Privacy Policy

Last updated: November 24, 2025

At Webonlytics, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web analytics service.

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Name and email address
  • Password (encrypted and hashed)
  • Account creation date
  • Two-factor authentication settings (optional)

1.2 Website Analytics Data

When visitors browse websites using our tracking service, we collect comprehensive analytics data:

  • Page Information: URLs visited, page titles, referrer URLs, page type classification
  • Device Information: Device type (desktop, mobile, tablet), device brand, screen resolution, viewport dimensions
  • Browser Information: Browser type and version, operating system and version
  • Geographic Information: Country, region/state, city, latitude/longitude coordinates (accurate to ~1 meter)
  • Language & Timezone: Preferred language setting, timezone
  • Session Information: Session ID, visit duration, pages per session, bounce rate, scroll depth percentage
  • Engagement Metrics: Interaction count, engagement type (impression, click, view, interaction), engagement duration and depth
  • Identity & Tracking: User fingerprint (device identifier), user ID (if logged in), canonical user ID (links activity across your devices)
  • Marketing Data: UTM parameters (source, medium, campaign, term, content), channel classification, attribution touchpoints
  • E-commerce Data: Purchase history, transaction data, product views, cart actions (if applicable)
  • Consent Status: Consent categories and preferences

1.3 What We Minimize

Privacy-Conscious Practices:

  • We do NOT use third-party advertising cookies from ad networks
  • We do NOT sell your raw visitor data to data brokers
  • We do NOT share data with unauthorized third parties
  • IP addresses are anonymized for website visitor analytics (full IPs retained only for account security)
  • All data is stored in EU-based data centers for GDPR compliance

Note: We DO perform cross-device tracking to link your activity across multiple devices (desktop, mobile, tablet) for accurate analytics. You have the right to object to this tracking. See the "Cross-Device Tracking" section below for details.

2. How We Use Your Data

We use the collected information for:

Providing Analytics Services

Generating insights, reports, and visualizations for website owners

Service Improvement

Improving our platform performance, features, and user experience

Communication

Sending service updates, security alerts, and support messages

Legal Compliance

Meeting legal obligations and preventing fraud or abuse

3. Advanced Tracking Technologies

Important Disclosure:

We employ advanced tracking technologies including device fingerprinting, cross-device tracking, and IP-based geolocation. These methods help us provide accurate analytics but may have privacy implications.

3.1 Device Fingerprinting & Identification

We use device fingerprinting technology to identify unique devices accessing websites using our analytics service.

What is Device Fingerprinting?

Device fingerprinting creates a unique identifier based on your device's characteristics without using cookies. This allows us to recognize your device across visits.

Data Collected for Fingerprinting:

  • Screen resolution, color depth, viewport dimensions
  • Timezone, language preferences
  • Installed fonts, browser plugins
  • WebGL renderer information
  • Canvas and audio fingerprinting data
  • Battery status, hardware concurrency
  • Device brand and model (when available)

Purpose:

  • Prevent duplicate visitor counting
  • Enable cross-device user identification and journey tracking
  • Detect fraudulent or automated traffic
  • Provide trusted device authentication for account holders

Legal Basis: Legitimate interest for fraud prevention and analytics accuracy. You have the right to object to fingerprinting at any time.

3.2 Precise Geolocation Tracking

We collect precise geolocation data to provide location-based analytics.

Data Collected:

  • Latitude and longitude coordinates (accurate to approximately 1 meter)
  • Country, region/state, city
  • IP-based geolocation estimates

How Collected:

  • IP address geolocation databases
  • Browser Geolocation API (when granted permission)
  • GPS data from mobile devices (when applicable)

Purpose:

  • Geographic performance analysis
  • Regional behavior analysis
  • Fraud detection and prevention
  • Marketing attribution by location

Legal Basis: Legitimate interest for analytics (IP-based). Explicit consent required for browser Geolocation API or GPS data.

Your Control:

You can deny geolocation permissions in your browser settings. IP-based geolocation cannot be disabled but is less precise than GPS.

3.3 Cross-Device Tracking & Identity Resolution

We link your activity across multiple devices (desktop, mobile, tablet) to provide a unified view of your behavior and accurately measure marketing effectiveness.

How We Link Devices:

  • Deterministic matching (100% confidence): When you log in on multiple devices using the same account, we definitively link those devices
  • Probabilistic matching (60-95% confidence): When patterns suggest multiple devices belong to the same person, such as:
    • Same IP address and similar timing patterns
    • Same timezone, language, and geographic location
    • Sequential browsing behavior across devices
    • Similar device fingerprint characteristics

Data Linked Across Devices:

  • Device fingerprints from all your devices
  • Session IDs and browsing patterns
  • Page views, clicks, and engagement metrics
  • User IDs and a "canonical user ID" that represents you across all devices
  • Marketing touchpoints (ads clicked, emails opened, etc.)

Confidence Scoring: We assign confidence scores (0-100%) to probabilistic device matches and store the matching signals used. We only link devices when confidence exceeds 60%.

Example: How Cross-Device Tracking Works

  1. You click a Google ad on your work desktop → We assign fingerprint A and canonical ID "user_1"
  2. Later, you visit from your iPhone → We assign fingerprint B and canonical ID "user_2" (separate at first)
  3. You log in on your iPhone → We link fingerprint B to your account
  4. Next day, you log in on your desktop → We link fingerprint A to the same account
  5. Result: Fingerprints A and B now share the same canonical ID → We can see your complete journey: "Google ad on desktop → Purchase on iPhone"

Purpose:

  • Accurate unique visitor counting (preventing duplicate counts)
  • Cross-device attribution modeling for marketing effectiveness
  • Understanding complete customer journeys across all touchpoints
  • Improved analytics accuracy for website owners

Legal Basis: Legitimate interest for analytics accuracy and marketing optimization. We recommend website owners obtain explicit consent for cross-device tracking when required by applicable law.

Your Rights Regarding Cross-Device Tracking:

  • Right to Object: You can object to cross-device tracking at any time
  • Right to Unlink: You can request that we unlink your device identities
  • Right to Explanation: You can request information about which of your devices are linked
  • How to Exercise: Email privacy@webonlytics.com with subject "Opt-Out from Cross-Device Tracking"

4. Automated Profiling & Behavioral Segmentation

GDPR Article 22 Notice:

We use automated processing to create behavioral profiles and segment users. You have the right to object, request explanation, and obtain human review of automated decisions.

We use automated processing to create behavioral profiles and segment users based on their activity patterns.

4.1 Profiling Activities

  • RFM Segmentation: Classifying users by Recency (last visit), Frequency (visit count), Monetary value (purchase amount)
  • Behavioral Segments: High value customers, cart abandoners, at-risk users, active users, dormant users
  • User Journey Stages: Awareness → Consideration → Decision → Retention → Advocacy
  • Custom Segments: Website owners can create custom segment rules based on any behavioral criteria

4.2 Data Used for Profiling

  • Visit frequency, recency, and duration
  • Pages viewed and time spent per page
  • Purchase history and transaction values
  • Engagement metrics (scroll depth, clicks, interactions)
  • Device type, location patterns
  • Marketing attribution data

4.3 Segment Examples

High Value Customers

Users with lifetime value > $1000, 5+ purchases, recent activity

Cart Abandoners

Added items to cart but no purchase within 7 days

At Risk Users

Previously active but no visit in 30+ days

Brand Advocates

Multiple referrals, social shares, high engagement

4.4 Consequences of Profiling

Website owners may use profile segments for:

  • Targeted marketing campaigns and personalized emails
  • Personalized content recommendations
  • Differential pricing or special offers (if applicable)
  • Prioritized customer support (if applicable)

4.5 Your Rights Regarding Profiling

  • Right to Object: Object to profiling at any time
  • Right to Explanation: Request information about your profile and segments
  • Right to Human Review: Request human review of automated decisions
  • Right to Deletion: Request deletion of your behavioral profile

How to Exercise: Email privacy@webonlytics.com with subject "Opt-Out from Profiling"

Legal Basis: Legitimate interest for analytics and marketing optimization. We recommend obtaining explicit consent for high-risk profiling.

5. Artificial Intelligence & Predictive Analytics

Automated Decision-Making Disclosure (GDPR Article 13):

We use AI and machine learning models to generate predictions about user behavior. This constitutes automated decision-making which may have significant effects.

5.1 Predictions We Generate

Conversion Probability

Likelihood of making a purchase (0-100%)

Churn Risk

Likelihood of user becoming inactive (0-100%)

Customer Lifetime Value

Predicted total revenue from user over their lifetime

Next Likely Action

Predicted next page, product, or action user will take

5.2 AI Models & Technology

We use the following AI technologies:

  • Ollama: Open-source language models for natural language processing
  • Custom ML Models: Proprietary machine learning models trained on behavioral data
  • Model Versioning: We track model names, versions, and providers for transparency

5.3 Data Used for Predictions

  • Historical behavior (visits, purchases, engagement patterns)
  • Demographic data (industry, company size, if provided)
  • Device and location patterns
  • Session metrics and journey stages
  • Marketing attribution touchpoints
  • User properties and custom attributes

5.4 How Predictions Are Used

Website owners may use AI predictions for:

  • Personalized marketing campaigns and recommendations
  • Abandoned cart recovery automation
  • Churn prevention campaigns
  • Content and product recommendations
  • Resource allocation and prioritization

5.5 Transparency & Validation

Model Transparency:

  • You can request your prediction scores and confidence intervals
  • We provide feature importance (which factors influenced predictions)
  • We validate predictions against actual outcomes for accuracy
  • Prediction errors are logged and used to improve models

5.6 Your Rights Regarding AI

  • Right to Object: Object to AI profiling and predictions
  • Right to Explanation: Request explanation of prediction logic and features used
  • Right to Human Review: Request human review instead of automated decisions
  • Right to Contest: Challenge predictions you believe are inaccurate

Contact: Email ai-privacy@webonlytics.com for AI-related privacy questions

Legal Basis: Legitimate interest for analytics and marketing optimization. We recommend explicit consent for automated decision-making with significant effects.

6. Marketing Attribution & Campaign Tracking

We track the effectiveness of marketing campaigns across multiple touchpoints to measure ROI and optimize advertising spend.

6.1 Attribution Data Collected

  • UTM Parameters: Source, medium, campaign, term, content from URLs
  • Channel Classification: Paid, organic, direct, referral, social, email
  • Engagement Metrics: Duration on page, scroll depth, interaction count
  • Touchpoint Position: First touch, middle touches, last touch in customer journey
  • Cost Data: Ad spend, impressions, clicks (for ROI calculations)
  • Conversion Attribution: Which touchpoints led to conversions and their contribution weights

6.2 Attribution Models Used

First-Touch

100% credit to first interaction

Last-Touch

100% credit to final interaction

Linear

Equal credit to all touchpoints

Time-Decay

More credit to recent interactions

Position-Based

40% first, 40% last, 20% middle

Data-Driven (AI)

AI-calculated contribution weights

6.3 Purpose of Attribution Tracking

  • Measure marketing return on investment (ROI)
  • Optimize advertising spend across channels
  • Understand complete customer journey
  • Identify most effective marketing touchpoints

Legal Basis: Legitimate interest for marketing analytics.

7. Third-Party Advertising Platform Integrations

Website owners using Webonlytics can connect their advertising platform accounts to sync campaign data and metrics.

7.1 Supported Platforms

We integrate with the following advertising platforms:

  • Google Ads
  • Facebook Ads / Meta Business Suite
  • LinkedIn Ads (if applicable)
  • Other advertising platforms as configured by website owners

7.2 Data Collected from Ad Platforms

  • Campaign names, IDs, and metadata
  • Ad group and individual ad performance metrics
  • Impressions, clicks, conversions, and ad spend
  • Demographic targeting data (age, gender, interests)
  • Geographic performance data by region
  • Device performance data (desktop, mobile, tablet)
  • Hourly granular performance metrics

7.3 OAuth Tokens & Security

How We Access Platform Data:

  • We store OAuth access tokens and refresh tokens to access platform APIs
  • All tokens are encrypted at rest using AES-256 encryption
  • Tokens are used only for authorized data synchronization
  • You can revoke platform connections at any time in your dashboard

7.4 Purpose

  • Unified analytics dashboard combining website and ad data
  • ROI calculations and attribution modeling
  • Campaign performance analysis and optimization
  • Cross-channel marketing insights

Your Control: Disconnect ad platforms anytime in Settings → Integrations. Revoke OAuth tokens independently on each platform's security settings.

8. Privacy for Website Visitors

Are you a visitor to a website using Webonlytics?

This section explains how your data is collected and protected when you visit websites that use our analytics service.

8.1 Who We Are

Webonlytics provides analytics services to website owners (our customers). When you visit a website using our service, we collect analytics data on behalf of that website owner. The website owner is the Data Controller (they decide what data to collect), and Webonlytics is the Data Processor (we process data according to their instructions).

8.2 What Data We Collect About You

When you visit a website using Webonlytics tracking, we may collect:

Page Activity

  • Pages you visit
  • Time spent on each page
  • How you arrived (referrer)
  • Links you click

Device Information

  • Device type (mobile/desktop)
  • Browser type and version
  • Screen resolution
  • Operating system

Location Data

  • Country and city (from IP)
  • Timezone
  • Language preference
  • IP addresses are anonymized

Session Data

  • Session duration
  • Pages per session
  • Unique visitor identifier
  • Consent status

Privacy-Preserving Technology:

  • We use cookie-less tracking by default
  • IP addresses are anonymized immediately upon collection
  • We do NOT track you across different websites
  • We do NOT create advertising profiles
  • We do NOT sell your data to third parties

8.3 Why Your Data is Collected

Website owners use Webonlytics to:

  • Understand visitor behavior: See which pages are popular, how long visitors stay, and where they come from
  • Improve website performance: Identify slow pages, broken links, or usability issues
  • Measure marketing effectiveness: Track which campaigns or referral sources bring visitors
  • Enhance user experience: Optimize content and navigation based on visitor preferences

Legal basis: The website owner (Data Controller) determines the legal basis for processing your data, typically legitimate interest for analytics or consent if required by their privacy policy.

8.4 Your Rights as a Website Visitor

Under GDPR, CCPA, and similar data protection laws, you have the right to:

Access

Request what data has been collected about you

Rectification

Correct inaccurate or incomplete data

Erasure (Right to be Forgotten)

Request deletion of your visitor data

Data Portability

Receive your data in a portable format

Object to Processing

Opt-out from future tracking

Withdraw Consent

Revoke previously given consent

8.5 How to Exercise Your Visitor Rights

Option 1: Contact the Website Owner (Recommended)

The website you visited is the Data Controller and is primarily responsible for handling your data requests. Check their privacy policy for contact information.

Option 2: Opt-Out Directly from Webonlytics

You can request deletion of your visitor data and opt out of future tracking:

Delete My Visitor Data

8.6 Data Retention for Visitors

Visitor data is retained according to the website owner's data retention policy, typically:

  • Raw visitor data: Maximum 180 days (configurable by website owner in admin menu, default varies by account type)
  • Aggregated analytics: Converted to anonymous statistics after the retention period
  • After aggregation: Individual visitor identifiers are removed
  • Opt-out records: Maintained indefinitely to honor your opt-out preference

8.7 Who Can Access Your Data

Your visitor data is accessible to:

  • The website owner: The Data Controller who operates the website you visited
  • Webonlytics staff: Limited access for technical support and service operation
  • Sub-processors: Hosting providers and infrastructure services (under strict data processing agreements)

We do NOT: Share visitor data with advertisers, data brokers, or any third parties for marketing purposes.

8.8 International Data Transfers

All visitor data is stored in EU-based data centers, ensuring full GDPR compliance. If you're visiting from outside the EU, your data may be transferred to and processed in the EU under adequate safeguards.

8.9 Children's Privacy

Webonlytics does not knowingly collect data from children under 16 (or the applicable age in your jurisdiction). Website owners using our service are responsible for obtaining parental consent if their website is directed at children.

8.10 Questions or Complaints

Contact us: privacy@webonlytics.com

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

9. Cookies & Tracking Technologies

Cookie-Less Tracking by Default

Our tracking system is designed to work without third-party cookies. We use privacy-preserving methods to track website visitors.

Essential Cookies Only

We only use essential cookies for:

  • Authentication: Keeping you logged into your account
  • Security: CSRF protection and session management
  • Preferences: Remembering your dashboard settings

No consent banner required: Since we don't use tracking or advertising cookies, you won't see annoying cookie consent banners on our service.

10. Data Sharing & Disclosure

We Never Sell Your Data

Your data is yours, and we will never sell it to advertisers, data brokers, or third parties for marketing purposes.

Limited Data Sharing

We may share data only in these specific circumstances:

Service Providers

Third-party services that help us operate (e.g., hosting, email delivery), under strict data processing agreements

Legal Requirements

When required by law, court order, or government regulation

Business Transfers

In case of merger, acquisition, or sale of assets (you will be notified)

11. For Website Owners Using Webonlytics

Are you a website owner using Webonlytics?

As a Data Controller, you have specific obligations and responsibilities when collecting visitor data through our service.

11.1 Your Role as Data Controller

When you use Webonlytics on your website:

  • You are the Data Controller: You determine what visitor data to collect, for what purposes, and how long to retain it
  • Webonlytics is your Data Processor: We process visitor data on your behalf according to your instructions and our Data Processing Agreement
  • You are responsible: For ensuring lawful data collection, obtaining necessary consents, and handling visitor data requests

11.2 Data Processing Agreement (DPA)

Under GDPR Article 28, a Data Processing Agreement is required between you (Controller) and Webonlytics (Processor).

Our DPA Covers:

  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Duration of processing
  • Your rights and obligations as Controller
  • Our obligations as Processor (security, confidentiality, sub-processors)
  • Data breach notification procedures
  • Audit rights and assistance with compliance

Automatic DPA: By using Webonlytics, you agree to our standard DPA available in your account settings.

11.3 Your Obligations to Your Visitors

As a website owner using analytics, you must:

Privacy Policy

Disclose analytics tracking in your privacy policy with specific details

Legal Basis

Establish lawful basis for processing (consent, legitimate interest, etc.)

Consent (if required)

Obtain explicit consent if legally required in your jurisdiction

Data Requests

Handle visitor access, deletion, and portability requests

Data Retention

Set appropriate data retention periods and delete data when no longer needed

Records

Maintain records of processing activities (GDPR Article 30)

11.4 Required Privacy Policy Disclosures

Your privacy policy must inform visitors that you use Webonlytics for analytics. Here's sample text you can adapt:

Analytics: We use Webonlytics, a privacy-first analytics service, to understand how visitors interact with our website. Webonlytics collects information such as pages visited, device type, browser, location (country/city), and session duration. This data helps us improve our website and user experience.

Data collected: Page URLs, referrer URLs, device information, browser type, approximate location, session data

Data processor: Webonlytics (webonlytics.com)

Data retention: Maximum 180 days for raw data (configurable in admin settings), then aggregated and anonymized

Your rights: You can opt out of analytics tracking at any time by visiting webonlytics.com/delete

Legal basis: Legitimate interest for website analytics (or: Your consent, if applicable)

11.5 Handling Visitor Data Requests

When visitors exercise their GDPR rights, you can:

  • Access requests: Export visitor data from your Webonlytics dashboard
  • Deletion requests: Delete specific visitor data or direct visitors to our deletion page
  • Rectification requests: Update or correct visitor data as needed
  • Opt-out requests: Use our API to exclude specific visitors from tracking

Dashboard Tools: Access these features in Settings → Privacy & Compliance → Visitor Data Management

11.6 Sub-Processors

Webonlytics uses the following sub-processors to provide our service:

Service | Purpose | Location
Hetzner | Cloud hosting infrastructure | Germany (EU)
Cloudflare | CDN and DDoS protection | Global (EU data residency)
Mailgun | Transactional emails | EU region

All sub-processors operate under strict data processing agreements and GDPR compliance.

11.7 GDPR Compliance Checklist for Website Owners

  • Added analytics disclosure to your privacy policy
  • Determined legal basis for processing (consent or legitimate interest)
  • Implemented consent banner (if required in your jurisdiction)
  • Set up process for handling visitor data requests
  • Configured appropriate data retention period in dashboard
  • Reviewed and accepted Data Processing Agreement
  • Maintained records of processing activities (Article 30)

11.8 Liability & Indemnification

Important Legal Notice

As the Data Controller, you are responsible for ensuring your use of Webonlytics complies with applicable data protection laws. Webonlytics provides tools and features to help you comply, but ultimate responsibility rests with you.

You agree to indemnify Webonlytics against any claims arising from:

  • Your failure to obtain necessary consents
  • Your non-compliance with data protection laws
  • Your failure to handle visitor data requests properly
  • Your privacy policy inadequacies or misrepresentations

11.9 Best Practices

  • Transparency: Be clear about what data you collect and why
  • Minimization: Only track what you actually need
  • Regular Review: Periodically review your analytics setup and privacy policy
  • Respect DNT: Consider honoring Do Not Track (DNT) browser signals
  • Prompt Response: Handle visitor data requests within GDPR timeframes (30 days)
  • Document Everything: Keep records of your data protection compliance measures

11.10 Support for Website Owners

Need help with GDPR compliance or have questions about your obligations?

Access our Compliance Hub in your dashboard for templates, guides, and automated tools.

12. Your Rights (GDPR & CCPA)

Under GDPR and CCPA, you have the following rights:

Right to Access

Request a copy of all your personal data

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Delete your data (right to be forgotten)

Right to Data Portability

Export your data in machine-readable format

Right to Object

Object to certain data processing

Right to Restrict Processing

Limit how we process your data

Exercise Your Rights

To exercise any of these rights:

13. Data Retention

We retain different types of data for different periods based on their purpose and legal requirements:

Data Type | Retention Period | Reason
Raw visit data | Maximum 180 days (configurable in admin menu) | Analytics calculation, then aggregated
Aggregated statistics | Indefinitely | Anonymous reporting
User fingerprints | Until opt-out or 2 years of inactivity | Fraud prevention
Cross-device identities & links | Until opt-out or 2 years of inactivity | Analytics accuracy, marketing attribution
User profiles & segments | Until opt-out or account deletion | Personalization
AI predictions | 1 year | Model training validation
Attribution touchpoints | Maximum 180 days (configurable in admin menu) | Attribution modeling
Ad platform OAuth tokens | Until disconnected | API access
Account security data (IPs, device fingerprints) | Until account deletion + 30 days | Security, fraud prevention
Audit logs | 3 years | Legal compliance
Opt-out records | Indefinitely | Honor opt-out requests
Account information | While account is active | Service provision
Backups | 30 days after deletion | Disaster recovery (not accessible)

Note: The maximum data retention period of 180 days can be configured in the admin menu. Website owners can set a shorter retention period based on their privacy requirements. Some data may be retained longer if required by law or for legitimate business purposes (e.g., preventing fraud, resolving disputes). You can delete your account at any time.

14. Data Security

We implement industry-standard security measures to protect your data:

Technical Measures

  • TLS/SSL encryption for data in transit
  • AES-256 encryption for data at rest
  • Regular security audits and updates
  • Firewalls and intrusion detection

Organizational Measures

  • Limited access to personal data
  • Employee training on data protection
  • Data processing agreements with vendors
  • Incident response procedures

EU Data Centers: All data is stored in EU-based data centers, ensuring full GDPR compliance and data sovereignty.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Response Time: Within 72 hours
Data Protection Officer: dpo@webonlytics.com

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data properly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top
  • Sending an email notification for significant changes (if you have an account)

Your continued use of our service after any changes indicates acceptance of the updated Privacy Policy.