not use this data for any other purpose, including advertising, profiling, or selling to third parties.
Technical and organisational measures
Leakeo has implemented the following measures to protect data processed on your behalf:
- HTTPS encryption for all data in transit.
- Firebase Firestore data isolation — your data is stored under paths scoped to your unique account identifier and is not accessible by other customers.
- Firebase App Check (reCAPTCHA v3) to verify the integrity of data collection requests.
- Server-side authentication for all API access.
- Signed webhook verification to ensure revenue events originate from legitimate Stripe/Shopify sources.
- Role-based access controls limiting internal access to customer data.
- 30-day automatic deletion of raw event data.
Sub-processors
We engage the following sub-processors to store and process your data:
- Google Firebase / Google Cloud — database and authentication (see Subprocessors page).
- Vercel — serverless hosting and compute.
We will notify you of any intended changes to our sub-processor list by updating the Subprocessors page. You may object to a new sub-processor within 30 days of notification.
Retention and deletion
- Raw events: automatically deleted 30 days after collection.
- Daily summaries: retained indefinitely (aggregated counters, no personal data).
- Monthly rollups: retained indefinitely (aggregated counters, no personal data).
- Revenue events: retained indefinitely (hashed IDs, amounts, and currencies only).
Upon account termination, all remaining data (including summaries, rollups, and revenue events) is deleted within 30 days.
You may request earlier deletion of your site visitors' data by submitting a request via the in-app support form.
Data subject requests
If your site visitors exercise their data rights (such as erasure or access), you are responsible for handling those requests as the data controller. Where Leakeo can assist — for example, by confirming what data we hold or deleting specific records — we will do so upon your written request via the support form, within a reasonable timeframe and at no additional charge.
Full DPA document
A full, signed Data Processing Addendum is available on request for customers on Growth plans and above. If you require a signed DPA for compliance purposes, please submit a request via the in-app support form.
The full DPA includes Standard Contractual Clauses (SCCs) covering international data transfers to our subprocessors.
Contact
For DPA requests or data processing enquiries, use the in-app support form or the contact form.