To use Calibre’s RUM tracking, you need to install a JavaScript snippet on your website. The JavaScript snippet runs in the user’s browser and collects performance data as they interact with your site. Data is collected and delivered to Calibre’s globally distributed edge network for processing, and later stored in a centralised database.
This page describes what data is collected, where and how it is processed, and where it is stored.
When a user visits your website, the RUM snippet use.calibre.app/index.js collects the following:
| Field | Description |
|---|---|
| sessionId | A randomly generated identifier for the user session. Automatically discarded when the session ends. Never used again. |
| path | The URL of the page being visited. e.g.: /products/123, or a custom path defined by advanced configuration. |
| pageLabel | document.title, or a label defined by advanced configuration. |
| metrics[] | An array of performance metrics (e.g.: LCP, CLS, INP) for various events, including timing information and source element identifiers. e.g. #cartCheckout. Sourced from a recent release of web-vitals. |
Data is delivered to use.calibre.app/t for processing.
RUM performance data is delivered to Calibre’s globally distributed edge network, where it is processed. Each edge location processes data, extracting coarse location data (city, country), browser identification (name, version) and device characteristics (vendor, model, operating system) from user agent parsing.
| Field | Description |
|---|---|
| origin | The origin of the request (e.g.: https://example.com). |
| city | The city from which the user is accessing the site. |
| country | The country from which the user is accessing the site. |
| Browser - name, version, majorVersion | Name and version of the browser being used (e.g.: Chrome 140). |
| Device - vendor, model | The vendor and model of the device being used (e.g.: Apple iPhone 18). |
| Operating System - name, version | Name and version of the operating system being used (e.g.: Windows 10). |
| Device Type | Flags to indicate the type of device (e.g.: Mobile, Tablet, Desktop, Android, iOS, Smart TV, etc). |
| Timestamp | Timestamp of when the data was collected (e.g.: ISO 8601 UTC timestamp). |
All data transports are encrypted using industry-standard protocols like SSL/TLS 1.3 to ensure data security and privacy as data migrates to our database in the USA.
RUM data is generally processed at an edge location nearest to the user, as determined by Anycast routing and availability of edge locations near to the user. Our edge network is supplied by Amazon Web Services (AWS) Lambda@Edge.
Processed, anonymous data is securely transferred to a centralised database in the USA, where it can be viewed in Calibre.
Calibre’s Real User Monitoring is designed to collect performance data while respecting user privacy. We operate on a core principle of data minimisation, and as such, we only collect data necessary to provide our services.
For each new visitor, a randomly unique identifier is generated and stored in sessionStorage. This identifier is used to associate collected performance data with a specific user session. When the user closes the tab or browser, the identifier is immediately removed from sessionStorage.
The session identifier does not contain any personally identifiable information (PII) and is not linked to any other data that could identify the user.
No cookies or localStorage are used to track users. Users are not tracked across different sessions. Internally, the session identifier is used to count unique sessions for reporting and billing purposes.
Calibre retains RUM data for a period of up to 24 months, determined by your Site’s RUM Settings.
After this period, data is automatically deleted in accordance with our data retention policy.
If you want to stop collecting data from users in the European Economic Area (EEA) or European Union (EU), you can do so by configuring your Site’s RUM settings.
When the Exclude EEA/EU option is enabled, the RUM snippet will not be loaded for visitors identified from these regions.
Calibre RUM uses a combination of techniques to automatically detect and filter out bot and automated traffic. This includes analysing request patterns, user agent strings, and other heuristics to identify non-human, or abusive behaviour. This detection occurs in real-time at the edge locations closest to the user (as determined by Anycast routing).
Calibre RUM has adopted the upcoming specification for signature based subresource integrity (SSRI) to ensure that the resources being loaded have not been tampered with by an attacker.
When you embed Calibre RUM into your pages, the supplied integrity attribute contains a public cryptographic key that can be used by browsers to verify the authenticity of the resource. If the signature does not match, the script will not be executed.
Signature based SRI is supported as of Chrome 141. Safari and Firefox do not yet support SSRI and will ignore the integrity attribute.
If you are using a Content Security Policy (CSP) on your website, you will need to update the allowlist to ensure the RUM snippet can function correctly:
1script-src: use.calibre.app;2connect-src: use.calibre.app;
If you discover a security vulnerability in Calibre RUM, we encourage you to responsibly disclose it by contacting us at security@calibreapp.com. We will work with you to investigate and address issues that meet our security criteria.
If you require a Data Processing Agreement (DPA) for your use of Calibre RUM, please contact us at privacy@calibreapp.com.
On this page