=== Harvv Analytics ===
Contributors: harvv, ecommercepros505
Tags: analytics, woocommerce, behavioral analytics, conversion tracking, privacy
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Zero-PII behavioral analytics pixel with WooCommerce order sync. No cookies, no consent banner required.

== Description ==

**Zero PII. No cookies. No consent banner required.**

Harvv Analytics ships a lightweight (under 10 KB gzipped) behavioral tracker that captures how visitors interact with your pages — dead clicks, rage clicks, scroll depth, hover intent, JavaScript errors, engagement time — and syncs WooCommerce orders to your Harvv dashboard. It never reads cookies, never transmits names, emails, phone numbers, or addresses, and never stores personal data in your WordPress database.

Because the plugin transmits no personal data, it does not require a cookie-consent banner under GDPR, CCPA, or PECR. Your visitors see no pop-ups; your checkout flows are not slowed; your compliance posture is simpler.

**What this plugin does**

* Enqueues a vanilla-JS tracker (no jQuery, no external scripts) on your frontend.
* Captures behavioral signals: scroll depth, click targets, dead/rage clicks, hover intent, page errors, engagement time.
* Syncs WooCommerce orders on `woocommerce_payment_complete` (never blocks checkout).
* Passes customer identity as a non-reversible hash derived from the site's own salts — the raw email never leaves WordPress.
* Works with WooCommerce HPOS (Custom Order Tables) out of the box.
* Multisite-aware: one network API key, per-subsite Site IDs, per-subsite admin overrides.

**What this plugin does NOT do**

* Does not set or read cookies.
* Does not transmit email addresses, names, phone numbers, postal addresses, or IP addresses.
* Does not load any JavaScript from external URLs — the tracker ships bundled with the plugin.
* Does not create custom database tables on your WordPress site.
* Does not record session replays or keystrokes.

**Why you might want this**

If you run a WooCommerce store and want to see the dead clicks, rage clicks, and broken checkout paths your visitors hit — without making them click through a GDPR banner — Harvv is designed for you. The behavioral signals are sent to your Harvv dashboard where they become a prioritized list of UX fixes with plain-English explanations.

== External Services ==

This plugin relies on the Harvv analytics service (operated by Olivas Venture Capital LLC d/b/a Harvv) to store and analyze behavioral events. Data is transmitted to the following endpoint:

* **Endpoint:** `https://api.harvv.com/v1/track`
* **When:** Events are sent continuously while a visitor is on your site (batched every 5 seconds or on tab close, via `navigator.sendBeacon` when available). WooCommerce order events are sent once, on `woocommerce_payment_complete`.
* **What is sent (behavioral events):** Session ID (random, in-memory, regenerated per browser tab — never a stable cookie), visitor ID (sessionStorage-scoped, cleared when the tab closes), event type, page path (no query string with sensitive params), referrer, viewport dimensions, CSS selectors of clicked/hovered elements (tag + id + first class name only, no text content), JavaScript error messages, engagement timestamps.
* **What is sent (WooCommerce events):** Order ID, order status, order total, line-item product IDs and quantities, coupon codes, payment method name, shipping method name, non-reversible customer hash (derived via `wp_hash()` using your WordPress salts).
* **What is NOT sent:** Names, email addresses, phone numbers, postal addresses, IP addresses, raw user IDs, cookies, session replays, keystroke data, form values.
* **Registration endpoint:** `https://api.harvv.com/v1/sites/register` — called once per site (or subsite on Multisite) to obtain a Site ID. Transmits only the site URL, site name, WordPress version, PHP version, and plugin version.
* **Connect flow:** `https://harvv.com/connect/wordpress` — opened in a new browser tab when an admin clicks "Connect to Harvv" in the plugin settings. Harvv's hosted signup page handles authentication; it then POSTs the API key back to your site's own REST endpoint (`/wp-json/harvv/v1/connect`) with a nonce you generated locally.
* **Harvv terms of service:** [https://harvv.com/terms](https://harvv.com/terms)
* **Harvv privacy policy:** [https://harvv.com/privacy](https://harvv.com/privacy)

By activating this plugin and supplying an API key, you consent to the transmission of the data described above to Harvv. You can disconnect at any time from the plugin's settings page; uninstalling removes all plugin options from your database.

== Installation ==

1. Install and activate the plugin through the WordPress Plugins screen, or upload the plugin folder to `/wp-content/plugins/harvv-analytics/`.
2. Navigate to **Settings → Harvv Analytics**.
3. Click **Connect to Harvv** — this opens harvv.com in a new tab for signup. Once you complete signup, the tab will notify this plugin and your API key will be saved automatically.
4. Alternatively, expand **I already have an API key** and paste your key manually.
5. On WooCommerce sites, no further action is needed — order events start flowing on the next completed payment.

For multisite networks: go to **Network Admin → Settings → Harvv Analytics** and set one network-wide API key. Each subsite will auto-register with Harvv on its next pageload and receive its own Site ID.

== Frequently Asked Questions ==

= Does this require a cookie consent banner? =

No. The plugin sets no cookies and transmits no personal data. Under GDPR, CCPA, and PECR, cookie-consent banners are required only when a site sets non-essential cookies or transmits personal data to third parties. Harvv transmits only behavioral signals (dead clicks, scroll depth, etc.) and a non-reversible customer hash — these are not personal data under any major privacy regime.

If your legal counsel interprets the regulations more conservatively than we do, you can still add Harvv to your privacy policy's third-party services section. The plugin provides suggested language at **Settings → Privacy → Policy Guide**.

= Does this plugin work without WooCommerce? =

Yes. The WooCommerce integration loads conditionally — on a non-Woo WordPress site, the plugin runs as a pure behavioral pixel.

= Does this plugin slow down my checkout? =

No. All outbound HTTP calls use `wp_remote_post()` with `'blocking' => false`, and the browser tracker uses `navigator.sendBeacon()` or `fetch` with `keepalive: true`. Nothing in the plugin waits on a response from Harvv.

= Is this plugin HPOS (Custom Order Tables) compatible? =

Yes. The plugin declares compatibility with `custom_order_tables` and uses only the WC_Order CRUD API — never direct `$wpdb` access against order tables.

= What happens if my site loses internet connectivity? =

The browser tracker queues events locally and attempts to flush on each interval; unsent events are discarded silently when the browser tab closes. WooCommerce order events are fire-and-forget — if your site cannot reach `api.harvv.com` at the moment of `payment_complete`, the event is lost. We do not queue order events for retry on-site because doing so would require creating a custom database table, which this plugin intentionally does not do.

= How do I uninstall? =

Delete the plugin from the Plugins screen. All plugin options (`harvv_api_key`, `harvv_site_id`, and related) are removed via `uninstall.php`. The plugin never creates custom database tables on your site, so nothing is left behind.

= I use caching plugins — does this conflict? =

No. The tracker is enqueued in the footer and is cache-friendly (same output for every visitor). The Connect-flow REST endpoint is under `/wp-json/harvv/v1/*` and is gated by a one-shot nonce, so caching that endpoint is harmless.

== Changelog ==

= 1.0.0 =
* Initial release.
* Behavioral tracker (dead clicks, rage clicks, scroll depth, hover intent, JS errors, engagement).
* WooCommerce `payment_complete` order sync.
* HPOS (Custom Order Tables) compatibility declared.
* Connect-to-Harvv flow with one-shot nonce + HMAC-signed callback.
* Manual API-key entry as alternative path.
* Multisite support with per-subsite override.
* WordPress Privacy API integration (suggested policy text + empty exporter).

== Upgrade Notice ==

= 1.0.0 =
First release.
