GDPR Compliance

No. Statable does not use cookies, localStorage, sessionStorage, or any form of browser-side storage for analytics purposes. Our tracking script does not set any cookies on your visitors' devices.

Because we do not use cookies or similar tracking technologies, the ePrivacy Directive (often called the "Cookie Law") does not require a consent banner for Statable analytics. You can use Statable on your website without asking visitors for consent to track them.

Instead of cookies, we generate a daily rotating hash to count unique visitors. The hash is created from:

• A daily-rotating salt (changes every 24 hours)
• The website domain
• The visitor's IP address
• The visitor's User-Agent string

The raw IP address and User-Agent are never stored. Only the resulting one-way hash is used, and it cannot be reversed to identify the original visitor. Because the salt rotates daily, the same visitor generates a completely different hash each day, making cross-day tracking impossible.

Additionally, hashes are scoped to each individual website domain. This means visitors cannot be tracked across different websites that use Statable.

Our analytics script collects the minimum data necessary to provide useful website analytics:

• Page URL (with automatic PII filtering)
• Referrer URL
• Browser type and version
• Operating system
• Device type (desktop, mobile, tablet)
• Screen size
• Language preference
• Country (derived from IP address, not stored)
• Page view timestamps
• Session duration and scroll depth
• Custom events (if configured by the website owner)

We do not collect names, email addresses, or any form of personal contact information from website visitors. We do not engage in cross-site tracking, device fingerprinting, or behavioral profiling.

When you create a Statable account, we act as the data controller for your account information. This includes:

• Email address (used for authentication and communication)
• Account settings and preferences
• Payment information (processed by Stripe; we never store card details)

Our legal basis for processing this data is the performance of a contract (Article 6(1)(b) GDPR) and our legitimate interests in operating the service (Article 6(1)(f) GDPR).

When our analytics script runs on your website, we act as a data processor on your behalf. You, as the website owner, are the data controller for your visitors' data.

We process the minimum amount of data necessary to provide analytics insights. All data is anonymized through our hashing mechanism, and raw personal data (IP addresses) is never stored.

We offer a Data Processing Agreement (DPA) that governs our processing of visitor data on your behalf. The DPA is automatically included as part of our Terms of Service.

Key Arg B.V. is incorporated in the Netherlands, a member state of the European Union. All analytics data is processed and stored on servers located in the Netherlands.

We use Cloudflare as our CDN provider for network performance and security. Cloudflare may process network traffic data in accordance with their own privacy policy, but the analytics data itself is stored exclusively within the EU.

This means no analytics data leaves the European Economic Area, eliminating concerns about international data transfers under GDPR Chapter V.

Under the GDPR, individuals have specific rights regarding their personal data. Because Statable anonymizes visitor data through one-way hashing, we cannot identify or retrieve data relating to a specific individual visitor.

For Statable customers (account holders), we fully support:

• Right of access— you can view all data associated with your account
• Right to rectification— you can update your account information at any time
• Right to erasure— you can delete your account and all associated data
• Right to object— you can contact us to exercise this right

To exercise any of these rights, please contact us at [email protected].

Because of our privacy-first design, Statable is also compliant with other major privacy regulations:

• ePrivacy Directive (PECR)— no cookies or browser storage used
• CCPA / CPRA (California)— we do not sell personal information and do not engage in cross-context behavioral advertising
• COPPA (Children's Online Privacy)— we do not knowingly collect data from children under 13

We use the following third-party services to operate Statable:

If you have any questions about our GDPR compliance or data practices, please contact us:

• Email: [email protected]
• Key Arg B.V., Hoge Bothofstraat 49, 7511 ZA Enschede, Overijssel, Netherlands