Privacy Policy

Last updated: February 10, 2026

1. Introduction

GDPRmetrics ("we", "us", "our") is a privacy-focused web analytics platform. We respect your privacy and are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains what personal data we collect, how we process it, the legal basis for processing, how long we retain it, and your rights as a data subject. It applies to all users of our website at gdprmetrics.com and our analytics services.

2. Data Controller

The data controller responsible for the processing of your personal data is:

GDPRmetrics

Operating in Poland

Email: contact@gdprmetrics.com

3. What Data We Collect

Account Data

When you register for our service via Google OAuth, we collect your email address and display name as provided by Google. We do not collect or store passwords — authentication is handled entirely through Google's OAuth 2.0 protocol.

Analytics Data (Collected on Your Behalf)

Our analytics tracker collects anonymous, aggregated website traffic data on behalf of our customers. This includes: page URLs visited, traffic source (referrer), browser type and version, operating system, device type, and approximate geographic location (country level). We do not collect IP addresses, do not use cookies, and do not create user profiles or track individuals across sessions.

Billing and Subscription Data

Payment processing is handled by Polar Software Inc. as our Merchant of Record, which processes payments through Stripe. We do not directly collect or store your payment card details. Polar may collect billing information (such as name, email, and payment method) in accordance with their own privacy policy. We store subscription status, plan type, and usage data necessary for service delivery.

Technical Data

When you use our dashboard, we may process your IP address, browser type, and device information for security purposes and to deliver the service. This data is not used for tracking or profiling.

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)) — Processing your account and subscription data is necessary to provide the analytics service you have signed up for.
  • Legitimate interest (Art. 6(1)(f)) — We process technical data for service security, fraud prevention, and service improvement. Our analytics tracker operates under our customers' legitimate interest in understanding their website traffic without identifying individuals.
  • Legal obligation (Art. 6(1)(c)) — We retain certain billing and transaction records as required by applicable tax and accounting laws.
  • Consent (Art. 6(1)(a)) — Where applicable, such as for optional marketing communications. You may withdraw consent at any time.

5. How We Use Your Data

  • Providing and maintaining the analytics service
  • Managing your account and authentication
  • Processing subscriptions and billing through our Merchant of Record
  • Communicating service updates and important notices
  • Improving service quality and performance
  • Ensuring security and preventing fraud or abuse
  • Fulfilling legal and regulatory obligations

6. Third-Party Services

We use the following third-party services to operate GDPRmetrics:

Google (Authentication)

We use Google OAuth 2.0 for user authentication. When you sign in, Google shares your email address and display name with us. Google's processing of your data is subject to Google's Privacy Policy.

Polar Software Inc. (Merchant of Record)

Polar acts as our Merchant of Record for all paid subscriptions. As the reseller of our digital services, Polar processes payments through Stripe, handles international sales taxes (VAT, GST, etc.), and manages billing on our behalf. Polar's processing of your payment data is subject to Polar's Privacy Policy and Stripe's Privacy Policy.

Cloudflare (Infrastructure)

Our service is hosted on Cloudflare's global infrastructure, including Cloudflare Workers, D1 database, KV storage, and Analytics Engine. Cloudflare processes data in accordance with their Privacy Policy and is committed to GDPR compliance.

7. Cookies and Tracking Technologies

Analytics tracker: Our analytics tracking script does not use cookies, local storage, or any persistent identifiers. It collects only anonymous pageview data and does not track individual users across sessions or websites.

Dashboard authentication: When you log into the GDPRmetrics dashboard, we use a single essential cookie to maintain your authenticated session. This cookie is strictly necessary for the service to function and does not require consent under GDPR.

We do not use any third-party tracking cookies, advertising pixels, or behavioral profiling technologies.

8. Data Retention

  • Account data: Retained for the duration of your active account. Upon account deletion, your data is removed within 30 days.
  • Analytics data: Raw analytics data is retained for 90 days in Cloudflare Analytics Engine, after which it is automatically deleted. Aggregated daily summaries may be retained longer for billing purposes.
  • Billing records: Transaction and subscription records are retained as required by applicable tax and accounting laws (typically 5–7 years).
  • Authentication session: Session tokens expire and are invalidated upon logout.

9. International Data Transfers

Your data may be processed outside the European Economic Area (EEA) by our third-party service providers:

  • Cloudflare operates a global network with data centers worldwide, including within the EEA. Cloudflare participates in the EU-U.S. Data Privacy Framework.
  • Polar Software Inc. is incorporated in the United States (Delaware). Payment data transfers are protected by Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.
  • Google participates in the EU-U.S. Data Privacy Framework for authentication data transfers.

All transfers are conducted with appropriate safeguards to ensure your data receives a level of protection consistent with the GDPR.

10. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — obtain a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to restriction — request that we limit the processing of your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at contact@gdprmetrics.com. We will respond to your request within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
  • Authentication is handled via OAuth 2.0 with JWT tokens — we never store passwords.
  • Data is stored on Cloudflare's secure, ISO 27001 certified infrastructure.
  • Access to personal data is restricted to authorized personnel only.

12. Children's Privacy

Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at contact@gdprmetrics.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will also notify registered users via email. We encourage you to review this policy periodically.

14. Contact

For any questions or concerns about this Privacy Policy or the processing of your personal data, contact us at:

GDPRmetrics — Data Protection

Email: contact@gdprmetrics.com