Privacy policy.

If you never submit a form or email us, we know essentially nothing about your visit beyond the basic technical exchange your browser has with our hosting provider to deliver the page.

If you do contact us, we receive what you send, we use it to respond, and we don't sell it, share it, or add you to any marketing list. You can ask us to delete it at any time.

The sections below say the same thing in more detail, plainly and without legal theater. If something is unclear, email admin@npdestracker.com.

Information you give us. When you fill out the demo request form on /demo, send us an email, or otherwise contact us, we receive the information you choose to share. Typically that's your name, title, agency, email address, and whatever you write in your message.

Information collected automatically. Like virtually every website, our hosting provider receives basic technical information with each page request, including your IP address, browser type, and the URL you requested. This is used for site delivery, security, and diagnostics.

We use website analytics tools and Google Ads + Microsoft Advertising UET conversion tags to understand how visitors find and use the public site, and to measure which advertising campaigns lead to demo opens, pricing engagement, and pilot inquiries. These tools may receive page views, clicks, scrolling, device and browser information, and approximate location based on IP address. They look at how the public marketing website is used, not at customer compliance records inside the application. We do not sell visitor information.

Campaign source (UTM) tags. If you arrive via a link with UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term), we remember those tags inside your current browser tab using first-party sessionStorage and forward them along when you click through to the application or send us an email, so we can see which campaign your interest came from. This is first-party storage only — not a cookie, not transmitted to other websites, and cleared automatically when you close the tab.

The public website uses website analytics tools to understand how visitors find and use the site. Typical signals include page views, clicks, scrolling, device and browser information, approximate location based on IP address, and general site usage. Some of these tools record session activity such as where visitors click or scroll on a page so we can understand which parts of the site are useful and which are confusing.

These tools observe how the public marketing website is used. They do not receive customer compliance records from the application. We do not sell visitor information.

About cookies. Our own site code does not set any cookies. The analytics and ad measurement tools listed above (Microsoft Clarity, Google Ads, Microsoft Advertising UET) load on the public website and may set their own first-party browser cookies as part of standard measurement — for example, to recognize that a session continued across page loads. We do not read those cookies in our own code. You can block these tools through standard browser privacy settings, an ad blocker, or a privacy-focused browser extension, and the site will still work normally.

Buyer-intent events. On the public marketing website we fire a small set of named events so we can see which advertising campaigns and which pages lead to demo opens, pricing engagement, and pilot inquiries. The events we fire are: sample workspace click, pricing page view, security page view, privacy page view, walkthrough request click, pilot inquiry click, contact email click, and checkout link click. Each event is the name of the action plus any UTM tags from the link you arrived on — never the contents of a form, email, or compliance record. These event names are passed to the analytics layers already loaded on the public site (Google Ads, Microsoft Clarity, Microsoft Advertising UET, and Vercel Analytics).

Google Ads conversion tracking. The public website loads a Google Ads tag (AW-18184217672) so we can measure which advertising campaigns lead to the buyer-intent events listed above. The signals Google receives are those event names plus standard request data your browser already sends to any website. We do not upload customer compliance records or visitor lists to Google, and the Google Ads tag is only present on the public marketing website, not inside the application. We do not currently run Google Ads remarketing or audience lists from these events.

If your browser is configured to send a Do Not Track or Global Privacy Control signal, the analytics tools we use may honor those signals according to each provider's own configuration. You can also block analytics and ad scripts through standard browser privacy settings or an ad blocker.

Email correspondence is retained in our email system for as long as reasonably necessary to respond, maintain business records, and support future conversations. You can request deletion at any time by emailing us.

Technical server logs are retained by our hosting provider according to their standard retention windows.

NPDESTracker is built for municipal staff and public agencies. The public website is not directed to children under 13, and we do not knowingly collect information from them.