Discover Mister Chameleon

Your website, personalised for every visitor.

Mister Chameleon adapts headlines, proof, and CTAs in real time - no code changes, no privacy trade-offs.

Privacy-first personalisation

Not privacy-optional. Privacy by design.

A lot of personalisation tools were built in an era when third-party cookies were the default. Mister Chameleon was not. We built from the ground up on first-party data - which means you can personalise your website without compromising your visitors' privacy or your GDPR compliance. No cross-site tracking. No fingerprinting. No data sold or shared. Just better content for the right visitor, powered by signals they've already given you.

First-party data, your database, your region - GDPR compliant by design

Our security and privacy principles

No third-party cookies

We use a first-party session cookie set on your own domain. No cross-site tracking, no fingerprinting, no ad network data.

Your data, your database

All behavioural data, session history, and analytics live in your own Supabase database. We never store your visitors' data on our infrastructure.

IP enrichment without consent

IP-to-company lookup resolves to a business entity - not a person - and therefore does not require consent under GDPR in most EU interpretations.

Data minimisation by default

We track only the signals necessary for personalisation decisions. No behavioural profiles are sold, shared, or used outside your account.

Edge-first architecture

The decision engine runs in Next.js Edge Middleware - your visitors' requests never leave the edge. No data reaches a central server unnecessarily.

SOC 2 roadmap

We are working toward SOC 2 Type II certification. Enterprise customers on the Pro plan can request our current security documentation.

Security & compliance FAQ

Do I need to update my cookie banner for Mister Chameleon?

In most cases, no. We use a single first-party functional cookie (mc_session_id) that is necessary for the service to function - which typically does not require explicit consent under ePrivacy Directive interpretations. We recommend disclosing it in your cookie policy as a transparency measure. Your legal team should confirm for your specific jurisdiction.

Where is visitor data stored?

In your own Supabase database. You choose the region (EU, US, or others). We never store your visitors' personal data on Mister Chameleon infrastructure.

Is Mister Chameleon GDPR compliant?

Yes. We act as a data processor under GDPR. We offer a Data Processing Agreement (DPA) for all paying customers, which documents the lawful basis for processing, your rights as controller, and our subprocessor relationships.

Can I request a security questionnaire or DPA?

Yes - contact us at security@misterchameleon.io and we'll respond within two business days.

Questions about compliance?

Our team is happy to help with security questionnaires, DPA requests, and DPIA support.