Privacy Policy

Last updated:

1. Introduction

Web-Tracking.eu ("we", "us", "our") is a web analytics service operated from Denmark. This Privacy Policy explains how we collect, use, and protect information when you use our website and analytics service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).

Our service is designed from the ground up to be privacy-friendly. We do not use cookies for analytics tracking, we do not store IP addresses, and we do not engage in cross-site tracking of any kind.

2. Data Controller

The data controller for this service is:

Web-Tracking.eu
Denmark
Email: privacy@web-tracking.eu

3. Data We Collect

3.1 Analytics Data (collected on behalf of our customers)

When a visitor browses a website that uses our analytics script, we collect the following data points. This data is collected on behalf of our customers (the website operators) who act as data controllers for their visitors.

  • Page URL and referrer URL
  • Browser type and version (derived from User-Agent)
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Screen resolution
  • Country of origin (derived at request time, not stored as IP)
  • Language preference
  • UTM campaign parameters
  • Custom events (as configured by the website operator)

3.2 What We Do Not Collect or Store on Your Device

  • IP addresses are never stored or logged (only used ephemerally to derive a hashed visitor ID and resolve country/city via GeoIP)
  • No cookies are set for analytics purposes
  • No localStorage, sessionStorage, or IndexedDB is used
  • No personal identifiers or fingerprinting techniques
  • No cross-site or cross-device tracking
  • Because we do not store or access any information on the user's terminal equipment, no consent is required under ePrivacy Directive Article 5(3)

3.3 How Visitor Identification Works

To count unique visitors without storing anything on their device, we derive a daily-rotating hash from (IP + User-Agent + Site ID + current date + server salt). This hash is used as the visitor ID for that day only. Tomorrow, the same visitor gets a new ID, so we cannot track individuals across days.

3.3 Account Data

When you create an account to use our service as a customer, we collect:

  • Email address
  • Name (optional)
  • Billing information (processed by our payment provider)
  • Website domains registered for tracking

4. How We Use Your Data

We use the collected data for the following purposes:

  • Providing aggregated web analytics to our customers
  • Operating and maintaining the service
  • Processing payments and managing subscriptions
  • Communicating service updates and important notices
  • Improving the service based on usage patterns

We do not sell, rent, or share personal data with third parties for marketing purposes.

5. Legal Basis for Processing

We process data under the following legal bases as defined by the GDPR:

  • Legitimate interest (Article 6(1)(f)): For analytics data collection, as our service is designed to operate without personal data and serves the legitimate interest of website operators understanding their traffic.
  • Contract performance (Article 6(1)(b)): For account and billing data necessary to provide the service.
  • Legal obligation (Article 6(1)(c)): For data required by tax and accounting regulations.

6. Data Storage and Security

All data is stored on servers located in Germany, operated by Hetzner Online GmbH. Data never leaves the European Union. We implement appropriate technical and organizational measures to protect data, including:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest for all databases
  • Regular security updates and patching
  • Access controls with least-privilege principles
  • Regular backups with encrypted storage

7. Data Retention

Analytics data is retained according to the customer's plan tier:

  • Free: 30 days
  • Starter: 1 year
  • Growth: 3 years
  • Scale: 5 years

Customers may configure shorter retention periods in their dashboard settings. A daily background job permanently deletes analytics events that exceed the customer's plan retention. When a customer deletes their account, all associated analytics data is permanently deleted within 30 days.

Backups: we keep encrypted database snapshots in Hetzner Object Storage (Falkenstein, Germany) for 30 days on the primary bucket. Backups are pruned automatically after that. Even though our analytics data does not contain personal information by itself (cookieless hashes rotate daily and cannot be reversed), we apply the same retention discipline to backups as we do to live data.

Account and billing data is retained for the duration of the customer relationship and for an additional period as required by applicable tax and accounting laws (typically 5 years under Danish bookkeeping requirements). When you delete your account, billing data is anonymised but the legal accounting record is preserved.

7b. Operational Reliability

We run the service with the following operational practices to minimise downtime and data loss:

  • Zero-downtime deploys: the service runs in PM2 cluster mode with multiple worker processes. Code updates roll out worker-by-worker so at least one process is always available to receive tracking events.
  • Tracking script retries: the cookieless tracking script on customer sites retries failed event submissions with exponential backoff (500 ms → 1.5 s → 4 s) so transient server unavailability does not lose data.
  • Daily backups: automated PostgreSQL backups to Hetzner Object Storage in Falkenstein. We validate backup integrity automatically on every run and alert administrators if a backup fails or its archive cannot be parsed.
  • Encryption at rest: all storage (database disks + backup object storage) is encrypted by Hetzner.
  • Maintenance windows: in the rare case we need to take the service offline (major schema changes, etc.) we display a clear maintenance page and continue accepting tracking events (/api/collect stays online) so customer data is not lost.

8. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights:

  • Right of access: Request a copy of the data we hold about you.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion of your data.
  • Right to restriction: Request limitation of processing.
  • Right to data portability: Request your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent.

To exercise any of these rights, contact us at privacy@web-tracking.eu. We will respond within 30 days of receiving your request.

9. Cookies

Our analytics service does not use cookies to track website visitors. Our own website (web-tracking.eu) uses only essential cookies required for authentication and session management when you log into your account. No third-party tracking cookies are used.

10. Sub-processors

We use the following sub-processors to operate our service:

ProviderPurposeLocation
Hetzner Online GmbHInfrastructure and hostingGermany
Stripe Payments Europe LtdPayment processing + EU VAT (Stripe Tax)Ireland (EU)
Google LLCAuthentication (Google OAuth)EU (data processing)
MigaduEmail servicesSwitzerland

11. Payment Processing (Stripe)

We use Stripe Payments Europe Ltd (Ireland) for payment processing and Stripe Tax for automated EU VAT collection. When you subscribe to a paid plan, Stripe handles payment processing, VAT calculation per your jurisdiction, invoicing, and refunds. Stripe receives your billing details (name, address, payment method) directly — we never see your card number. See Stripe's privacy policy at stripe.com/privacy.

12. Authentication (Google OAuth)

If you choose to sign in with Google, Google receives your IP address and email during authentication. We only use Google to verify your identity -- no analytics or tracking data is shared with Google. See Google's privacy policy at policies.google.com/privacy.

13. International Transfers

All core infrastructure is located in Germany (Hetzner). Payment processing happens within the EU via Stripe Payments Europe Ltd (Ireland). Email is processed by Migadu (Switzerland — which the EU recognises as having adequate data protection). Google authentication may briefly process data outside the EU under their Standard Contractual Clauses. All sub-processors have adequate data protection mechanisms in place.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered customers via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Supervisory Authority

If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet).

16. Contact

For any questions regarding this Privacy Policy or our data practices, contact us at:

Web-Tracking.eu
Email: privacy@web-tracking.eu