Skip to main content

Overview

Cryptique is designed with privacy in mind. This guide covers data handling practices, compliance features, and how to configure privacy settings for your team.

Data Collection

What Cryptique Collects

Automatically collected:
  • Page views and navigation
  • User interactions (clicks, scrolls, form submissions)
  • Device and browser information
  • Geographic location (approximate, from IP)
  • Session data
  • Wallet connections (when detected)
  • On-chain transactions (for tracked contracts)
Not collected:
  • Form field values (only metadata)
  • Passwords or sensitive credentials
  • Credit card numbers
  • Personal health information
  • Full IP addresses (not stored)

Default Properties

All automatically captured properties are listed in Default Properties. 
What's captured:
├── country: "US" (approximate)
├── city: "San Francisco" (approximate)
├── device_type: "desktop"
├── browser_name: "Chrome"
└── ...

What's NOT captured:
├── IP address (used for geo, then discarded)
├── form_values (only form metadata)
└── sensitive_data

Privacy by Design

IP Address Handling

Cryptique uses IP addresses for geolocation but does not store them: 
Request comes in with IP: 192.168.1.1
├── Geolocation lookup → "San Francisco, US"
├── IP discarded (not stored)
└── Event stored with location only

Data Minimization

We collect only what’s necessary:
  • Element text is truncated (not full page content)
  • Copied text is limited to 100 characters
  • Form values are excluded (only form metadata)
  • Input changes track field names, not values

Pseudonymization

User identifiers are pseudonymous by default: 
Anonymous user: anon_abc123xyz
Identified user: user_provided_id (your choice)
You control what identifying information to associate with users. Wallet addresses follow the same principle: they are stored as pseudonymous identifiers and are only associated with a user profile when the End-User explicitly connects their wallet. See “Wallet Address Handling” below.

Wallet Address Handling

Wallet addresses (e.g. 0x1234...abcd) are stored as-is and are pseudonymous by nature — they identify a wallet, not a named individual, unless the user explicitly links additional identity information (such as an email address via Cryptique.identify()). Important considerations:
  • Blockchain transaction data is publicly available. Anyone can look up a wallet’s history on a block explorer. Cryptique aggregates this public data; it does not expose anything that isn’t already on-chain.
  • Cryptique does not use heuristics or clustering to deanonymize wallets. A wallet address is only linked to a user profile when the End-User explicitly connects their wallet.
  • Under GDPR, wallet addresses may be considered personal data if they can be linked to an identified individual. If your End-Users are in the EEA, ensure your privacy policy discloses wallet address collection and that you have a lawful basis for processing it.
  • Wallet addresses are subject to the same retention periods as other profile data (default 24 months, configurable).
Cryptique can be loaded conditionally based on user consent: 
// Only load after consent
if (userHasConsented()) {
  var script = document.createElement('script');
  script.src = 'https://cdn.cryptique.io/scripts/analytics/1.0.1/cryptique.script.min.js';
  script.setAttribute('site-id', 'YOUR_SITE_ID');
  document.head.appendChild(script);
}

Integration with CMPs

Works with Consent Management Platforms: OneTrust: 
OneTrust.OnConsentChanged(function(e) {
  if (OnetrustActiveGroups.includes('C0002')) {
    // Performance cookies consented - load Cryptique
    loadCryptique();
  }
});
Cookiebot: 
window.addEventListener('CookiebotOnAccept', function(e) {
  if (Cookiebot.consent.statistics) {
    loadCryptique();
  }
});

Data Retention

Retention Periods

Configure how long data is retained:
Data TypeDefault RetentionConfigurable
Events24 monthsYes
User profiles24 monthsYes
Sessions24 monthsYes
Transactions24 monthsYes

Configuring Retention

  1. Go to SettingsPrivacy
  2. Set retention period for each data type
  3. Data older than retention period is automatically deleted
Shorter retention periods reduce storage but limit historical analysis.

Data Access & Export

Who Can Access Data

RoleData Access
Super UserFull access
AdminFull access
UserFull access (configurable)
All data access is logged in the audit trail.

User Data Requests

For GDPR/CCPA data subject requests: Data Export:
  1. Search for user by email, wallet, or ID
  2. View user profile
  3. Export user data as JSON
Data Deletion:
  1. Search for user
  2. Click Delete Profile
  3. Confirm deletion
User deletion is permanent and cannot be undone.

Audit Logging

All significant actions are logged: 
Audit Log:
├── Feb 15, 2:30 PM │ admin@example.com │ Viewed user profile: user_123
├── Feb 15, 2:15 PM │ admin@example.com │ Exported user data: user_456
├── Feb 15, 1:00 PM │ owner@example.com │ Changed retention period to 6 months
├── Feb 14, 4:45 PM │ admin@example.com │ Deleted user profile: user_789
└── ...
Logged actions:
  • User profile views
  • Data exports
  • Configuration changes
  • User deletions
  • Team member changes
  • Site/contract modifications

Security

Data Encryption

StateEncryption
In transitTLS 1.3
At restAES-256

Infrastructure

  • Data centers in secure, SOC 2 compliant facilities
  • Regular security audits
  • Penetration testing
  • Incident response procedures

Access Controls

  • Role-based access (Super User, Admin, User)
  • All access logged
  • Session timeouts
  • Secure authentication

Data Storage & Infrastructure

Where your data is stored

All Cryptique data is stored and processed on Google Cloud Platform (GCP) in the us-central1 region (Iowa, United States).
LayerProviderRegion
Application hostingGoogle Cloud Platformus-central1 (US)
Database & event storageGoogle Cloud Platformus-central1 (US)
CDN & DDoS protectionCloudflareGlobal edge
Enterprise customers may request EU-only data residency as part of a custom agreement. Contact privacy@cryptique.io to discuss data residency requirements.

Security certifications

CertificationStatus
GDPR✅ Compliant
CCPA / CPRA✅ Compliant
SOC 2 Type II🔄 In progress
ISO 27001🔄 In progress
Cryptique’s infrastructure runs on Google Cloud Platform, which holds SOC 2 Type II and ISO 27001 certifications at the infrastructure level. Cryptique’s own SOC 2 Type II audit is currently in progress. When completed, the report will be available to enterprise customers under NDA.

Compliance

GDPR

Cryptique supports GDPR compliance: Data minimization: Collect only necessary data ✅ Purpose limitation: Analytics purpose clearly defined ✅ Storage limitation: Configurable retention periods ✅ Right to access: Export user data ✅ Right to erasure: Delete user profiles ✅ Data portability: JSON export format Your responsibilities:
  • Obtain proper consent before tracking
  • Update privacy policy to mention Cryptique
  • Honor data subject requests

CCPA

For California Consumer Privacy Act: Right to know: Access user data via search ✅ Right to delete: Delete user profiles ✅ Right to opt-out: Honor user preference (e.g. do not load SDK when user opts out) Cryptique uses first-party cookies for:
CookiePurposeDuration
cq_distinct_idUser identification1 year
cq_session_idSession tracking30 minutes
No third-party cookies are used.

Privacy Settings

Configurable Options

Access via SettingsPrivacy:
SettingDescription
Data retentionHow long to keep data
IP geolocationEnable/disable location tracking
Auto-eventsWhich automatic events to capture
Sensitive pathsPaths to exclude from tracking

Exclude Sensitive Pages

Exclude pages from tracking: 
script.setAttribute('auto-events-disabled-paths', '/account,/settings,/admin');
Or configure in dashboard: 
Excluded Paths:
├── /account/*
├── /settings/*
├── /admin/*
└── /checkout/*

Disable Specific Events

Disable events that might capture sensitive data: 
script.setAttribute('auto-events-disabled-events', 'text_selection,copy_action');

Data Processing Agreement

For customers who require a formal Data Processing Agreement (DPA) — including those operating under GDPR — Cryptique provides:
DocumentAvailable
Data Processing Agreement (DPA)✅ On request
EU Standard Contractual Clauses (SCCs)✅ On request
UK International Data Transfer Addendum✅ On request
HIPAA Business Associate Agreement (BAA)On request (enterprise)
To request any of these documents, email privacy@cryptique.io with the subject line “DPA Request”. We aim to respond within 2 business days.

Best Practices

Before Going Live

  1. ✅ Review what data you’re collecting
  2. ✅ Update your privacy policy
  3. ✅ Implement consent if required
  4. ✅ Configure data retention
  5. ✅ Exclude sensitive paths
  6. ✅ Test that opt-out is honored (e.g. SDK not loaded when user opts out)

Ongoing

  • Regularly review data collection
  • Honor data subject requests promptly
  • Keep team access up to date
  • Monitor audit logs

Privacy Policy Template

Include in your privacy policy: 
Analytics

We use Cryptique for product analytics. Cryptique collects:
- Pages visited and interactions
- Device and browser information
- Approximate location (country/city)
- Wallet addresses (if you connect a wallet)

This data helps us improve our product. We do not sell your data.
You can opt out of analytics by disabling or not loading the analytics script.

For more information, see Cryptique's privacy policy at 
https://cryptique.io/privacy

Troubleshooting

  1. Search for user by email, wallet, or ID
  2. Open user profile
  3. Click Delete Profile
  4. Confirm deletion
  5. Notify user of completion
  1. Search for user
  2. Open user profile
  3. Click ExportJSON
  4. Provide exported file to user

Next Steps

Team Management

Configure team access

Default Properties

See what’s collected