Privacy Policy — Pomelo Analytics

Last updated: December 31, 2025

This policy explains how Pomelo Analytics (“Pomelo”, “we”) processes data:

  1. when you visit pomeloanalytics.com and its subdomains,
  2. when you use the Pomelo Dashboard,
  3. when you browse a website or app that uses Pomelo Analytics to measure its audience.

1) Identity and contact

Pomelo Analytics (a French company)
Full legal information is available in our Legal Notice.

Privacy / data rights contact: privacy@pomeloanalytics.com
Support: support@pomeloanalytics.com


2) Pomelo commitments (privacy-first)

Pomelo is built and operated to deliver useful audience statistics without tracking people:

  • No cookies and no local storage (localStorage/sessionStorage) for audience measurement.
  • No persistent identifiers: no recognition of a visitor from one day to the next.
  • No cross-site tracking: data is strictly isolated per website/app.
  • No profiling, no targeted advertising, no sale of data.
  • Data minimization and aggregated statistics by default.
  • Do Not Track (DNT) is enforced by default.
  • An opt-out mechanism is available and durably enforced (Section 12).

3) GDPR roles: controller / processor

3.1 Audience measurement for customer websites/apps (Pomelo as Processor)

When a website/app (the “Customer”) uses Pomelo:

  • the Customer is the Controller,
  • Pomelo is the Processor: processing is strictly limited to providing the audience measurement service, under the Customer’s instructions and our Data Processing Agreement (DPA).

3.2 Account, Dashboard, support, security (Pomelo as Controller)

For account management, Dashboard access, support, and security:

  • Pomelo acts as Controller.

4) Cookies, local storage, trackers

4.1 On websites/apps instrumented with Pomelo

Pomelo measures audience without cookies and without local storage (localStorage/sessionStorage). Pomelo does not use advertising identifiers (IDFA/AAID) and does not enable retargeting.

4.2 On pomeloanalytics.com and the Dashboard

The website and Dashboard use only mechanisms strictly necessary for operation, authentication, and security. No advertising trackers are used.


5) Cookieless audience measurement: how it works

5.1 City-level location (via CloudFront)

Geolocation (up to city level when available) comes from CloudFront geolocation headers. Pomelo stores only these fields (city/region/country) to produce aggregated statistics.

5.2 IP address: processing and storage

  • IP addresses transit at the network layer (normal Internet operation).
  • Pomelo’s audience dataset never stores IP addresses in clear text.
  • For session deduplication (Section 5.3), Pomelo uses an IP truncated immediately before any storage and then cryptographically transformed; the IP address is not retained in the dataset.

5.3 Ephemeral session identifier (≤ 4 hours)

To count sessions and prevent duplicate events within a short window, Pomelo computes an ephemeral session identifier:

  • maximum duration: 4 hours,
  • isolated per website/app,
  • non-persistent,
  • no storage on the user’s device,
  • used only for statistics and anti-duplication.

Pomelo does not implement durable fingerprinting (no stable recognition over time).


6) Data processed

6.1 Audience data (visitors of customer websites/apps)

Depending on the Customer configuration, Pomelo processes only audience measurement data:

  • visited page/screen (URL/path, no form contents),
  • timestamp,
  • referrer (optional),
  • location (city/region/country),
  • technical categories (device type, browser, OS),
  • configured events (pageview, conversion, etc.) without direct identifiers,
  • ephemeral session identifier (≤ 4h).

Not collected by design: name, email, phone number, typed contents, sensitive data, advertising identifiers, session replay, keystroke capture.

Customer obligation: configure URLs and events so that personal data is never sent to Pomelo (e.g., URL parameters containing an email, a nominative identifier, or form field contents).

6.2 Account data (Pomelo users)

  • email (account identifier),
  • organization, roles, and settings,
  • subscription/billing information necessary to perform the contract,
  • security logs (authentication, security events).

6.3 Support data

  • support exchanges and associated metadata.

7.1 Audience measurement (Pomelo as Processor)

Purpose: audience and performance analytics and technical diagnostics, exclusively for the Customer.
Legal basis: determined by the Customer.

7.2 Account/Dashboard (Pomelo as Controller)

  • Contract performance: providing the service, managing the account and subscription.
  • Legal obligations: accounting and invoicing.
  • Legitimate interests: security, prevention of fraud/abuse, operational reliability.

8) Retention periods

Pomelo applies strict retention periods suited to statistical and security purposes:

  • Ephemeral session identifier: 4 hours maximum.
  • Raw audience data: 25 months maximum, then deletion and/or aggregation.
  • Aggregated statistics: retained for time-series analysis (without identifying visitors).
  • Account data: retained for the duration of the contractual relationship, then archived/deleted in line with legal obligations.
  • Security logs: limited retention with restricted access (Section 11).

9) Recipients and subprocessors (published list)

Pomelo does not sell data and does not share it for advertising purposes.

Pomelo uses the following subprocessors:

  1. Amazon Web Services (AWS) — Europe
     Purposes: hosting (EU — Sweden/Stockholm), CDN (CloudFront), DNS (Route 53), transactional emails (Amazon SES), and required infrastructure services.
     Entity: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg.

  2. Mailjet
     Purpose: sending newsletter/marketing emails to people who voluntarily subscribe.
     Address: 43 rue de Dunkerque, 75010 Paris, France.

  3. Sentry (EU) — Dashboard only
     Purposes: technical performance monitoring, crash reporting, and error logging for the Dashboard (not the tracking script).
     Configuration: EU-region storage and minimization settings (scrubbing/filtering).

  4. Polar (payments)
     Purposes: payment handling and, depending on configuration, subscription creation/linking.
     Data concerned: data necessary for subscription (e.g., email, plan identifiers, payment status).
     (Contractual payment details are described in the Terms/Subscription Terms and Polar documentation.)


10) International data transfers outside the EU/EEA

Audience data is hosted in the European Union (Sweden/Stockholm). Where transfers of personal data outside the EU/EEA may occur within the meaning of the GDPR (notably via certain providers established outside the EU/EEA or covered by an organization located outside the EU/EEA), such transfers are governed by recognized mechanisms:

  • an adequacy decision where applicable (e.g., the EU–US Data Privacy Framework for certified entities), and/or
  • the European Commission’s Standard Contractual Clauses (SCCs).

AWS provides a GDPR DPA including SCCs (2021/914) and indicates Data Privacy Framework coverage via Amazon.com, Inc. Information on applicable safeguards can be requested at privacy@pomeloanalytics.com.


11) Infrastructure and security logging

Pomelo enforces a strict separation:

  • Audience dataset: no clear-text IP addresses, no raw user-agent storage, aggregation-oriented.
  • Security logs: used only to protect the service (abuse, attacks, fraud) and investigate incidents.

Operational policy:

  • By default, Pomelo does not continuously retain detailed edge access logs containing IP addresses (e.g., CloudFront access logs).
  • Security relies on metrics, alerts, and controls (e.g., WAF/rate limiting rules, traffic anomaly detection).
  • In case of an incident, detailed logs may be enabled temporarily, then sanitized (removal/masking of identifying elements) before retention and purged on a short schedule, with restricted “break-glass” access.

12) Opt-out and Do Not Track

12.1 Opt-out

Visitors can opt out of audience measurement via an opt-out mechanism provided by the Customer (a link/button in the Customer’s privacy policy). The opt-out is stored via a first-party opt-out preference cookie and results in a complete stop of collection on that website/app.

12.2 Do Not Track (DNT)

When the browser transmits the Do Not Track signal, Pomelo does not measure audience for that visitor. DNT is enforced by default.


13) Security

Pomelo implements appropriate technical and organizational measures, including:

  • TLS encryption in transit,
  • strict access control (least privilege) and auditability,
  • logical tenant separation,
  • secure secrets management,
  • monitoring and alerting,
  • incident response procedures.

14) Your rights

14.1 Pomelo account users

You may exercise applicable GDPR rights (access, rectification, erasure, restriction, objection, portability where applicable). Contact: privacy@pomeloanalytics.com.

14.2 Visitors of a customer website/app

The Controller is the website/app you visited (the Customer). Requests should be addressed to them first. Pomelo assists the Customer under the DPA where needed.


15) Contact and complaints

Privacy / data rights: privacy@pomeloanalytics.com

You may also lodge a complaint with the competent supervisory authority (e.g., the CNIL in France).


16) Changes

Any update to this policy is published with its “last updated” date. Material changes are communicated in the Dashboard when they affect how processing is understood.