
Security & Privacy Standards

Metrivo is built to be privacy-friendly. We do not track visitors across websites, we secure API keys cryptographically, and we hash customer emails to protect identities.

Privacy-Friendly Web Tracking

Our client-side tracking script respects user choices and offers simple opt-out flags for your team and staging domains.

Respects Do Not Track (DNT)

If a user has set their browser to send a "Do Not Track" signal (`navigator.doNotTrack === "1"`), Metrivo immediately halts initialization. No network requests are made, and no tracking data is sent to our servers.

Developer and Team Opt-Out

To avoid skewing production analytics with team pageviews, you can set an opt-out key in browser storage:

localStorage.setItem("__metrivo_exclude", "1")

Staging and Demo Exclusion

Append `?metrivo_ignore=true` to any URL in your browser to prevent that specific session from sending events. This is ideal for manual QA testing or verifying staging link paths.

Cryptographic Data Protections

We apply industry-standard protections to sensitive customer identities and credential records.

One-Way Email Hashing

To comply with GDPR and avoid storing plain-text customer emails, we pass each customer email address through salted SHA-256 before writing it to the database. This allows our engine to correlate Stripe, Razorpay, or Dodo checkout payments with web visitors without storing cleartext PII (Personally Identifiable Information).

Secure API Key Management

Metrivo API keys are created with a secure prefix (e.g. `key_`). The full secret token is shown to you only once. We store only a secure hash of the token on our servers, preventing credential leaks even in the event of database access.

Webhook Integrity

To prevent spoofing or replay attacks, Metrivo requires webhook payloads to be signed by the originating payment gateway (Stripe, Razorpay, or Dodo).

Signature Verification

When webhook secrets are configured, Metrivo validates the signature headers of each incoming webhook against the provider's cryptographic signing specification. Any webhook containing an invalid or missing signature is immediately rejected with a `400 Bad Request` or `401 Unauthorized` status.
