Security and privacy are at the core of everything we do at Rybbit. Here's how we protect your data and maintain a secure analytics platform.
Visitor Privacy Protection
Your website visitors' privacy is paramount. Here's how we protect it:
- No cookies or local storage used for tracking
- IP addresses are hashed and anonymized
- User-Agent strings are hashed daily with rotating salts
- Raw visitor data is never stored
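The points above describe a pattern rather than a specific implementation: raw IP and User-Agent are passed through a keyed hash whose salt changes each day, so the same visitor yields a stable token within one day, tokens from different days cannot be joined, and once a day's salt is discarded nobody can recompute or reverse its tokens. The following is an added Python illustration of that model; it is not Rybbit's code, and the function names, the per-day salt store, the HMAC-SHA256 construction and the token format are assumptions made for the example.

```python
"""Daily-rotating salted hashing of visitor identifiers (added example,
not Rybbit's implementation). Day keys are ISO date strings."""
import hashlib
import hmac
import secrets

# Constructed in-memory salt store: one random 32-byte salt per day.
# In a real deployment yesterday's salt is discarded, never persisted.
_salts = {}


def salt_for(day: str) -> bytes:
    """Return the random salt for `day`, generating it on first use."""
    if day not in _salts:
        _salts[day] = secrets.token_bytes(32)
    return _salts[day]


def drop_salt(day: str) -> None:
    """Discard a day's salt so its tokens can no longer be reproduced."""
    _salts.pop(day, None)


def visitor_token(ip: str, user_agent: str, day: str) -> str:
    """Derive an opaque visitor token from raw IP + User-Agent for `day`.

    HMAC with the daily salt as key: without the salt the token cannot be
    linked back to its inputs, and tokens for different days do not match.
    Only the returned token needs to be stored; the raw inputs are dropped.
    """
    msg = f"{ip}\x00{user_agent}".encode()
    return hmac.new(salt_for(day), msg, hashlib.sha256).hexdigest()


def same_visitor(token_a: str, token_b: str) -> bool:
    """Constant-time comparison of two visitor tokens."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    # Constructed sample visitor (documentation IP range, made-up UA).
    ip, ua = "203.0.113.7", "Mozilla/5.0 (example)"
    t_mon = visitor_token(ip, ua, "2024-01-01")
    t_mon_again = visitor_token(ip, ua, "2024-01-01")
    t_tue = visitor_token(ip, ua, "2024-01-02")
    print("stable within a day:", same_visitor(t_mon, t_mon_again))
    print("linkable across days:", same_visitor(t_mon, t_tue))
    drop_salt("2024-01-01")
    print("reproducible after salt drop:",
          same_visitor(t_mon, visitor_token(ip, ua, "2024-01-01")))
```

The important property is the third one: after `drop_salt`, even the operator holding the stored tokens cannot regenerate them, which is what makes "raw visitor data is never stored" a meaningful guarantee rather than just a storage choice.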
Infrastructure Security
Hosting
Rybbit is hosted on Hetzner servers located in Germany, within the European Union. Hetzner is ISO 27001 certified and provides:
- Physical security at data centers
- DDoS protection
- Redundant infrastructure
- 24/7 monitoring
- EU-based data processing
- Daily backups
Network Security
Our database servers are not accessible on the open internet. They are protected behind private networks with strict firewall rules, ensuring that only authorized application servers can access them. This significantly reduces the attack surface and protects your data from external threats.
External Services
For session replay storage, we use Cloudflare R2 (object storage). Cloudflare is a trusted infrastructure provider with enterprise-grade security. All replay data is encrypted before storage.
User Authentication & Account Security
We take account security seriously:
- Passwords are hashed and salted
- Each password gets a unique salt, so precomputed rainbow tables are useless against stored hashes
- We never store passwords in plain text
- Sessions expire after 14 days of inactivity
- Secure password reset flows
- Account activity monitoring
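To make the first four points concrete, here is an added Python example of per-password salting with a slow key derivation function, constant-time verification, and an inactivity check matching the 14-day session window. This is not Rybbit's code; the `salt$hash` record layout, the PBKDF2 parameters and the function names are assumptions chosen for the illustration.

```python
"""Per-password salts and inactivity-based session expiry (added example,
not Rybbit's implementation)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000          # assumed work factor for the example
SESSION_IDLE_LIMIT = 14 * 24 * 3600  # seconds: "14 days of inactivity"


def hash_password(password: str) -> str:
    """Return a storable 'salt$hash' record (both hex-encoded).

    A fresh 16-byte random salt per password means two users with the same
    password get different records, and a rainbow table precomputed for
    unsalted hashes matches nothing. PBKDF2-HMAC-SHA256 is used here because
    it is always available in the standard library; a memory-hard KDF such
    as scrypt or Argon2 is the stronger choice in production.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and compare in
    constant time, so timing does not leak how many bytes matched."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex),
                                 PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def session_is_valid(last_activity: int, now: int) -> bool:
    """A session stays valid only while its last activity is within the
    idle window; a clock that moved backwards is treated as invalid."""
    return 0 <= now - last_activity <= SESSION_IDLE_LIMIT


if __name__ == "__main__":
    # Constructed sample: the same password enrolled twice.
    r1, r2 = hash_password("correct horse"), hash_password("correct horse")
    print("records differ despite same password:", r1 != r2)
    print("verify good:", verify_password("correct horse", r1))
    print("verify bad:", verify_password("wrong", r1))
    print("session at day 14:", session_is_valid(0, SESSION_IDLE_LIMIT))
    print("session past day 14:", session_is_valid(0, SESSION_IDLE_LIMIT + 1))
```

Note that nothing about the plaintext password is stored: the record holds only the salt and the derived key, and verification works by re-deriving rather than decrypting.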
Data Ownership & Control
You have complete control over your data:
- You own 100% of your website analytics data
- You can delete your account and all associated data at any time
- You can delete individual sites and their data
Data Deletion
After cancellation or downgrade to free tier, your analytics data will be permanently deleted within 60 days. We recommend exporting your data before cancellation if you wish to retain it. Once deleted, data cannot be recovered.
Payment Security
We never store your payment details. All payment processing is handled by PCI DSS compliant payment processors (Stripe). Your credit card information goes directly to the payment processor and never touches our servers.
Open Source & Transparency
Rybbit is fully open source, which means:
- Our entire codebase is publicly available on GitHub
- Security researchers can audit our code
- We receive community security feedback
- Vulnerabilities are disclosed responsibly
- Regular software updates and security patches
Continuous Monitoring & Updates
We maintain a secure platform through:
- Continuous infrastructure monitoring
- Regular security updates and patches
- Comprehensive automated testing
- Public changelog of all updates
- Dependency vulnerability scanning
Compliance
Rybbit is designed to help you comply with privacy regulations:
- GDPR compliant (no personal data collection)
- CCPA compliant
- PECR compliant (no cookie consent needed)
- Can be used without cookie banners in most jurisdictions
Vulnerability Disclosure
If you discover a security vulnerability in Rybbit, please report it responsibly:
- Email us at hello@rybbit.io
- Provide detailed information about the vulnerability
- Allow us reasonable time to address the issue before public disclosure
- We will acknowledge your contribution publicly (unless you prefer to remain anonymous)
Questions?
If you have any questions about our security practices, please contact us at hello@rybbit.io.