Security

Once Analytics is designed with privacy and security at its core. Your data stays on your Cloudflare account, and you control access to the dashboard.

Dashboard authentication

Two authentication methods are available:

PIN code auth

The simplest protection — a password to access your dashboard. Sessions last 30 days.

To change your PIN, see Configuration → Changing the PIN.

Cloudflare Access

Enterprise-grade authentication using Cloudflare Zero Trust. Supports email OTP, SSO (Okta, Azure AD), team management, and audit logs.

Manage team access in Cloudflare Dashboard → Zero Trust → Access → Applications.

Data protection

What we collect

What we don't collect

• Email addresses
• Names or usernames
• Form input values
• Payment information
• Personal identifiers

Sensitive data handling

Query parameters are automatically scanned and redacted:

Redacted parameters

Authentication: session_id, token, access_token, refresh_token, jwt, auth, code, state

User data: user_id, email, username, phone, name

Security: password, secret, csrf_token, api_key, private_key

Payment: card, cvv, account_number, routing_number

Tracking IDs: fbclid, gclid, msclkid, _ga

Values are replaced with REDACTED:

Before: /checkout?email=user@example.com&session_id=abc123
After:  /checkout?email=REDACTED&session_id=REDACTED

Bot detection

Once Analytics identifies and flags bot traffic:

Detected bots

• Search engines: Googlebot, Bingbot, Yandex, Baidu, DuckDuckGo
• Social crawlers: Facebook, Twitter, LinkedIn, Pinterest
• AI crawlers: GPTBot, ClaudeBot, ChatGPT-User, Anthropic
• Monitoring: UptimeRobot, Pingdom, Site24x7
• SEO tools: Ahrefs, Semrush, Moz, Screaming Frog

How bots are handled

• Flagged with is_bot = 1 in database
• Browser field stores the bot name
• OS and device fields are null
• Shown separately in dashboard (with "Bot" indicator)
• Not counted in human visitor metrics

Questions? Email hello@onceanalytics.com