Leakeo

Privacy Policy

Effective: 1 March 2026
Last updated: 2 April 2026

Introduction

Leakeo ("we", "our", "us") operates the Leakeo platform — a revenue monitoring and incident detection service for ecommerce businesses. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under applicable data protection law.

By using Leakeo, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the platform.

Who we are

Leakeo is an independent software product. For all data protection enquiries, use the in-app support form within your Leakeo dashboard or the contact form.

What we do not track

We do not collect analytics, tracking, or any personal data from visitors to the leakeo.com marketing website. If you browse leakeo.com without signing up, nothing about your visit is recorded or stored by us.

Our data collection applies only to:

  • Users who create a Leakeo account (see account data below).
  • Visitors to your ecommerce store, when you install the Leakeo tracking script or connect Stripe/Shopify webhooks (you are the data controller for this data).

Data we collect

We collect two distinct categories of data:

1. Leakeo account data (you are the data subject)

When you create and use a Leakeo account, we collect:

  • Account information: name, email address, company name, industry, team size, role, and goals provided during onboarding.
  • Billing information: Stripe customer ID, subscription plan, subscription status, billing history. We do not store payment card numbers — these are handled entirely by Stripe.
  • Usage data: pages you view within the Leakeo dashboard, session identifiers, last active timestamp, feature interactions (e.g. copying embed code, connecting integrations). This is used for internal product analytics.
  • Support data: messages or information you send via the in-app support form.
  • Technical data: IP address (not stored beyond request handling), browser type, and device type for security and error logging purposes.

2. Your customers' data (you are the data controller; we are the processor)

Leakeo processes behavioural and transactional event data from your store on your behalf. The tracking script (v5) collects the following categories of data from your store visitors:

Cookies and local storage

  • _lk_vid (first-party cookie, 2-year expiry): a randomly generated UUID used to recognise returning visitors across sessions. This cookie is only set when consent is given. If your tracking script includes the data-consent="false" attribute, a session-only visitor ID is stored in sessionStorage instead (see GDPR consent support below). This identifier is not derived from personal information and cannot identify a specific individual.
  • _lk_uid (localStorage): a user identifier set via the window.leakeo.identify() API, used for cross-device user linking. Only present when explicitly set by your store's code.

Session storage

The following keys are stored in sessionStorage and do not persist beyond the browser session:

  • _lk_sid — session ID
  • _lk_sent — event deduplication set
  • _lk_pc — page count within the session
  • _lk_ss — session start timestamp
  • _lk_utm — UTM parameters, referrer hostname, screen dimensions, viewport dimensions, language, and connection type
  • _lk_type — detected site type (ecom, saas, or unknown)
  • _lk_vid_nc — no-consent visitor ID (only present when data-consent="false" is set)

Event types

The tracking script collects the following event types from your store visitors. Full page URLs (including query parameters) are transmitted as part of each event.

  • Core funnel events: page_view, product_view, begin_checkout, checkout_view, purchase (with auto-extracted order value and currency), checkout_form_complete.
  • Ecommerce behavioural events: add_to_cart, variant_select, add_to_wishlist, product_compare, upsell_click.
  • Search events: search_query (with query text, truncated to 100 characters).
  • Form interaction events: form_start and form_abandon. These record which field names were interacted with, time spent on the form, and the last field before abandonment. Field values are never collected.
  • Engagement events: a per-page behavioural summary including scroll depth, active time on page, click categories, section visibility times, rage click count, and rage click targets.
  • Session summary events: session_end, including total active time, average scroll depth, click breakdown, form interaction statistics, search count, JavaScript error count, and the last 3 error messages.
  • SaaS behavioural events: trial_signup, pricing_engage (with per-plan visibility times), cancel_intent, cancel_confirmed, cancel_saved, subscription_change, demo_request.
  • Identity events: identify (for cross-device user linking via window.leakeo.identify()).

Server-side enrichment

The following data points are derived server-side from request headers and are not sent by the visitor's browser:

  • Device type (mobile or desktop), browser family, and OS family — derived from the User-Agent header.
  • Bot detection — derived from the User-Agent header.
  • Traffic source classification (organic, paid, social, email, campaign, referral, or direct) — derived from UTM parameters and the referrer header.

Webhook data (from Stripe and Shopify — not from visitors)

If you connect Stripe or Shopify integrations, we receive revenue and subscription data directly from those platforms via signed webhooks:

  • Order IDs, transaction amounts (gross and net), and currencies.
  • Refund amounts and chargeback amounts.
  • Subscription lifecycle events: creation, trial start, trial conversion, upgrade, downgrade, and cancellation (including cancellation reason and feedback).
  • MRR (monthly recurring revenue) changes.
  • Hashed customer identifiers (SHA-256, first 16 hexadecimal characters only). We do not store plaintext customer email addresses, names, or payment details from your store.
  • New customer counts (Shopify).

What we do not collect from your store visitors

  • Customer names, email addresses, phone numbers, or payment details.
  • Form field values (only field names and types are recorded).
  • Exact page content or DOM snapshots.
  • IP addresses are not stored — they are used only for rate limiting and then discarded.
  • No third-party cookies and no cross-site tracking.
  • No advertising or marketing cookies.

You are the data controller for this data. We process it solely to provide you with the Leakeo service. The _lk_vid cookie is classified as an analytics cookie and requires consent from your store visitors under GDPR and the ePrivacy Directive. See our Cookie Policy for guidance on your disclosure obligations and our Data Processing Addendum for processing details.

How we collect data

  • Directly from you: when you sign up, complete your profile, or contact support.
  • Through the platform: as you navigate the Leakeo dashboard, we record usage events to improve the product.
  • Via our tracking script: a JavaScript snippet you install on your store sends behavioural and transactional event data to Leakeo servers. The script automatically detects your site type and collects relevant events as described above.
  • Via webhooks: if you connect Stripe or Shopify, we receive revenue, refund, chargeback, and subscription lifecycle data from those platforms via signed webhooks.
  • From third parties: Stripe provides billing and subscription data.

Legal bases for processing

| Purpose | Legal basis |
|---|---|
| Providing the Leakeo service (monitoring, incidents, alerts) | Contract performance |
| Account management and authentication | Contract performance |
| Billing and subscription management | Contract performance and legal obligation |
| Product analytics and service improvement | Legitimate interests (improving our platform) |
| Security monitoring and fraud prevention | Legitimate interests |
| Responding to support requests | Contract performance / legitimate interests |
| Compliance with legal obligations | Legal obligation |

How we share your data

We do not sell your personal data. We share data only with the following parties:

  • Stripe: for billing, subscription management, and payment processing.
  • Google Firebase / Google Cloud: for authentication, database storage (Firestore), and security (App Check). Firebase processes data on our behalf under Google's data processing terms.
  • Vercel: for hosting and serverless compute. Vercel processes request data on our behalf.
  • Legal authorities: where required by law, court order, or to protect the rights and safety of Leakeo, our customers, or others.

A full list of our subprocessors is available at leakeo.com/legal/subprocessors.

International data transfers

Our subprocessors (Google Firebase, Vercel, Stripe) may process data outside your country. Where they do, they rely on Standard Contractual Clauses or other recognised transfer mechanisms. Google Cloud and Stripe maintain GDPR-compliant data processing agreements.

You may request details of the specific safeguards in place via the in-app support form.

Data retention

| Data type | Retention period |
|---|---|
| Raw event data (your store visitors) | 30 days from collection |
| Daily aggregated summaries (counters only, no personal data) | Retained indefinitely |
| Monthly rollup summaries | Retained indefinitely |
| Revenue events (hashed IDs and amounts only) | Retained indefinitely |
| Subscription events | Retained indefinitely |
| Billing and subscription records | 7 years (legal obligation) |
| Account profile data | Duration of account + 30 days after deletion |
| Usage analytics (internal) | 12 months rolling |
| Support tickets | 2 years |
| Security and access logs | 90 days |

Your rights

Depending on applicable law, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: request correction of inaccurate or incomplete data.
  • Erasure: request deletion of your data (subject to legal retention obligations).
  • Restriction: request that we limit how we process your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, submit a request via the in-app support form. We will respond within 30 days.

Cookies and consent

We use a minimal set of cookies. The only cookie set by the Leakeo tracking script is _lk_vid, a first-party analytics cookie with a 2-year expiry. No third-party cookies, advertising cookies, or marketing cookies are used.

GDPR consent support: the tracking script supports a consent-aware mode. When you add the data-consent="false" attribute to the script tag, all cookie creation is deferred until your store visitor grants consent via window.leakeo.consent(). Until consent is given, a session-only visitor ID (stored in sessionStorage) is used instead of the persistent cookie, and up to 50 events are queued in memory and flushed only when consent is provided. If consent is never given during the session, no persistent identifiers are written.

See our Cookie Policy for full details.

Security

We implement technical and organisational measures to protect your data, including HTTPS encryption in transit, Firebase authentication, Firebase App Check for request verification, server-side token validation, and signed webhooks. See our Security & Trust page for details.

No transmission over the internet is 100% secure. While we take reasonable steps to protect your data, we cannot guarantee absolute security.

Children's privacy

Leakeo is a business-to-business service and is not directed at individuals under 18. We do not knowingly collect personal data from children.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the platform after changes constitutes acceptance of the revised policy. We recommend reviewing this page periodically.

Contact

For any questions about this policy or to exercise your data rights, use the in-app support form within your Leakeo dashboard, or the contact form on our website.