Data residency
Where your sessions are stored, and how to pin a region for compliance.
Default
Sessions are stored in our managed storage tier. The default region follows your traffic — the API writes to the edge region closest to the origin of the POST. For most Tanzania-first apps, that's Europe (eu).
What's stored
| Data | Retention | Notes |
|---|---|---|
| Session events (DOM, clicks, network) | 90 days (free) / configurable (paid) | Compressed, gzipped |
| Screen frames (RN) | 90 days | JPEG blobs |
| Error payloads + stack traces | 90 days | Indexed for search |
| User traits | Forever (until deletion) | Attached to visitor |
| Visitor IDs | Forever | Persists across sessions |
Pinning a region
For GDPR, Tanzanian data-protection, or HIPAA-adjacent compliance, you can ask us to pin your project to a specific region so data never leaves that jurisdiction.
Available regions on request:
| Region | Data center |
|---|---|
eu | Frankfurt, Germany |
us-east | Ashburn, Virginia |
ap-south | Mumbai, India |
af-south | Johannesburg, South Africa |
Email kelvin@galacha.me with your project ID and desired region. We configure the routing server-side, no SDK change needed.
Encryption
| Layer | Mechanism |
|---|---|
| In transit | HTTPS (TLS 1.2+) |
| At rest | AES-256 at the storage layer |
| Backups | Encrypted, region-local, 30-day retention |
Project keys are hashed before indexing. The raw key is never logged.
Subprocessors
We use the following third parties to operate the service:
| Vendor | Purpose |
|---|---|
| Cloudflare | CDN, DDoS protection |
| Fly.io | Compute |
| Our managed storage tier | Long-term session storage |
Full subprocessor list and DPA templates available on request.
Deletion
See Deleting user data.