LEGAL

Privacy Policy

How Dijji collects, uses, and protects information — on dijji.com and through the analytics service we provide.

Last updated · 24 April 2026

On this page

Who we are
When you visit dijji.com
When you create an account
What we collect on behalf of our customers
Third-party services
Retention
Your rights
Security
Contact

1. Who we are

Dijji is a privacy-first analytics service operated from Mumbai, India. This policy covers two separate data flows:

Our marketing site — what we know when you browse dijji.com.
Our analytics service — what our customers collect through the Dijji tracker deployed on their own websites and apps, and the controls they have as data controllers.

2. When you visit dijji.com

We do not use cookies, advertising pixels, or cross-site tracking on our own marketing site. We do run our own analytics tracker (the same one we sell) on dijji.com — it records pageviews with hashed IP addresses, the referring URL, your browser and device type, and coarse city-level geolocation inferred from your IP. We do not link this to your identity unless you are logged in.

Standard web server logs — which include your unhashed IP, user-agent, and request timestamps — are retained for 14 days solely for debugging and abuse response, then deleted.

3. When you create an account

We collect:

Your email address (required — used for sign-in, password recovery, and product email)
A bcrypt hash of your password (we never store or log the plaintext)
Your optional display name
Timestamps of sign-up, last sign-in, and password changes
Site configuration you create (workspace names, site keys, trigger rules, uptime checks, etc.)

We send transactional email (account verification, password resets, team invitations, daily AI briefs) and very occasionally product announcements. You can unsubscribe from non-essential mail with one click — essential security mail (password resets, invite acceptance) cannot be unsubscribed from as long as you hold an account.

4. What we collect on behalf of our customers

When our customers install the Dijji tracker on their websites, they become the data controller and Dijji operates as their data processor. The tracker sends the following to our servers for each pageview and interaction:

A hashed IP address (hashed server-side on receipt with a per-site salt)
City-level geolocation inferred from the IP
The pathname visited (not the query string unless the site owner opts in)
The referring URL
User-agent string (browser, OS, device type)
A random, cookie-less visit ID stored only in the current tab's sessionStorage
Engagement signals — scroll depth, active time, click counts, rage-click patterns
Custom events the site owner chooses to track via dijji.track()
When enabled by the site owner: session replays (DOM snapshots via rrweb) and mobile SDK data (crashes, installs, rich device context)

We do not set any cookies. We do not fingerprint devices. We do not build cross-site profiles. We do not sell or share data with advertisers.

Site owners are responsible for obtaining any consent their jurisdiction requires (GDPR, DPDP, CCPA, etc.) from their own visitors — Dijji provides a consent-gate API they can wire to a consent manager if they choose.

5. Third-party services

Dijji operates a small, vetted set of third-party processors:

Hostinger — compute and database hosting (EU & India data centres)
Brevo — transactional + product email
OpenAI — generates the Daily AI Brief and session narrations. Only aggregate, non-identifying event streams are sent; no IPs, user emails, or raw replay frames are included in prompts. OpenAI is contractually prohibited from training on Dijji API input (per their API terms).
cron-job.org — heartbeats our scheduled jobs
jsDelivr — CDN for the rrweb library used during session replay

6. Retention

Web server logs — 14 days
Pageviews, engagement, custom events — as long as the customer's account is active; deleted 30 days after account closure
Session replays — default 30 days; customers can request shorter retention
AI-generated brief & session summaries — 24 hours (cached), then regenerated on demand
Support emails — 2 years

7. Your rights

Depending on your jurisdiction, you may have the right to:

Request a copy of the data we hold about you
Correct inaccurate data
Request deletion of your account and associated data
Object to processing, or withdraw consent where it was the legal basis
Lodge a complaint with your local data-protection authority

To exercise any of these rights, email hello@dijji.com from the address on your account. We respond within 30 days.

8. Security

All connections to Dijji are served over TLS with HSTS preload. Passwords are stored as bcrypt hashes. IPs collected via the tracker are hashed server-side on ingestion with a per-site salt. Database backups are encrypted at rest. We do not claim to be invulnerable — if you believe you have found a vulnerability, please email hello@dijji.com and we will respond promptly.

9. Contact

Dijji · Mumbai, India
Email: hello@dijji.com

We'll update this policy as the product evolves. Material changes will be announced via email to active account holders at least 14 days before taking effect.