Switch detects AI agents on your site without collecting personal information. Here is exactly how we handle data — no vague promises, just specifics.
Switch is engineered so that personal data never enters the system in the first place. We don't rely on privacy policies to restrict what we do with sensitive data — the system is built so that sensitive data is never stored. IPs are hashed before any database write. Fingerprints are reduced to irreversible hashes. URLs are stripped of query parameters. The result: even in the event of a breach, there is no PII to expose.
Data Collection
Switch classifies traffic by analyzing behavioral patterns and environment signals. It does not need — and does not collect — any personal information.
Page path: e.g. /pricing — query strings are stripped before storage
Referrer origin + path: Query strings stripped; only origin and path retained
Fingerprint hash: One-way hash derived from canvas, WebGL, and audio — not reversible
IP hash: SHA-256 of the visitor IP — raw IP is never stored
User-agent string: Used for agent classification (e.g. "GPTBot/1.0")
Behavioral metrics: Mouse entropy, scroll patterns, click timing — statistical aggregates only
Environment signals: Headless browser flags, automation globals, plugin counts
Session ID: Random UUID in sessionStorage — expires when the tab closes
Cookies: Switch sets zero cookies
Personal information: No names, emails, phone numbers, or account data
Form content: Form interaction timing is measured; actual input values are never read
Keystrokes: Typing cadence variance is measured; actual keys pressed are never captured
Raw IP addresses: IPs are SHA-256 hashed on the server before any storage
Cross-site tracking: No third-party cookies, no tracking pixels, no data sharing with ad networks
Raw fingerprints: Only hashes stored — canvas pixels, WebGL renders, etc. are never persisted
Security Architecture
Multiple independent layers of protection ensure your data stays secure at every stage.
Raw IP addresses are SHA-256 hashed the moment they arrive at our ingestion endpoint — before any database write. The original IP is discarded immediately and never logged. Browser fingerprints are reduced to irreversible djb2 hashes.
Query strings are stripped from both page URLs and referrer URLs before storage. Only the path is retained (e.g. /pricing, not /pricing?email=user@example.com). This prevents accidental PII leakage through URL parameters.
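The two paragraphs above describe a sanitization step that runs before any write. The following is an added example for Node.js, not Switch's own code, showing one way such a step can be built and what it does with malformed or hostile input. The function names, the beacon field names and the placeholder base URL are assumptions; plain SHA-256 is used because that is what the page states, and the page does not say whether a salt or key is applied.

```javascript
const { createHash } = require('node:crypto');

// Hypothetical base, used only so relative paths parse; it is never stored.
const BASE = 'https://placeholder.invalid';

// Page URL -> path only; query string and fragment are dropped.
function pagePath(raw) {
  if (typeof raw !== 'string') return null;
  try {
    return new URL(raw, BASE).pathname;
  } catch {
    return null; // unparseable input: store nothing, not the raw string
  }
}

// Referrer -> origin + path; credentials, query and fragment are dropped.
function referrerOriginPath(raw) {
  if (typeof raw !== 'string') return null;
  try {
    const u = new URL(raw);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin + u.pathname;
  } catch {
    return null;
  }
}

// SHA-256 of the visitor IP as hex; the raw value is not kept.
function hashIp(ip) {
  return createHash('sha256').update(String(ip).trim()).digest('hex');
}

// djb2 over a fingerprint signal string, returned as unsigned 32-bit hex.
function djb2(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) h = ((h << 5) + h + str.charCodeAt(i)) >>> 0;
  return h.toString(16).padStart(8, '0');
}

// Build the record that reaches storage from a raw beacon (constructed field names).
function sanitizeEvent(beacon, remoteIp) {
  return {
    path: pagePath(beacon.url),
    referrer: referrerOriginPath(beacon.referrer),
    ip_hash: hashIp(remoteIp),
    fingerprint_hash: djb2(String(beacon.fingerprintSignals)),
    user_agent: beacon.userAgent,
  };
}
```

Only the object returned by sanitizeEvent should be passed to the database or logging layer; the raw beacon and remoteIp stay local to the request handler.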
Every database table enforces Row Level Security (RLS). Your data is cryptographically scoped to your account — other customers cannot query, view, or infer anything about your site's traffic. Even our own admin tools respect these boundaries.
The Switch Network shows aggregate agent statistics on our public Agent Directory (e.g. “GPTBot detected 4,200 times across the network”). These are per-agent-type counts only — never per-site. No individual site's traffic volume, URLs, paths, or session data is ever exposed in aggregate stats.
Dashboard access requires authenticated sessions via Supabase Auth. Team members are added through an invite-only system with role-based permissions (owner, admin, editor). Billing webhooks are verified using Stripe signature validation.
All data in transit is encrypted via TLS. The dashboard enforces HSTS with a two-year max-age and preload flag. Additional security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are set on every response.
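A customer can check the header claims above against a captured response. This is an added example, not part of Switch's tooling: auditHeaders and parseHsts are hypothetical names, and the function takes a plain object of response headers and returns a list of findings. It also flags preload without includeSubDomains, since the browser preload list requires both directives.

```javascript
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

// Parse a Strict-Transport-Security value into its directives.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const [name, arg] = part.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age' && arg !== undefined) {
      const digits = arg.trim().replace(/^"|"$/g, ''); // value may be quoted
      if (/^\d+$/.test(digits)) out.maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (key === 'preload') {
      out.preload = true;
    }
  }
  return out;
}

// The four additional headers the page names.
const REQUIRED = [
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
  'permissions-policy',
];

// Return a list of findings; an empty list means the response matches the claims.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const findings = [];
  const hsts = parseHsts(h['strict-transport-security']);
  if (hsts.maxAge === null) findings.push('HSTS missing or max-age unparseable');
  else if (hsts.maxAge < TWO_YEARS) findings.push(`HSTS max-age ${hsts.maxAge} is below two years`);
  if (!hsts.preload) findings.push('HSTS preload directive missing');
  else if (!hsts.includeSubDomains) findings.push('HSTS preload set without includeSubDomains');

  for (const name of REQUIRED) {
    if (!(name in h)) findings.push(`${name} header missing`);
  }
  return findings;
}
```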
Infrastructure
SDK Security
The Switch SDK is a single JavaScript file (~10KB gzipped) added via a script tag. It requires no server-side changes, no proxy configuration, and no DNS modifications. It runs entirely in the browser and communicates only with Switch's ingestion endpoint.
The SDK does not set cookies. Session IDs are random UUIDs stored in sessionStorage, which is scoped to the current tab and cleared when it closes. There is no mechanism to track a visitor across different websites.
When journey actions serve custom HTML content (e.g. replace_content), all HTML is sanitized through DOMPurify with a strict allowlist of tags and attributes. Script injection is blocked at the SDK level.
The ingestion endpoint enforces 200 requests/minute per IP and a 64KB maximum payload size. Malformed or oversized payloads are rejected before any processing. Site keys are validated against a strict schema.
Common Questions
No. Every database query is scoped by Row Level Security to your authenticated account. Other customers cannot access, query, or infer any information about your traffic. The only cross-tenant data is the public Agent Directory, which shows aggregate agent-type counts (e.g. "GPTBot: 4,200 detections") with no site-level breakdown.
No. The raw IP address is SHA-256 hashed on the server the moment it arrives. The hash is used for rate limiting and pattern matching. The original IP is never written to the database or any log.
The SDK is ~10KB gzipped and loads asynchronously with the defer attribute. It does not block rendering. Beacons are sent on an adaptive schedule (every 5–60 seconds depending on classification confidence) and have no impact on page performance.
No. Switch sets zero cookies. Session IDs are stored in sessionStorage (tab-scoped, cleared on close). There is no mechanism to track visitors across different websites or sessions.
Switch's architecture is designed with privacy regulations in mind. We collect no personal data, set no cookies, and store no raw IPs. The behavioral signals we analyze (mouse entropy, scroll patterns) are statistical aggregates that cannot identify an individual person. However, we recommend consulting your legal team about your specific compliance requirements.
The public Agent Directory shows only per-agent-type statistics: total detection count, average confidence, and first/last seen timestamps. These are computed across the entire Switch network. No site identifiers, URLs, traffic volumes, or session details are included in aggregate queries.
Even in a worst-case scenario, an attacker would find only hashed IPs, hashed fingerprints, URL paths (no query strings), user-agent strings, and behavioral metrics. There are no passwords, emails, names, or other personal information in the events table. Customer account data (email, billing) is managed by Supabase Auth and Stripe respectively, each with their own security certifications.
Add Switch in five minutes. Get instant visibility into AI agent traffic with zero impact on your visitors' privacy.