Privacy Policy
This Privacy Policy describes how ABTestly ("ABTestly", "we", "us", or "our") collects, uses, stores, and shares personal information when you use our website at abtestly.com, our dashboard, our API, and our snippet that runs on customer websites (collectively, the "Service").
We take your privacy seriously. This policy explains what we do with your data and your rights regarding that data. If you have questions, contact us at privacy@abtestly.com.
1. Who we are
ABTestly is operated as an independent software service. We are the data controller for personal data collected about you when you sign up for our Service.
When our customers use ABTestly to run experiments on their own websites, they act as the data controller for their end-users' data. ABTestly acts as a data processor in that relationship. See Section 9 for more details.
Contact:
- Email: privacy@abtestly.com
- Address: Available on request from the above email.
EU/UK Representative under Article 27 GDPR:
For customers and users located in the European Union or the United Kingdom, our appointed representative can be contacted at privacy@abtestly.com. Representative details will be published here once finalized.
2. Information we collect
2.1 Information you provide to us
When you sign up and use ABTestly, we collect:
- Account information: your name, email address, and authentication tokens, collected via our authentication provider Clerk.
- Organization information: the name of your organization, your role, and your team members (if applicable).
- Payment information: billing name, address, and payment method details. Payment information is collected and processed by our payment provider Paddle. We do not store full credit card numbers on our servers.
- Communications: any information you provide when contacting our support team, providing feedback, or completing surveys.
- Experiment configuration: the names, targeting rules, variant code, and other configurations you create within the Service.
2.2 Information we collect automatically
When you use our dashboard or API, we collect:
- Usage data: pages viewed, features used, actions taken, timestamps, and approximate frequency of use.
- Device information: browser type and version, operating system, screen resolution, language preferences.
- IP address and approximate location: derived to country level for fraud prevention and analytics.
- Cookies and similar technologies: see our Cookie Policy section below.
- Error data: information about errors and crashes via our error tracking provider Sentry, including stack traces and contextual debugging data.
2.3 Information collected by our snippet on customer websites
When our customers install the ABTestly snippet on their websites, the snippet collects the following information about their end-users:
- Anonymous visitor identifier: a randomly generated UUID stored in the end-user's browser via localStorage and cookies. This identifier is used solely to ensure consistent variant assignment and is not linked to any personally identifiable information by ABTestly.
- Browser metadata: URL, referrer, user agent, screen size, approximate geographic location (country level, derived from IP), and language.
- Experiment exposure data: which experiments the end-user was exposed to and which variants they saw.
- Cookies and localStorage entries: set by the snippet to maintain consistent variant assignments across page views.
The snippet does NOT collect:
- End-users' names, email addresses, or other directly identifying information
- Form input contents
- Mouse movements or keystrokes
- Session recordings or screenshots
- Sensitive personal data such as health, financial, or biometric information
Our customers are responsible for obtaining appropriate consent from their end-users before deploying the snippet, in accordance with applicable laws including GDPR, UK GDPR, ePrivacy Directive, CCPA, and similar regulations.
3. How we use information
We use the information we collect for the following purposes:
- Provide the Service: create and maintain your account, process your experiments, deliver variant code to end-users, count monthly tracked users for billing.
- Process payments: charge you for paid plans, send receipts, manage subscriptions.
- Communicate with you: send service updates, security alerts, billing notices, and respond to support requests.
- Send marketing communications: with your consent, send product updates, tips, and promotional content. You can opt out at any time.
- Improve the Service: analyze usage patterns to fix bugs, optimize performance, and develop new features.
- Prevent fraud and abuse: detect and prevent unauthorized access, account takeovers, and policy violations.
- Comply with legal obligations: respond to lawful requests from authorities, enforce our Terms of Service, and protect our rights.
4. Legal bases for processing (GDPR)
If you are located in the European Union, the United Kingdom, or other regions with similar laws, we rely on the following legal bases:
- Contract: to provide the Service you've subscribed to.
- Legitimate interests: to improve the Service, prevent fraud, and communicate with you about your account.
- Consent: for marketing communications and non-essential cookies. You can withdraw consent at any time.
- Legal obligation: to comply with applicable laws and respond to lawful requests.
5. How we share information
We do not sell your personal information. We share information only as described below:
5.1 Service providers (sub-processors)
We use the following third-party services to operate ABTestly. Each has its own privacy policy and data handling practices:
- Cloudflare (USA) — edge compute, content delivery, DNS, security.
- Neon (USA) — managed Postgres database hosting.
- Clerk (USA) — authentication and user management.
- Paddle (UK/USA) — payment processing and merchant of record.
- Resend (USA) — transactional and marketing email delivery.
- Sentry (USA) — error tracking and application monitoring.
- PostHog (USA) — internal product analytics.
We may add or change sub-processors over time. Material changes to our sub-processor list will be reflected in updates to this policy.
5.2 Legal requests
We may disclose information if required by law, regulation, or valid legal process, including responding to subpoenas, court orders, or government requests. We will notify affected users where legally permitted.
5.3 Business transfers
If ABTestly is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership.
5.4 Aggregated or de-identified data
We may share aggregated or de-identified data that cannot reasonably be used to identify you for any purpose.
6. International data transfers
ABTestly is operated from Bangladesh. Our service providers operate in various countries including the United States, the United Kingdom, and the European Union. By using our Service, your information may be transferred to, stored, and processed in countries outside of your country of residence, including countries that may have different data protection standards than your country.
For transfers from the EU/UK to countries that have not received an adequacy decision, we rely on Standard Contractual Clauses approved by the European Commission or equivalent safeguards.
7. Data retention
We retain personal information for as long as necessary to provide the Service and comply with legal obligations:
- Account information: retained while your account is active. Deleted within 30 days of account closure, except where required by law (e.g., tax records retained for 7 years).
- Experiment data and variants: retained while your account is active. Archived experiments may be cold-stored after 180 days. All data deleted on account closure or on explicit request.
- End-user exposure data: aggregated and anonymized after 90 days. Raw exposure logs retained for 90 days for billing reconciliation.
- Payment records: retained for 7 years as required by tax and accounting laws.
- Support communications: retained for 3 years for service quality and dispute resolution.
8. Your rights
Depending on where you live, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request that we correct inaccurate or incomplete information.
- Deletion: request that we delete your personal information, subject to legal retention requirements.
- Portability: receive your data in a structured, machine-readable format.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time.
- Complaint: file a complaint with your local data protection authority.
For users in California (CCPA/CPRA), you have additional rights to know what categories of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share information. We do not sell personal information.
To exercise any of these rights, email privacy@abtestly.com. We will respond within 30 days (or sooner if required by applicable law).
9. Customers as data controllers
When our customers install the ABTestly snippet on their websites, they determine what experiments to run, what data to collect about their end-users, and how to comply with applicable laws. In this relationship:
- The customer is the data controller for their end-users' personal data.
- ABTestly is the data processor, acting on the customer's instructions.
- The customer is responsible for obtaining appropriate consent and providing required notices to their end-users.
- ABTestly will sign a Data Processing Agreement (DPA) with customers on request.
If you are an end-user of a customer's website and have questions about how your data is being used, please contact the website owner directly. ABTestly cannot identify or contact you on the customer's behalf.
10. Cookies and tracking technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: required for authentication and security. Cannot be disabled.
- Functional cookies: remember your preferences and settings.
- Analytics cookies: help us understand how the Service is used. Used only with consent in jurisdictions that require it.
On customer websites, our snippet sets the following storage entries on end-users' browsers:
- __abt_uid: anonymous visitor identifier (UUID). Valid for 2 years. Used for consistent variant assignment.
- __abt_v_*: variant assignment records. Valid for 30 days.
- __abt_code_*: cached variant code for repeat-visit performance. Valid for the duration of the experiment.
- __abt_seen_v: tracks the last seen config version.
End-users can disable or delete these by clearing their browser's cookies and localStorage. Customers using ABTestly should disclose these in their own privacy policies.
11. Security
We implement reasonable technical and organizational measures to protect your information, including:
- TLS encryption for all data in transit
- Encryption at rest for stored data via our service providers
- Row-level access controls in our database
- Secrets management via secure environment variables
- Regular dependency updates and security patches
- Access logging and monitoring
No security measure is perfect. If we become aware of a data breach affecting your personal information, we will notify you and applicable regulators as required by law.
12. Children's privacy
ABTestly is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, contact us at privacy@abtestly.com and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 30 days before they take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
14. Contact us
For questions, concerns, or requests regarding this Privacy Policy or your personal information:
- Email: privacy@abtestly.com
- Legal notices: legal@abtestly.com
- Mailing address: available on request from the above email addresses.
For complaints in the EU, you may contact your local Data Protection Authority. For the UK, you may contact the Information Commissioner's Office (ico.org.uk).