Security & Privacy — Webalytics Help

At Webalytics, privacy is built into the product — not bolted on. This article explains how we store data, what we collect, and how you can keep your account secure.

What data we collect

Webalytics collects only the data necessary to generate analytics. We do not collect or store:

Personal identifiable information (names, emails, phone numbers) of your site visitors
Full IP addresses (we use the first two octets only for geolocation, then discard the rest)
Fingerprinting data
Advertising identifiers

We do collect:

Anonymised session identifiers (reset every 24 hours)
Page URLs visited
Referrer source
Browser type, OS, screen size, and device category (aggregated)
Country (derived from IP, then IP is discarded)
Events you define or that are auto-captured

Cookie-free by default

Webalytics does not use cookies by default. This means you do not need a cookie consent banner for Webalytics tracking alone in most jurisdictions. Verify this with your own legal counsel for your specific situation.

💡

GDPR, PECR & CCPABecause we don't use cookies or collect personal data, Webalytics is designed to be compliant with GDPR, PECR, and CCPA out of the box. We are not a data processor under GDPR — we are a data controller for aggregate analytics only.

Data storage

Location: All data is stored on servers in the European Union (Frankfurt, Germany) by default. US-region storage is available on Team and Enterprise plans.
Retention: Analytics data is retained for 24 months on Free plans and indefinitely on Pro and Team plans (configurable).
Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Backups: Daily backups are retained for 30 days.

Compliance

GDPR compliant
SOC 2 Type II report available on request (Enterprise plans)
We do not sell or share your data with third parties
Sub-processors list available at webalytics.io/sub-processors

Password & account security

Strong passwords

Use a unique password of at least 12 characters. A password manager (1Password, Bitwarden, etc.) makes this effortless. Do not reuse passwords across services.

Two-factor authentication (2FA)

Enable 2FA under Settings → Security → Two-factor authentication. We support authenticator apps (TOTP) and email OTP. 2FA is required for all Team plan accounts.

Active sessions

Review and revoke active sessions from Settings → Security → Active sessions. If you see a session you don't recognise, revoke it and change your password immediately.

Reporting a security issue

If you discover a security vulnerability, please report it responsibly to security@webalytics.io. We review all reports within 48 hours and have a coordinated disclosure process.