Free · 15 minutes · Beginner

GDPR Compliance Overview

How Zenovay helps you comply with GDPR requirements for website analytics and visitor tracking. Learn about GDPR in this privacy compliance guide.

Tags: gdpr, privacy, compliance, europe, data-protection

Learn how Zenovay helps you comply with GDPR (General Data Protection Regulation) for your website analytics.

What is GDPR?

The General Data Protection Regulation is an EU law that:

  • Protects personal data of EU residents
  • Requires consent for data collection
  • Grants data access and deletion rights
  • Mandates data breach notifications
  • Imposes significant fines for non-compliance

Who Does GDPR Apply To?

GDPR applies if you:

  • Are based in the EU/EEA
  • Have visitors from the EU/EEA
  • Offer goods/services to EU residents
  • Monitor behavior of EU residents

Zenovay's GDPR Compliance

Privacy-First Design

Zenovay is designed with privacy in mind:

| Feature | Description |
| --- | --- |
| Cookieless option | The tracker can run without cookies or local storage |
| IP handling | IPs are hashed for visitor identification, never stored in plaintext |
| Data minimization | Only collect the data you need |
| EU data residency | Primary data is stored in the EU (Frankfurt) for every plan |
| Data portability | Export your personal account data (free, all plans) |
| Right to erasure | Delete account and visitor data on request |

Data We Collect

Standard Collection (Cookieless Mode):
├── Page URL
├── Referrer (domain)
├── Browser type
├── Device type
├── Country (derived from a hashed IP, IP not stored in plaintext)
└── Session identifier (in-memory, non-persistent)

Extended Collection (with cookies / consent):
├── Full page URL with parameters
├── Full referrer URL
├── Returning-visitor identifier
├── Custom event properties
└── Revenue data

Configuration Options

Cookieless Mode

Cookieless mode lets the tracker run without cookies or local storage — it uses an in-memory, window-scoped session identifier instead. This is the lawful-by-default option for tracking before consent.

To enable it for a website:

  1. Open the website's settings and select the Advanced tab.
  2. Under Privacy & Cookies, turn on Cookieless mode.
  3. Save changes.

In the same Advanced tab you can also set the cookie lifetime (when cookies are used), exclude routes from tracking, and mask form inputs so sensitive values are never captured.

IP Handling

Zenovay does not store raw IP addresses. IPs are used transiently to derive the visitor's country and to build a hashed, salted visitor identifier — the plaintext IP is never written to your analytics. See IP Handling for the details and any per-website options.

Loading After Consent

If you use cookie-based tracking instead, load the tracker only after the visitor has opted in. hasGDPRConsent stands for your own consent check (for example, a call into your consent manager):

// Only track after consent; hasGDPRConsent is your own consent check, not part of z.js
if (hasGDPRConsent('analytics')) {
  const script = document.createElement('script');
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
  document.head.appendChild(script);
}

Lawful Basis for Processing

Consent (Article 6.1.a)

When using cookie-based tracking:

  1. Implement a cookie consent banner
  2. Wait for explicit opt-in
  3. Load the tracking script after consent
  4. Provide an easy opt-out

Legitimate Interest (Article 6.1.f)

When using cookieless mode:

  1. Document your legitimate interest
  2. Conduct a balancing test
  3. Provide an opt-out mechanism
  4. Minimize data collection

Cookieless Mode + Legitimate Interest

Legitimate Interest Assessment

Purpose: Understanding website usage to improve user experience

Necessity: Analytics essential for:
  - Identifying broken pages
  - Understanding traffic sources
  - Improving content

Balancing Test:
  - Minimal data collected
  - No persistent identifiers (cookieless mode)
  - No cross-site tracking
  - Clear privacy policy
  - Easy opt-out available

Conclusion: Legitimate interest applies in cookieless mode

GDPR Rights Implementation

Right to Information (Article 13/14)

Provide a clear privacy policy:

## Analytics Data Collection

We use Zenovay Analytics to understand how visitors
use our website. We collect:

- Pages visited
- Time spent on pages
- Browser and device type
- Country (derived from IP, IP not stored in plaintext)

We do not:
- Store IP addresses in plaintext
- Track across websites
- Sell data to third parties

Data is stored in the EU and retained for [X] months.

Right of Access (Article 15)

A visitor can request the data you hold about them:

  1. The visitor submits a request
  2. You identify their data in Zenovay
  3. Export it (via the API, below)
  4. Provide it within 30 days

Via API (Pro plan and above):

# Retrieve analytics data for a website (filter by visitor as needed)
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
  -H "X-API-Key: zv_YOUR_API_KEY"

Separately, your own personal account data can be downloaded any time from your Profile page in the app — "Download my data" exports your profile, websites, team memberships, and account history as JSON. This is free on every plan (GDPR Article 20). See Download my data.

Right to Erasure (Article 17)

Delete visitor data on request:

  1. The visitor requests deletion
  2. Identify their records in Zenovay
  3. Delete the data
  4. Confirm deletion

To delete a specific visitor's data, locate their records first — if the visitor was identified (you passed an email or user ID into the tracker), find them under Identified Users (/analytics/profiles). For bulk or programmatic deletion, use the REST API (Pro and above).

To delete your own Zenovay account and all associated data, use Delete account on your Profile page. See Right to Erasure and Delete my account for details.

Right to Restriction (Article 18)

To pause processing for a visitor while a dispute is resolved, contact Zenovay support at [email protected] with the request. There is no self-service "restrict processing" toggle in the dashboard — restriction is handled by support.

Right to Data Portability (Article 20)

Export data in a machine-readable format:

Your personal account data: download it from your Profile page in the app ("Download my data"), which returns JSON. Free on every plan.

Visitor analytics data: retrieve it through the REST API (Pro and above):

# Retrieve analytics data in JSON format
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
  -H "X-API-Key: zv_YOUR_API_KEY"
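The access, erasure and portability steps above all start with the same task: finding every record in the export that belongs to the requester. The following JavaScript is an added example, not Zenovay's code; the response format of the visitors endpoint is an assumption (a JSON array of visitor records with arbitrary nested fields), the sample export is constructed, and `fetchVisitorExport` simply calls the endpoint shown above with the same X-API-Key header. Identifiers are matched as whole values, not substrings, so a short user ID does not sweep in unrelated records.

```javascript
// Added example (not Zenovay's code): locate every record in an analytics
// export that references a data subject, so it can be packaged for an access
// or portability request (Art. 15/20) or listed for deletion (Art. 17).
// ASSUMPTION: the endpoint returns a JSON array of visitor records with
// arbitrary nested fields; adjust if the real shape differs.

// Pull the export from the endpoint documented above (Pro plan and above).
async function fetchVisitorExport(websiteId, apiKey) {
  const url = `https://api.zenovay.com/api/external/v1/analytics/${encodeURIComponent(websiteId)}/visitors`;
  const res = await fetch(url, { headers: { 'X-API-Key': apiKey } });
  if (!res.ok) throw new Error(`export failed: HTTP ${res.status}`);
  return res.json();
}

// Identifiers supplied by the requester (email, user ID) are compared case-
// and whitespace-insensitively, but only as whole values.
function normalise(value) {
  return String(value).trim().toLowerCase();
}

// Depth-first scan: true if any string or number inside `node` equals a needle.
function mentions(node, needles) {
  if (node === null || node === undefined) return false;
  if (typeof node === 'string' || typeof node === 'number') {
    return needles.has(normalise(node));
  }
  if (Array.isArray(node)) return node.some((item) => mentions(item, needles));
  if (typeof node === 'object') {
    return Object.values(node).some((value) => mentions(value, needles));
  }
  return false;
}

// Partition an export into the subject's records and everyone else's.
// `matched` is what you hand over or delete; `rest` must stay untouched.
function locateSubjectRecords(records, identifiers) {
  const needles = new Set(identifiers.map(normalise));
  const matched = [];
  const rest = [];
  for (const record of records) {
    (mentions(record, needles) ? matched : rest).push(record);
  }
  return { matched, rest };
}

// Machine-readable package for the requester (Art. 15 access / Art. 20 portability).
function buildAccessPackage(records, identifiers, websiteId) {
  const { matched } = locateSubjectRecords(records, identifiers);
  return {
    websiteId,
    generatedAt: new Date().toISOString(),
    identifiersSearched: identifiers,
    recordCount: matched.length,
    records: matched,
  };
}

// Constructed sample export, shaped like the assumed endpoint response.
const SAMPLE_EXPORT = [
  { visitorId: 'v_1001', email: 'alice@example.com', country: 'DE', events: [{ name: 'pageview', url: '/pricing' }] },
  { visitorId: 'v_1002', userId: 'user-42', country: 'FR', events: [{ name: 'signup', props: { plan: 'pro' } }] },
  { visitorId: 'v_1003', country: 'NL', events: [{ name: 'pageview', url: '/docs' }] },
];

// Stand-alone run against the constructed sample.
console.log(JSON.stringify(buildAccessPackage(SAMPLE_EXPORT, ['Alice@Example.com '], 'WEBSITE_ID_PLACEHOLDER'), null, 2));
```

In practice you would replace `SAMPLE_EXPORT` with `await fetchVisitorExport(websiteId, apiKey)`, hand the package to the requester within the 30-day window, and for an erasure request use `matched` as the list of records to delete while keeping an audit note of how many were removed.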

Data Processing Agreement

When Required

Under GDPR Article 28, a DPA is required when Zenovay processes personal data on your behalf.

Getting a DPA

Zenovay publishes a standard, pre-signed DPA — you don't have to negotiate or chase a signature.

  1. Read the current DPA at zenovay.com/legal/dpa (available in all six locales, no sign-in required).
  2. It becomes a binding part of your contract automatically when you accept the Terms of Service on sign-up — no separate "accept" step.
  3. If your legal team needs a countersigned copy or a custom addendum, email [email protected]. There's no charge.

See Find the DPA for the full process.

DPA Contents

Our DPA includes:

  • Subject matter and duration
  • Nature and purpose of processing
  • Types of personal data
  • Categories of data subjects
  • Rights and obligations
  • Sub-processor list
  • Security measures
  • Audit rights

EU Data Residency

Data Location

Zenovay's primary database runs in the EU (Frankfurt, eu-central-1) for every customer, regardless of plan. Analytics events, visitor records, websites, team data, and audit logs are stored there. Backups are encrypted at rest in the same region.

Edge requests are served by Cloudflare Workers on the closest point-of-presence for low latency. The Workers do not persist data — they validate and forward events to the EU primary store. A small number of US-based subprocessors (e.g. Stripe, Resend) are covered by the EU–US Data Privacy Framework or Standard Contractual Clauses.

See Where is my data stored? for the complete picture.

Consent Manager Integration

Zenovay works alongside consent managers including:

  • Cookiebot
  • OneTrust
  • Osano
  • Termly
  • Custom solutions

Cookiebot Example

window.addEventListener('CookiebotOnAccept', function() {
  if (Cookiebot.consent.statistics) {
    loadZenovay();
  }
});

// Idempotent: consent events can fire more than once per page, so never inject z.js twice
function loadZenovay() {
  if (document.querySelector('script[src="https://api.zenovay.com/z.js"]')) {
    return;
  }
  const script = document.createElement('script');
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
  document.head.appendChild(script);
}

OneTrust Example

OneTrust.OnConsentChanged(function() {
  // OnetrustActiveGroups is a comma-delimited string of active category IDs;
  // C0002 is the Performance (analytics) category
  if (OnetrustActiveGroups.includes('C0002')) {
    loadZenovay();
  }
});
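The consent-gated snippet earlier on this page and the two consent manager examples above each load the script once consent is given, but they do not deal with repeated consent events or with a visitor withdrawing consent later. The following JavaScript is an added example, not part of Zenovay's documentation or of z.js: a small consent gate that loads the tracker at most once, accepts the consent flag from any consent manager, and on withdrawal removes the script tag and expires first-party cookies. The cookie prefix `_zv_` is a placeholder assumption, not a documented Zenovay cookie name; take the real names from your cookie audit. The DOM adapters are injectable so the gate's logic can be exercised outside a browser.

```javascript
// Added example, not part of Zenovay's documentation or of z.js: a consent
// gate that loads the tracker at most once, accepts consent signals from any
// consent manager, and handles withdrawal.

const ZENOVAY_SRC = 'https://api.zenovay.com/z.js';

// Browser adapters; injectable so the gate can run outside a browser.
// The defaults touch `document` only when they are actually called.
function defaultInject(src, trackingCode) {
  const script = document.createElement('script');
  script.src = src;
  script.setAttribute('data-tracking-code', trackingCode);
  document.head.appendChild(script);
  return script;
}

function defaultRemove(script) {
  if (script && script.parentNode) script.parentNode.removeChild(script);
}

// Removing the <script> tag does not stop code that already ran, so expire the
// tracker's first-party cookies too; most sites then reload the page.
function defaultClearCookies(prefix) {
  const expired = [];
  for (const pair of document.cookie.split(';')) {
    const name = pair.split('=')[0].trim();
    if (name.startsWith(prefix)) {
      document.cookie = name + '=; Max-Age=0; path=/';
      expired.push(name);
    }
  }
  return expired;
}

function createConsentGate({
  trackingCode,
  inject = defaultInject,
  remove = defaultRemove,
  clearCookies = defaultClearCookies,
  cookiePrefix = '_zv_', // ASSUMPTION: placeholder, not a documented Zenovay cookie name
}) {
  let state = 'pending'; // 'pending' -> 'loaded' <-> 'withdrawn'
  let handle = null;

  return {
    state: () => state,
    // Feed in the analytics/statistics consent flag every time the CMP fires.
    // Returns what the gate did so callers (and tests) can observe it.
    onConsent(granted) {
      if (granted && state !== 'loaded') {
        handle = inject(ZENOVAY_SRC, trackingCode);
        state = 'loaded';
        return 'loaded';
      }
      if (!granted && state === 'loaded') {
        remove(handle);
        handle = null;
        clearCookies(cookiePrefix);
        state = 'withdrawn';
        return 'withdrawn';
      }
      return 'noop'; // repeated grant, or a decline before anything was loaded
    },
  };
}

// Wiring for the consent managers named above; runs only in a browser.
if (typeof window !== 'undefined') {
  const gate = createConsentGate({ trackingCode: 'YOUR_TRACKING_CODE' });
  window.addEventListener('CookiebotOnAccept', () =>
    gate.onConsent(Boolean(window.Cookiebot && window.Cookiebot.consent.statistics)));
  window.addEventListener('CookiebotOnDecline', () => gate.onConsent(false));
  if (window.OneTrust && typeof window.OneTrust.OnConsentChanged === 'function') {
    window.OneTrust.OnConsentChanged(() =>
      gate.onConsent(String(window.OnetrustActiveGroups || '').includes('C0002')));
  }
}
```

The gate returns `'noop'` for a second grant, which is what prevents the double injection that a naive `OnConsentChanged` handler produces; the withdrawal path is the part to test against your real cookie names, because the page lists "Allow withdrawal" as a requirement and simply not loading the script next time does not satisfy it for the current session.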

Documentation Requirements

Privacy Policy

Include:

  • What data you collect
  • Why you collect it
  • How long you keep it
  • Who has access
  • User rights
  • How to opt out

Records of Processing

Maintain documentation:

  • Categories of data
  • Purpose of processing
  • Data retention periods
  • Security measures
  • Sub-processors used

If using cookies:

  • List all cookies
  • Explain purpose
  • State duration
  • Link to opt-out

Compliance Checklist

Technical Measures

  • Enable cookieless mode or get consent
  • Review your IP handling settings
  • Set appropriate data retention
  • Implement consent integration
  • Reference the Zenovay DPA (zenovay.com/legal/dpa)
  • Update your privacy policy
  • Document your lawful basis
  • Create a data subject request process
  • Maintain processing records

Organizational Measures

  • Train your team on GDPR
  • Appoint a DPO (if required)
  • Establish breach procedures
  • Run regular compliance audits

Enforcement and Fines

Potential Penalties

| Tier | Maximum fine | Examples |
| --- | --- | --- |
| Lower | €10M or 2% of revenue | No DPA, poor records |
| Higher | €20M or 4% of revenue | No consent, ignoring rights |

Recent Enforcement

Analytics-related fines have been issued for:

  • Transferring data to the US without safeguards
  • No valid consent for analytics
  • Ignoring opt-out requests

Best Practices

Start with Cookieless Mode

Enable cookieless mode for your website (website settings → Advanced → Privacy & Cookies). This gives you minimal tracking without requiring consent. Your script tag stays simple:

<!-- Minimal tracking, no consent needed -->
<script
  defer
  data-tracking-code="YOUR_TRACKING_CODE"
  src="https://api.zenovay.com/z.js"
></script>

Consent Banner Practices

If you do use cookie-based tracking, the consent banner should follow these practices:

  1. Don't pre-check consent boxes
  2. Make rejection as easy as acceptance
  3. Allow granular choices
  4. Remember preferences
  5. Allow withdrawal

Regular Reviews

  • Audit data collection quarterly
  • Review sub-processors annually
  • Update policies when changes occur
  • Test data subject request handling
