What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals located in the European Union, regardless of where the organization is based.

GDPR establishes strict requirements for how personal data must be collected, processed, stored, and protected. It also grants individuals significant rights over their personal data.

Key GDPR Principles
Lawfulness, fairness, transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality; Accountability.

How AnalyticsX Helps You Comply

Our platform is designed from the ground up to help website owners comply with GDPR requirements. Here's how we support your compliance efforts:

  • No cookies used for visitor tracking (no consent banner required)
  • No personally identifiable information (PII) collected from visitors
  • IP addresses are anonymized before storage (last octet removed)
  • No cross-site tracking or user fingerprinting
  • Data processing agreements (DPA) available for all customers
  • Easy data export and deletion capabilities
  • Servers located in the European Union
  • End-to-end encryption for all data transmission

Cookie-Free Tracking
Because AnalyticsX doesn't use cookies or collect personal data from visitors, websites using our service typically do not need to display a cookie consent banner under GDPR and ePrivacy Directive requirements.

Data We Process

Visitor Data (Anonymous)

For website visitors, we process only anonymous, aggregated data:

  • Page URL and referrer source
  • Device type (desktop, mobile, tablet)
  • Browser type and version
  • Operating system
  • Country and city (from anonymized IP)
  • Session duration and pages viewed
  • No names, emails, phone numbers, or other PII is collected

Account Data (Authenticated Users)

For account holders, we process:

  • Username (for authentication)
  • Email address (for account recovery and notifications)
  • Encrypted password hash (never stored in plain text)
  • Account creation date and last login timestamp
  • Subscription and billing information (processed by third-party payment processors)

Legal Basis for Processing

AnalyticsX processes data under the following GDPR legal bases:

  • Legitimate Interest (Article 6(1)(f)): For anonymous website analytics that don't identify individuals
  • Contract Performance (Article 6(1)(b)): For providing our service to account holders
  • Legal Obligation (Article 6(1)(c)): For complying with tax and accounting requirements
  • Consent (Article 6(1)(a)): For optional marketing communications (can be withdrawn anytime)

No Consent Required for Visitors
Since we don't use cookies or collect personal data from website visitors, consent is not required under GDPR Article 7 for basic analytics tracking.

Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data. We provide mechanisms to honor all of these rights:

  • Right to Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Request limitation of data processing
  • Right to Data Portability (Article 20): Request data in machine-readable format
  • Right to Object (Article 21): Object to processing of your data
  • Rights on Automated Decision-Making (Article 22): Not applicable (we don't use automated decision-making)

How to Exercise Your Rights
To exercise any of these rights, contact us at info@analyticsx.top. We will respond within 30 days as required by GDPR.

Data Processing Agreement (DPA)

Under GDPR Article 28, when we process personal data on behalf of our customers, we act as a data processor. We offer a Data Processing Agreement to all customers that includes:

  • Scope and purpose of data processing
  • Duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller (you)
  • Technical and organizational security measures
  • Sub-processor information and approvals
  • Data breach notification procedures
  • Data deletion and return procedures
  • Audit and inspection rights

DPA Available
A standard Data Processing Agreement is available to all AnalyticsX customers. Contact our legal team to request a copy or discuss custom terms.

International Data Transfers

AnalyticsX stores all data on servers located within the European Union. This ensures that data never leaves the EU, eliminating the need for additional safeguards required for international transfers under GDPR Chapter V.

  • Primary data centers: European Union (GDPR-compliant jurisdiction)
  • Backup servers: European Union
  • No data transfers to third countries
  • All infrastructure providers are GDPR-compliant and certified

EU Data Sovereignty
All data stays within the European Union, ensuring full compliance with GDPR data transfer restrictions and protecting against foreign surveillance laws.

Security Measures

GDPR Article 32 requires appropriate technical and organizational measures to ensure data security. We implement:

  • SSL/TLS encryption for all data transmission (HTTPS only)
  • Encryption at rest for all stored data
  • Encrypted password storage using bcrypt
  • Regular security audits and vulnerability testing
  • Automatic session timeout for inactive users
  • IP address anonymization (last octet removed)
  • Database access controls and logging
  • Employee access restrictions and training
  • Incident response and breach notification procedures

Data Breach Notification

Under GDPR Articles 33-34, data controllers must notify supervisory authorities within 72 hours of becoming aware of a personal data breach. Our procedures include:

  • 24/7 monitoring and detection systems
  • Immediate internal incident response team activation
  • Customer notification within 72 hours if affected
  • Documentation of all breaches regardless of severity
  • Cooperation with supervisory authorities
  • Remediation and prevention measures implementation

Sub-Processors

We use the following sub-processors to deliver our service. All are GDPR-compliant and bound by data processing agreements:

  • Cloud Hosting: EU-based infrastructure provider (data storage)
  • Email Service: Transactional email delivery (EU-based)
  • Payment Processor: Subscription billing (PCI-DSS compliant)
  • CDN: Content delivery (EU nodes only)

We will notify customers of any new sub-processors and provide an opportunity to object.

Data Retention

GDPR requires that personal data be kept no longer than necessary. Our retention periods:

  • Visitor Analytics: Based on your subscription plan (7 days to unlimited)
  • Account Data: Retained while account is active
  • Billing Records: 7 years (legal requirement for tax purposes)
  • Deleted Accounts: All data permanently deleted within 30 days

You can configure shorter retention periods or manually delete data at any time from your dashboard.

Your Responsibilities

As an AnalyticsX customer, you are the data controller for your website visitors. Your responsibilities include:

  • Informing visitors about analytics collection in your privacy policy
  • Ensuring you have a legal basis for processing visitor data
  • Responding to data subject requests from your visitors
  • Configuring appropriate data retention settings
  • Not collecting personally identifiable information through our tracking
  • Complying with any additional local privacy requirements

Legal Disclaimer
While AnalyticsX is designed to facilitate GDPR compliance, we cannot provide legal advice. Regulations vary by jurisdiction and use case. We recommend consulting with a qualified legal professional to ensure your specific implementation complies with all applicable laws.

Supervisory Authority

Under GDPR, you have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates GDPR requirements.

Our lead supervisory authority is the data protection authority in the jurisdiction where AnalyticsX is registered. You may also contact the supervisory authority in your country of residence.

Updates to This Page

We will update this GDPR compliance page as regulations evolve or our practices change:

  • Changes will be reflected in the "Updated" date at the top of this page
  • Significant changes will be communicated to account holders via email
  • Historical versions available upon request

We encourage you to review this page periodically for updates.

Contact Us

For GDPR-related questions, data subject requests, or compliance inquiries:

Data Protection Officer

For GDPR inquiries, data subject requests, or privacy compliance questions, contact our Data Protection Officer.

info@analyticsx.top