Compliance for legal teams edit

Does Simple Analytics collect personal data?

Simple Analytics does not collect personal data. We do not use cookies or similar tracking technologies. We are also careful to avoid collecting any metrics that could be used for finger-printing and singling out a user (Recital 26 GDPR). None of the data we collect fall under the GDPR.

Simple Analytics processes IP addresses for Internet communication but never stores them. See below for more information on how we process IP addresses.

Simple Analytics does not require user consent because it doesn’t use cookies or process any other data stored on the end user’s terminal (Art. 5(3) of the ePrivacy Directive).

Are data transfers an issue when using Simple Analytics?

Data transfers are not an issue. Simple Analytics does not collect personal data and does not rely on service providers outside the EU.

The anonymous data we collect can be transferred outside the EU with no compliance risks or burdens if needed. Our extra-EU customers don’t need to implement standard contractual clauses or other safeguards to make the data transfer GDPR compliant.

What is Simple Analytics’ role in the processing of the data?

The notions of data controller and data processor are defined concerning personal data by the GDPR (see Articles 4(7) and (8) GDPR). We only collect anonymous metrics. Therefore, we are neither data controllers nor data processors concerning the data we collect and process for our customers.

Simple Analytics is a sole data controller concerning IP addresses.

Do I need a Data Processing Agreement to use Simple Analytics?

A Data Processing Agreement is unnecessary because Simple Analytics is not a personal data processor.

Does Simple Analytics use third-party providers?

We rely on Dutch companies Worldserver and Leaseweb to store data. We also rely on BunnyCDN to deliver content. BunnyCDN is part of Slovenian company BunnyWay.

Worldserver, Leaseweb, and Bunnyweb are trusted, European, and GDPR-compliant providers with infrastructure located in the EU. We don’t need to use European providers, as non-personal data can be transferred without limitations under the GDPR. We still choose to do so to ensure that the processing is as transparent and confidential as possible.

The anonymized metrics collected by Simple Analytics are not personal data. They do not fall under the GDPR, and Articles 5(1)(a) and 6 do not apply to them. No legal basis is needed to process anonymous data.

IP addresses are processed by Simple Analytics as a sole data controller based on its legitimate interest (Art. 6(1)(f) GDPR) to provide the service.

Using Simple Analytics does not make you a controller of personal data. You do not need a legal basis to process the data, as the GDPR and the principle of lawfulness (5(1)(a) GDPR) do not apply to anonymous data.

How does Simple Analytics process IP addresses?

Although IP addresses are sent to us, they are immediately discarded from every request—we don’t process, log, store, or transfer IP addresses.

We are sole controllers concerning IP addresses. We minimize the processing of IP addresses by only using them for communication. We drop IP addresses from our systems after each request, and no trace of IP addresses can be found in our system logs.

Simple Analytics may match addresses against a list of known bots addresses as an optional setting. IP addresses are dropped immediately after the check.

IP addresses are never logged, stored, transferred, or processed in any other way.

Does Simple Analytics require a privacy notice or a privacy policy?

Simple Analytics does not require a privacy notice. Our customers are not controllers of personal data and are not required to provide any information under Art. 13 GDPR, as the provision only applies to the data controller.

For the same reason, it is not mandatory to include Simple Analytics in a website’s privacy policy. We still encourage our customers to do so to be as transparent as possible. This page