
Privacy Policy

Last updated: April 1, 2026

1. Introduction

This Privacy Policy describes how MiserablyEmployed, LLC (“SessionSight,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information. SessionSight is a product of MiserablyEmployed, LLC. SessionSight provides a platform for user analytics, experience optimization, and marketing automation, including related tools and features (collectively, the “Service”), which our customers integrate into their websites using our SDK or JavaScript snippet.

This policy applies to:

  • Customers: Individuals and organizations that create a SessionSight account and use our Service.
  • End Users: Visitors to our customers’ websites whose session data is captured by the SessionSight SDK on behalf of our customers.
  • Website Visitors: Individuals who visit the SessionSight website (sessionsight.com) without necessarily having an account.

SessionSight operates in two distinct roles with respect to personal data:

  • Data Controller: We act as the controller for personal data we collect directly from our customers and website visitors (for example, account information, billing details, and usage analytics).
  • Data Processor: We act as a processor on behalf of our customers for End User session data captured through the SessionSight SDK. Our customers determine the purposes and means of processing that data, and we process it strictly according to their instructions and our Data Processing Agreement.

By using our Service or visiting our website, you acknowledge that you have read and understand this Privacy Policy. If you are a customer, your use of the Service is also governed by our Terms of Service and, where applicable, our Data Processing Agreement.

2. Information We Collect

2.1 Customer Account Data (SessionSight as Controller)

When you create and use a SessionSight account, we collect the following categories of personal information directly from you:

  • Account Data: Information you provide during registration and while using the Service, such as your name, email address, company name, and any other details you choose to add to your account or organization profile.
  • Billing Data: Billing and invoicing information you provide, such as company name, address, and tax identification numbers. Payment card details are collected and processed by our third-party payment processor. We do not store full credit card numbers on our servers.
  • Usage Data: Information about how you interact with the SessionSight dashboard, including feature usage, login timestamps, pages visited within the application, and preferences.
  • Support Data: Communications you send to us via email, chat, or other support channels, including any personal information you choose to include in those communications.
  • Marketing Data: With your consent, we may collect your email address and communication preferences for the purpose of sending product updates, newsletters, and promotional materials.

2.2 End User Session Data (SessionSight as Processor)

When our customers install the SessionSight SDK or JavaScript snippet on their websites, the SDK captures session data from their website visitors (End Users) on behalf of and under the instructions of the customer. This data may include:

  • Interaction Data: Such as mouse movements, clicks, scroll positions, and page navigation.
  • Page Content: Captured to enable session replay, including the visual layout and text content of the page as rendered in the End User’s browser.
  • Device Information: Such as browser type, operating system, screen dimensions, and language settings.
  • Approximate Location: Country and city derived from the End User’s connection. IP addresses are not stored.
  • Form Interaction Metadata: Describing how End Users interact with forms, without capturing the values entered into form fields.
  • Visitor Identifiers: Used to associate sessions from the same browser.
  • Custom Data: Any custom events, user identification data, or metadata that our customers choose to send through the SDK.
  • Feedback Content: Free-text responses, survey answers, and other feedback voluntarily submitted by End Users through feedback collection features. This content may contain personal data provided directly by the End User.

Default Data Protection Measures in the SDK

SessionSight is designed with privacy in mind. The following protections are applied by default:

  • Form field values are not captured. The SDK records only interaction metadata such as field focus, whether a field contains a value, field labels, and field types.
  • Customers may opt to capture values for specific non-sensitive fields by configuring the SDK or by marking individual elements with an unmask attribute. Customers are responsible for ensuring they have appropriate consent and legal basis before enabling capture for any field.
  • Even when a customer opts to capture a field, common sensitive patterns (such as email addresses, phone numbers, US Social Security numbers, credit card numbers, and authentication tokens) are automatically redacted before the value is transmitted.
  • Password fields never have their values captured under any circumstances.
  • Query strings and URL fragments are stripped from captured page URLs, navigation events, and link attributes, since they often contain session tokens, reset codes, and other sensitive parameters that should not appear in recordings.

2.3 Website Visitor Data

We use our own product (SessionSight) on our website to understand how visitors interact with our content and to improve the user experience. The data collected, how it is used, how long it is retained, and the legal bases for processing are the same as described in Section 2.2 and the corresponding sections below for End User session data. Please see our Cookie Policy for details on the cookies and similar technologies we use.

2.4 Publicly Available Third-Party Content

Certain features of the Service, operated at the direction of our customers, process publicly available content from third-party platforms (such as public social media posts) to detect mentions of keywords or topics that a customer has configured. Only the event of a keyword match and the information necessary to present that match to the customer are retained. We do not build profiles of third-party users from this data, and we do not use it for any purpose other than delivering the customer-configured feature.

3. How We Use Your Information

Customer Account Data

We use customer account data for the following purposes:

  • Service Delivery: To create and manage your account, authenticate your identity, and provide the SessionSight platform and its features.
  • Billing and Payments: To process subscription payments, issue invoices, and manage your billing relationship.
  • Service Improvement: To analyze usage patterns, identify areas for improvement, and develop new features and functionality.
  • Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
  • Security: To detect, investigate, and prevent fraudulent activity, unauthorized access, and other security threats.
  • Communications: To send transactional emails (account confirmations, password resets, billing notifications) and, with your consent, marketing communications.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

End User Session Data

We process End User session data solely on behalf of our customers, in accordance with their instructions and our Data Processing Agreement. Our customers use this data for product analytics, user experience optimization, and other purposes enabled by the Service, such as session replay, heatmaps, funnel analysis, A/B testing, feature flags, form analytics, and goal tracking.

SessionSight does not use End User session data for its own purposes, and does not sell, rent, or trade End User session data to any third party.

4. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA) and the United Kingdom (UK), we rely on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent legislation:

  • Performance of a Contract (Article 6(1)(b)): Processing of customer account data and billing data is necessary for the performance of our contract with you, specifically to provide the SessionSight Service, manage your account, and process payments.
  • Legitimate Interests (Article 6(1)(f)): We process usage data and website visitor data based on our legitimate interest in understanding how our Service and website are used, improving and securing our platform, and communicating with customers about their accounts. We have conducted balancing tests to ensure these interests do not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a)): We process marketing data and send promotional communications only with your prior consent. You may withdraw consent at any time by using the unsubscribe link in any marketing email or by contacting us at [email protected].
  • Legal Obligation (Article 6(1)(c)): We may process personal data where necessary to comply with applicable legal obligations, such as tax reporting or responding to lawful requests from public authorities.

For End User session data, SessionSight processes this data as a processor on behalf of the customer (controller). The customer is responsible for establishing an appropriate legal basis for the collection and processing of their End Users’ data. We recommend that our customers provide clear notice to their End Users and, where required, obtain consent.

5. Data Sharing and Sub-Processors

We do not sell, rent, or trade personal information to third parties. We share personal information only in the following limited circumstances:

  • Sub-Processors: We use carefully selected third-party service providers to help us operate and deliver the Service. Each sub-processor is bound by contractual obligations to protect personal data and to process it only for the purposes we specify.
  • Legal Requirements: We may disclose personal information if required to do so by law, regulation, court order, or other governmental process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users of any such change in ownership or control of their personal information.

Sub-Processor List

The following sub-processors are currently authorized to process personal data on our behalf:

Sub-Processor | Purpose | Location
DigitalOcean | Cloud infrastructure, hosting, and managed data services | United States
Cloudflare | Content delivery, security, and DNS | Global
Resend | Transactional email delivery | United States
Stripe | Payment processing and subscription billing | United States
Anthropic | AI inference for public content analysis, customer-directed content analysis, and de-identified UX insight generation | United States

We will update this list when sub-processors are added or removed and will provide notice in accordance with our Data Processing Agreement.

Use of AI (Anthropic)

SessionSight uses Anthropic’s Claude API in four distinct scopes: (i) analysis of publicly available third-party websites, (ii) analysis of customer-supplied website content at the customer’s direction, (iii) generation of de-identified UX insights from per-session signals such as session duration, sanitized page paths, frustration and engagement scores, error counts, form completion ratios, and counts of interaction patterns, and (iv) the in-dashboard AI assistant, which sends the user’s chat input and the responses from SessionSight tools the assistant invokes on the user’s behalf.

In scope (iii), no session identifiers, visitor identifiers, end-user identifiers, raw event streams, DOM snapshots, or form field values are transmitted. Anthropic retains API inputs and outputs for up to thirty (30) days for trust and safety purposes and does not use this data to train its models.

In scope (iv), conversations with the in-dashboard AI assistant are stored on SessionSight servers, scoped to the originating user and company, for up to thirty (30) days from last activity so the same conversation continues across devices. Only the user-typed text and the assistant’s text reply are stored; raw tool inputs and tool responses are not retained beyond the request lifecycle. Users may delete an individual conversation at any time from the assistant panel.

Customer-Directed Integrations

SessionSight allows customers to connect third-party services (such as social media platforms, messaging platforms, email and messaging providers, webhook endpoints, and other tools) through our integrations and workflow features. A current list of supported integrations is available in the SessionSight dashboard. When you configure these connections, data is shared with those services according to your configuration and subject to those services’ own privacy policies. These third-party services are not sub-processors of SessionSight. You are responsible for reviewing and accepting the terms and privacy practices of any service you choose to connect.

6. Data Retention

Customer Account Data

We retain customer account data for as long as your account is active or as needed to provide you with the Service. If you close your account, we will delete or anonymize your account data within 30 days, except where we are required to retain certain information to comply with legal obligations (such as tax and billing records), resolve disputes, or enforce our agreements.

End User Session Data

End User session data is retained according to the customer’s subscription plan:

Plan | Retention Period
Trial / Starter | 90 days
Pro | 180 days
Enterprise | 365 days

Session data that exceeds the retention period for the applicable plan is automatically and permanently deleted through a scheduled cleanup process. Customers may also request early deletion of session data by contacting us.

7. International Data Transfers

SessionSight is based in the United States, and our primary infrastructure is hosted in the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States.

For transfers of personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) and, where applicable, the UK International Data Transfer Addendum. These safeguards are incorporated into our Data Processing Agreement and ensure that personal data receives an adequate level of protection regardless of where it is processed.

We also require our sub-processors to implement appropriate safeguards for international data transfers, including the use of SCCs where applicable.

8. Your Rights

Rights of SessionSight Customers and Website Visitors

Depending on your jurisdiction, you may have the following rights with respect to the personal data we hold about you as a controller:

  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request that we delete your personal data, subject to certain exceptions (such as where retention is required by law).
  • Right to Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object: You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. In certain cases, we may ask you to verify your identity before we can process your request.

If you believe that we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

Rights of End Users

If you are an End User whose session data has been captured by the SessionSight SDK on a customer’s website, please direct any requests regarding access, correction, deletion, or other rights to the website operator (our customer). The website operator is the data controller for your session data and is responsible for responding to your requests.

If you contact SessionSight directly with an End User data request, we will make reasonable efforts to identify the relevant customer and forward your request, or direct you to the appropriate contact.

9. Cookie Usage

SessionSight uses cookies and similar browser storage on the sessionsight.com website for essential functionality, analytics, and preference management.

The SessionSight SDK, when installed on a customer’s website, uses first-party cookies and equivalent local browser storage to assign a persistent visitor identifier and to track the active recording session. These are set under the customer’s domain and are used solely to associate activity from the same browser. They do not track users across different websites.

For detailed information about the specific cookies and storage entries we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

10. Restricted Use Cases

The SessionSight Service is not designed or certified for the categories of use described below. Customers must not deploy the Service in these contexts.

10.1 Children (COPPA)

The SessionSight Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. Our customers are prohibited from using the SessionSight SDK on websites or portions of websites that are directed at children under 13 or that are otherwise subject to the Children’s Online Privacy Protection Act (COPPA).

If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information. If you believe that a child under 13 has provided personal information through a website using the SessionSight SDK, please contact us at [email protected], and we will work with the relevant customer to address the issue.

10.2 Protected Health Information (HIPAA)

SessionSight is not a HIPAA-compliant service. We are not a Business Associate as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and we have not entered into a Business Associate Agreement (“BAA”) with any customer. The Service has not been designed, audited, or certified for the storage, transmission, or processing of Protected Health Information (“PHI”) as defined under HIPAA.

Customers must not install the SessionSight SDK on, or otherwise use the Service in connection with, any website, application, page, or workflow that collects, displays, or transmits PHI. This includes, without limitation, patient portals, telehealth interfaces, electronic health record interfaces, prescription or lab-result interfaces, and any other digital property of a HIPAA Covered Entity or Business Associate where PHI is rendered to or entered by an end user.

If a customer transmits PHI to SessionSight in violation of this restriction, the customer is solely responsible for any resulting compliance exposure. Upon becoming aware of any such transmission, SessionSight may suspend or terminate the customer’s account and delete the affected data. SessionSight does not consent to act as a HIPAA Business Associate by virtue of receiving PHI in violation of these terms.

11. California Privacy Rights (CCPA/CPRA)

This section applies to California residents and supplements the information provided elsewhere in this Privacy Policy, as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”).

SessionSight’s Role

With respect to End User session data collected through the SDK on our customers’ websites, SessionSight acts as a “Service Provider” under the CCPA. We process this data solely on behalf of and under the instructions of our customers, and we do not sell, share, or use it for any purpose other than providing the Service as described in our agreements with our customers.

No Sale of Personal Information

SessionSight does not sell personal information. We have never sold personal information, and we have no plans to sell personal information. This applies to all categories of personal information we collect, whether from customers, End Users, or website visitors.

No Sharing for Cross-Context Behavioral Advertising

SessionSight does not share personal information for cross-context behavioral advertising. We do not disclose personal information to third parties for the purpose of targeted advertising across different websites, applications, or services.

Your California Privacy Rights

If you are a California resident, you have the following rights under the CCPA:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared.
  • Right to Delete: You may request that we delete your personal information, subject to certain exceptions provided by law.
  • Right to Correct: You may request that we correct inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: Because we do not sell or share personal information for cross-context behavioral advertising, there is no need to opt out. However, we honor this right and will continue to refrain from such practices.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge different prices, provide a different level of quality, or suggest that you will receive different treatment for exercising your rights.

To exercise your California privacy rights, please contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days, as required by law.

If you are an End User of a website that uses SessionSight, please direct your CCPA requests to the website operator. As a Service Provider, SessionSight processes End User data only on the customer’s behalf.

12. Do Not Track / Global Privacy Control

SessionSight honors both Do Not Track (DNT) and Global Privacy Control (GPC) signals. When the SDK detects either signal from a visitor’s browser, it suppresses the persistent visitor identifier and uses an in-memory session identifier instead. The visitor’s session is still recorded, but they are not identified across separate visits.

13. Data Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. For a detailed description of our security measures, see Section 6 of our Data Processing Agreement. Key measures include:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Data at rest is encrypted at the infrastructure storage layer using AES-256 or equivalent.
  • Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with separate authentication mechanisms for dashboard and API access.
  • Input Validation: All API inputs are validated and sanitized before processing.
  • Data Isolation: Each customer’s session data is logically isolated at the company and property level to prevent unauthorized cross-customer access.
  • Infrastructure Security: Our hosting infrastructure is provided by cloud providers that maintain industry-recognized security certifications.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to following industry best practices and promptly notifying affected parties and relevant authorities in the event of a data breach, in accordance with applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this page.

For material changes that significantly affect how we collect, use, or share personal information, we will provide at least 30 days’ advance notice. This notice will be delivered by email to the address associated with your SessionSight account and, where appropriate, through a prominent notice on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: [email protected]
  • Mailing Address: MiserablyEmployed, LLC, 400 N Tampa St Ste 1550 PMB 200053, Tampa, Florida 33602-4719 US

We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.


© 2026 SessionSight. All rights reserved.