Your website, personalised for every visitor.
Mister Chameleon adapts headlines, proof, and CTAs in real time - no code changes, no privacy trade-offs.
Not privacy-optional. Privacy by design.
A lot of personalisation tools were built in an era when third-party cookies were the default. Mister Chameleon was not. We built it from the ground up on first-party data - which means you can personalise your website without compromising your visitors' privacy or your GDPR compliance. No cross-site tracking. No fingerprinting. No data sold or shared. Just better content for the right visitor, powered by signals they've already given you.
Our security and privacy principles
No third-party cookies
We use a first-party session cookie set on your own domain. No cross-site tracking, no fingerprinting, no ad network data.
Your data, your database
All behavioural data, session history, and analytics live in your own Supabase database. We never store your visitors' data on our infrastructure.
IP enrichment without consent
IP-to-company lookup resolves to a business entity - not a person - and therefore does not require consent under GDPR in most EU interpretations.
Data minimisation by default
We track only the signals necessary for personalisation decisions. No behavioural profiles are sold, shared, or used outside your account.
Edge-first architecture
The decision engine runs in Next.js Edge Middleware - your visitors' requests never leave the edge. No data reaches a central server unnecessarily.
SOC 2 roadmap
We are working toward SOC 2 Type II certification. Enterprise customers on the Pro plan can request our current security documentation.
Security & compliance FAQ
Do I need to update my cookie banner for Mister Chameleon?
In most cases, no. We use a single first-party functional cookie (mc_session_id) that is necessary for the service to function, and a cookie of this kind typically does not require explicit consent under ePrivacy Directive interpretations. We recommend disclosing it in your cookie policy as a transparency measure. Your legal team should confirm for your specific jurisdiction.
Where is visitor data stored?
In your own Supabase database. You choose the region (EU, US, or others). We never store your visitors' personal data on Mister Chameleon infrastructure.
Is Mister Chameleon GDPR compliant?
Yes. We act as a data processor under GDPR. We offer a Data Processing Agreement (DPA) for all paying customers, which documents the lawful basis for processing, your rights as controller, and our subprocessor relationships.
Can I request a security questionnaire or DPA?
Yes - contact us at security@misterchameleon.io and we'll respond within two business days.
Questions about compliance?
Our team is happy to help with security questionnaires, DPA requests, and DPIA support.