Security Practices

Last updated: April 07, 2026

Security is fundamental to Statable. This page describes the technical and organizational measures we implement to protect your data and the data of your website visitors.

TL;DR

  • All data is hosted on EU servers located in the Netherlands
  • No cookies, no browser storage, no device fingerprinting
  • IP addresses are never stored — only anonymized hashes
  • Daily rotating salts prevent cross-day visitor tracking
  • Hashes are scoped per domain — no cross-site tracking
  • All traffic encrypted via HTTPS (TLS)
  • Data at rest encrypted using AES-256
  • Payment data handled by Stripe (PCI DSS compliant)
  • Authentication via OTP or Google OAuth — no stored passwords
  • Role-based access controls for internal operations
  • Regular backups with disaster recovery procedures
  • EU-based company (Netherlands) — GDPR jurisdiction

Data Minimization

Statable is designed to collect the minimum amount of data required to provide meaningful analytics. We deliberately avoid collecting data that could identify individual visitors.

We do not collect or store:

  • Names, email addresses, or contact information of visitors
  • IP addresses (used only for hashing, never stored)
  • Cookies or browser storage data
  • Device fingerprints
  • Cross-site identifiers
  • Behavioral profiles

Anonymization and Hashing

To count unique visitors without identifying them, we use a one-way hashing mechanism. When a visitor loads a page, we compute:

hash(daily_salt + website_domain + ip_address + user_agent)

Key properties of this approach:

  • One-way — the hash cannot be reversed to recover the IP address or User-Agent
  • Daily rotation — the salt changes every 24 hours, so the same visitor produces a different hash each day
  • Domain-scoped — hashes are unique per website, preventing cross-site correlation
  • Non-persistent — raw IP and User-Agent data is discarded immediately after hashing
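The scheme above, worked through in code. This is an added example, not Statable's implementation: it assumes HMAC-SHA256 keyed with a random 32-byte daily salt (the page does not name the hash or salt size), and the traffic and the helper names (`daily_salt`, `visitor_hash`, `record_pageview`, `unique_visitors`, `demo`) are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# In-memory salt store keyed by UTC day (constructed for this example). A real deployment
# keeps only the current day's salt, so yesterday's hashes cannot be recomputed or linked.
_salts: dict[date, bytes] = {}

def daily_salt(day: date) -> bytes:
    """Return the random 32-byte salt for `day`, generating it on first use."""
    if day not in _salts:
        _salts[day] = secrets.token_bytes(32)
    return _salts[day]

def visitor_hash(domain: str, ip: str, user_agent: str, day: date) -> str:
    """Anonymized visitor id: hash(daily_salt + website_domain + ip_address + user_agent).

    Implemented as HMAC-SHA256 keyed with the daily salt (an assumption; the page does
    not name the hash). Fields are joined with NUL separators so two distinct
    (domain, ip, user_agent) triples cannot collide by plain concatenation.
    """
    message = b"\0".join(s.encode("utf-8") for s in (domain.lower(), ip, user_agent))
    return hmac.new(daily_salt(day), message, hashlib.sha256).hexdigest()

def record_pageview(store: dict, domain: str, ip: str, user_agent: str, day: date) -> None:
    """Store only the hash; the raw IP and User-Agent are never written anywhere."""
    store.setdefault((domain, day), set()).add(visitor_hash(domain, ip, user_agent, day))

def unique_visitors(store: dict, domain: str, day: date) -> int:
    """Number of distinct visitor hashes seen for `domain` on `day`."""
    return len(store.get((domain, day), set()))

def demo() -> dict:
    """Constructed traffic (RFC 5737 documentation IPs): one visitor reloads three times,
    a second visitor arrives, the first also visits another site, then returns next day."""
    ua = "Mozilla/5.0 (constructed sample UA)"
    d1, d2 = date(2026, 4, 7), date(2026, 4, 8)
    store: dict = {}
    for _ in range(3):
        record_pageview(store, "example.com", "203.0.113.5", ua, d1)
    record_pageview(store, "example.com", "198.51.100.9", ua, d1)
    record_pageview(store, "example.org", "203.0.113.5", ua, d1)
    record_pageview(store, "example.com", "203.0.113.5", ua, d2)
    return {  # reloads collapse to one visitor; the other site and the next day are unlinkable
        "example.com day1": unique_visitors(store, "example.com", d1),
        "example.org day1": unique_visitors(store, "example.org", d1),
        "example.com day2": unique_visitors(store, "example.com", d2),
    }
```

The one-way property holds only while the daily salt stays secret: the space of IP and User-Agent pairs is small enough to enumerate, so the salt must be high-entropy and must never be logged or retained past its day.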

Encryption

In transit: All communication between your browser and our servers is encrypted using HTTPS with TLS. Our analytics script is served exclusively over HTTPS.

At rest: Data stored on our servers is encrypted at rest using industry-standard AES-256 encryption provided by our hosting infrastructure.

Infrastructure

All Statable servers are located in the Netherlands, within the European Union. Our hosting infrastructure is certified under ISO/IEC 27001 for information security management.

We use Cloudflare as our CDN for network performance, DDoS protection, and web application firewall (WAF) capabilities. Cloudflare helps protect our infrastructure from malicious traffic while ensuring fast delivery of our analytics script worldwide.

Our infrastructure is configured for high availability with automated backups and disaster recovery procedures.

Authentication and Access Control

Statable uses a passwordless authentication system. Customers authenticate using either:

  • One-Time Password (OTP) — a unique code sent to your email for each login
  • Google OAuth — delegated authentication through Google's secure sign-in

Because we store no passwords, there is no password database to breach. Session tokens are managed securely with appropriate expiration policies.

Internal access to production systems and customer data is restricted to authorized personnel on a need-to-know basis, using role-based access controls.

Data Ownership and Portability

You own your analytics data. We do not sell, share, or monetize customer data in any way. Statable is funded entirely through subscription revenue.

You can export your analytics data at any time. If you choose to delete your account, all associated data is permanently removed from our systems, including all backups, within 30 days.

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, store, or have access to your full credit card number or payment credentials.

We only store the minimum payment metadata necessary for subscription management: billing email, payment status, and transaction identifiers.

Sub-Processors

Service               | Purpose                          | Location         | Certifications
Server infrastructure | Server hosting and data storage  | Netherlands (EU) | ISO/IEC 27001
Cloudflare            | CDN, DDoS protection, WAF        | Global           | SOC 2 Type 2, ISO 27001
Stripe                | Payment processing               | United States    | PCI DSS Level 1
Google                | OAuth authentication (optional)  | United States    | SOC 2, ISO 27001

Vulnerability Disclosure

If you discover a security vulnerability in Statable, we encourage you to report it responsibly. Please contact us at [email protected] with details of the vulnerability.

We ask that you give us reasonable time to investigate and address the issue before making any public disclosure. We will acknowledge receipt of your report within 48 hours and provide regular updates on our progress.

Contact

For security-related questions or concerns, please contact us:

  • Email: [email protected]
  • Key Arg B.V., Hoge Bothofstraat 49, 7511 ZA Enschede, Overijssel, Netherlands

For more information about our data practices, see our Privacy Policy, GDPR Compliance, and Data Processing Agreement.