Privacy Policy
Last updated · June 14, 2026
Bearing is a privacy-first web analytics tool operated by Sidecar (“we”, “us”). This policy explains what data we handle, both for people who hold a Bearing account and for visitors to websites that have installed the Bearing tracking script.
The short version
- No cookies and no cross-site tracking for analytics.
- We never store visitors’ IP addresses.
- We don’t collect personal data about visitors, build advertising profiles, or sell data to anyone.
- Analytics are aggregate and designed to comply with GDPR, ePrivacy, PECR, and CCPA without a cookie banner.
Visitors to sites that use Bearing
When you visit a website that uses Bearing, the script sends a small event to our servers. We use that to produce aggregate statistics for the website owner. For each event we may record:
- The page URL and path, and the referring URL or source.
- Browser, operating system, and device type (from the user agent).
- Approximate location (country, region, and city) derived from your network connection at the edge. We do not store your IP address.
- UTM campaign parameters present in the URL, and screen width.
- Engagement signals for the page: approximate time on page and how far you scrolled.
- Interaction events: clicks on buttons and links, file downloads, and form submissions, recorded with the element’s visible text (the “call to action”) and, for links, their destination. These let the site owner see which actions visitors take, in aggregate.
- Any custom event properties the site owner chooses to send (the site owner is responsible for not sending personal data here).
Before any of these labels are stored, and, for the tracking script, before they ever leave your browser, we automatically redact obvious personal data from them: email addresses and long number sequences such as phone, account, or order numbers. We do not record what you type into forms, and we do not capture screen recordings.
To count unique visitors without cookies, we generate a one-way hash from a daily-rotating secret, the website domain, your IP address, and your user agent. Your IP address is used only to derive the approximate location above and to compute this hash. It is never written to storage. Because the secret rotates every day, the hash cannot be used to follow a visitor across days or across different websites.
Bearing account holders
- Account details you provide: email address, a securely hashed password, and an optional name.
- The websites you add and the aggregate analytics collected for them.
- Billing details are handled by Stripe. We store your Stripe customer ID and subscription status only, never your card number.
- If you choose to connect Google Search Console, we store an access token for your Google account (encrypted at rest) and periodically import aggregate search statistics: the search queries that lead to your site, and the pages they land on. You can disconnect at any time from your site settings, which deletes the token and the imported data.
AI-assisted recommendations (the Heading)
On paid plans, the Heading uses an AI provider to turn your analytics into a written set of recommendations for a site you own. When it runs, we send that provider:
- The aggregate analytics for your site: the same figures shown on your dashboard, including aggregate engagement signals such as average time on page and scroll depth, and any description you give us of what the site is for. All of it is already stripped of the personal data described above; we do not send any additional information about individual visitors.
- The publicly available content of your own pages, and screenshots of them, so it can review your copy and layout (the same pages anyone can visit). Page fetches identify themselves as our bot and are flagged so they are never counted as analytics traffic.
- If you have connected Google Search Console, the aggregate search queries and landing pages already imported for your site.
The provider also performs web searches to research your business and market from public sources. It processes this data on our behalf to generate your brief and does not use it to train its models. This feature runs only for paid accounts, only for sites you own, and only when the Heading is generated or you request a refresh.
Cookies
The Bearing tracking script, the part that runs on websites you measure, sets no cookies and uses no other persistent browser storage to identify visitors. That is the whole point of it, and it never changes.
The Bearing app, where you sign in and view your dashboards, uses a small number of strictly necessary cookies to keep you signed in and to protect the sign-in process (a session cookie and security tokens). These are essential for the app to function, last only as long as needed, and are never used for tracking or advertising, so no consent banner is required. If you sign in with Google, you are briefly redirected to Google to authorize the connection; Google may set its own cookies on its own domains during that step, governed by Google’s privacy policy rather than this one. We set no advertising or third-party tracking cookies anywhere.
Service providers
We share data only with the providers needed to run the service: Vercel (hosting and edge network), Neon (database), Stripe (payments), and Resend (transactional and report email). If you connect Google Search Console, Google provides the search statistics you import. When you use the AI Heading on a paid plan, Anthropic (the AI provider that writes your recommendations) and the services that render page screenshots and measure page performance process the data described in the section above. Each processes data on our behalf under their own terms.
Data retention
Aggregate analytics are retained while the associated site is active, subject to your plan. Account data is kept while your account is open. When you delete a site or close your account, the associated data is removed.
Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your data, and to object to certain processing. Because we do not store identifying information about site visitors, we usually cannot link analytics back to an individual. To exercise any right, contact us at the address below.
International transfers & children
Our providers process data in the United States and other regions. Bearing is not directed to children under 16, and we do not knowingly collect their data.
Changes
We may update this policy as the product evolves. Material changes will be reflected by the “last updated” date above.
Contact
Questions about privacy? Email [email protected].