Clickport
Start free trial
Dashboard Engagement Tracking Session Tracking Goal Conversions Filtering & Segments Privacy First Real-Time Analytics Bot Protection vs Google Analytics vs Matomo
For Bloggers For Affiliates For E-commerce For SaaS For Agencies
How It Works Blog Updates Documentation UTM Builder GDPR Checker GA4 Data Loss Estimator GA Legal Status GA Problems WordPress Analytics Bot Traffic AI Traffic Ecommerce Analytics WordPress Custom Events About Contact Status

GDPR Compliance

Clickport is designed to be GDPR-compliant from the ground up. This page explains the technical and legal basis for that claim, what data is collected, how it is processed, and how data subject rights are addressed.

Not legal advice. This page describes how Clickport works and why we believe it complies with the GDPR. For specific legal questions about your use case, consult a qualified data protection professional.

No consent banner required

The most impactful GDPR-related question for website owners is whether they need a cookie consent banner. With Clickport, the answer is no.

The reasoning has two parts:

  • No cookies. Clickport never sets cookies. It does not use localStorage for tracking. Session state is stored in sessionStorage, which is tab-scoped and automatically cleared when the tab closes. The ePrivacy Directive (Article 5(3)) requires consent for storing information on a user's device, but explicitly exempts storage that is "strictly necessary" for providing the service the user requested.
  • No personal data processing that requires consent. Under GDPR Article 6, processing personal data requires a legal basis. Clickport processes only aggregate, anonymous analytics data. Where data touches the boundary of personal data (the IP address), it is processed transiently and never stored (see below). This means legitimate interest (Article 6(1)(f)) applies as the legal basis, not consent.
Your website with Clickport
yoursite.com
No cookie banner. No consent popup. Visitors see your content immediately.
Zero cookies set. Check DevTools > Application > Cookies to verify.
No consent management platform (CMP) cost.

This means websites using Clickport as their only analytics tool can remove their cookie consent banner entirely (assuming no other tools on the site require consent). This eliminates the conversion loss from visitors declining cookies or closing the banner without interacting.

Legal basis: legitimate interest

Under GDPR Article 6(1)(f), data processing is lawful when it is necessary for the purposes of legitimate interests pursued by the data controller, provided those interests are not overridden by the rights and freedoms of the data subject.

Website analytics is a widely recognized legitimate interest. Clickport strengthens this basis by minimizing the data processed to the absolute minimum needed for useful analytics:

  • No personal identifiers are stored (no IP, no name, no email)
  • The visitor hash (user_id) rotates daily and cannot be reversed
  • No cross-site tracking is possible
  • No data is shared with third parties
  • No advertising profiles are built

The balancing test under legitimate interest favors this approach: the website owner's interest in understanding aggregate traffic patterns is not outweighed by any privacy impact on visitors, because no visitor can be identified from the data stored.

IP address handling

IP addresses are personal data under the GDPR (confirmed by the CJEU in the Breyer case, C-582/14). Clickport handles this by ensuring IP addresses are never stored in the database.

When a request arrives at the server, the IP address is used for exactly two operations:

  1. Geolocation lookup. The IP is resolved to a country, region, and city using a local database file (DB-IP). No external API call is made. Only the resulting geographic labels (like "DE" and "Berlin") are stored.
  2. Visitor hash generation. The IP is combined with the User-Agent string and a daily rotating salt, then hashed to produce a numeric user_id. This hash is irreversible. A new salt is generated every day, so the same visitor produces a different user_id each day.

After these two operations, the IP address is discarded. There is no IP column in the ClickHouse database schema. The IP address exists only in server memory for the duration of the request.

Data flow: visitor to database
All processing happens on a single EU server. IP never stored.
1
Visitor loads your page Browser sends pageview to clickport.io/api/event
EU
2
IP address arrives with the HTTP request Exists only in server memory
EU
3
Geo lookup via local DB-IP database No external API call. Result: country, region, city.
EU
4
Hash: IP + User-Agent + daily salt Produces numeric user_id. New salt every day at midnight.
EU
5
IP address discarded Never written to database. No IP column in schema.
EU
6
Anonymous data written to ClickHouse Country, city, device, browser, page URL, scroll, duration.
EU
Every step happens on a single Hetzner server in Gunzenhausen, Germany. Data never leaves the EU.

Why the daily rotating hash matters

The daily rotation of the hashing salt has two important privacy consequences:

  • No cross-day tracking. The same visitor gets a different user_id each day. It is impossible to build a profile of a visitor's behavior across multiple days.
  • Irreversibility. Even with access to the database, the hash cannot be reversed to recover the original IP address. The salt changes daily and is not stored alongside the hash.

What data is stored

The ClickHouse database stores two main tables: events (individual pageviews, clicks, form submissions) and sessions (aggregated per-visit data). Neither table contains personal data as defined by the GDPR.

Stored fields

  • user_id: Daily-rotating hash (not reversible to an individual)
  • session_id: Random numeric ID, valid only for the browser tab lifetime
  • Page URL and pathname: The pages visited
  • Referrer and referrer source: Where the visitor came from
  • Country, region, city: Derived from IP, then IP discarded
  • Device type, browser, OS: Parsed from User-Agent header
  • Screen width: Viewport width category (Desktop/Tablet/Mobile)
  • UTM parameters: Campaign tracking from URL parameters
  • Scroll depth, duration, engagement time: Behavioral metrics
  • Custom event names and properties: Defined by the site owner

Never stored

  • IP addresses
  • Names, email addresses, or phone numbers
  • Form field contents (only form name and ID)
  • Browser fingerprints (no canvas, WebGL, font, or audio fingerprinting)
  • Cross-site identifiers or advertising IDs
  • Cookies or persistent storage identifiers

EU-only data hosting

All visitor analytics data is stored on a Hetzner server in Gunzenhausen, Germany. The data never leaves the European Union.

This eliminates concerns about transatlantic data transfers that affect tools like Google Analytics. After the Schrems II ruling (C-311/18), transferring personal data to the US requires additional safeguards such as Standard Contractual Clauses (SCCs) and transfer impact assessments. With Clickport, none of this is necessary because the data stays in Germany.

Sub-processors

Clickport uses three sub-processors. None of them have access to visitor analytics data:

  • Hetzner (Germany): Server hosting. Stores all analytics data.
  • Resend (email delivery): Used only for transactional emails to Clickport customers (password resets, account notifications). Never sees visitor data.
  • Paddle (UK): Payment processing for subscriptions. Never sees visitor data.

Zero sub-processors touch your visitors' analytics data. The visitor data path is: visitor browser, Hetzner server, ClickHouse database. That is it.

GDPR compliance checklist
How Clickport addresses each GDPR requirement
Lawful basis for processing (Art. 6)
Legitimate interest. No personal data stored. Minimal, anonymous data collection only.
No consent required (ePrivacy Art. 5(3))
Zero cookies. sessionStorage only (tab-scoped, auto-cleared). No consent banner needed.
Data minimization (Art. 5(1)(c))
Only aggregate analytics data collected. No names, emails, form contents, or identifiers.
Purpose limitation (Art. 5(1)(b))
Data used exclusively for website analytics. No advertising, profiling, or resale.
Data protection by design (Art. 25)
Privacy is architectural, not configurable. IP discarded at ingestion. Daily rotating hashes.
No cross-border transfers (Art. 44-49)
All data stored on Hetzner in Germany. No US cloud providers. No Schrems II risk.
Security of processing (Art. 32)
TLS encryption in transit. Hetzner infrastructure security. No personal data at rest to breach.
Sub-processor transparency (Art. 28)
3 sub-processors listed. 0 have access to visitor analytics data. DPA available.

Data subject rights

The GDPR grants data subjects (visitors) several rights. Here is how each one applies when using Clickport:

Right to access (Art. 15)

A visitor has the right to know what personal data is being processed about them. Because Clickport does not store personal data that can be linked to an identifiable individual (no IP, no cookies, no persistent identifiers), there is no personal data to return in response to an access request. The daily rotating hash makes it impossible to identify which database records belong to a specific visitor.

Right to erasure (Art. 17)

Since individual visitors cannot be identified in the stored data, erasure requests typically cannot be fulfilled in the traditional sense. However, Clickport provides tools for site owners to manage data:

  • Session deletion: Individual sessions can be deleted from the Sessions panel in the dashboard. This permanently removes the session and all its associated events from ClickHouse.
  • Site deletion: Deleting a site removes all analytics data (sessions and events) for that site from ClickHouse.
  • Account deletion: Deleting your Clickport account removes all your sites and their data.

Right to portability (Art. 20)

Clickport supports data export through PDF reports and CSV exports. The CSV export generates a ZIP archive containing all dashboard data organized by category (traffic, pages, sources, geography, technology, campaigns, goals, sessions). These exports respect active filters and date ranges.

Right to object (Art. 21)

Visitors can object to processing in several ways:

  • Device exclusion: Visitors can opt out of tracking on any browser by visiting https://site.com/?clickport_exclude=1, by flipping the "Exclude my visits" toggle in the site owner's dashboard, or by setting localStorage.setItem('clickport_ignore', 'true') in the browser console. The tracker then exits before sending any event from that browser.
  • Do Not Track: Site owners can enable "Respect DNT" in site settings so that visitors with the Do Not Track header are not tracked.

Right to rectification (Art. 16)

Because no personal data is stored, there is no personal data to correct. The analytics data represents aggregate behavioral metrics (pages visited, scroll depth, duration) that are factual recordings of events.

ePrivacy Directive

The ePrivacy Directive (2002/58/EC, Article 5(3)) requires consent before storing or accessing information on a user's device. This is the legal basis for cookie consent banners across Europe.

Clickport does not trigger this requirement because:

  • No cookies are set. The tracker script does not call document.cookie at any point.
  • No localStorage is used for tracking. The tracker only reads localStorage once to check for the voluntary clickport_ignore opt-out flag. It never writes to it.
  • sessionStorage is tab-scoped. The tracker stores a session ID in sessionStorage to link multiple pageviews within the same tab into a single session. sessionStorage is cleared when the tab closes, is not shared across tabs, and qualifies as strictly necessary for the analytics service.

This interpretation is consistent with guidance from multiple EU data protection authorities, including the CNIL (France), which has confirmed that privacy-respecting analytics tools operating without cookies do not require consent under the ePrivacy Directive.

GDPR comparison
Clickport vs Google Analytics
Requirement Clickport Google Analytics
Consent banner required No Yes
Cookies set 0 Multiple (_ga, _gid, etc.)
IP address stored Never Truncated / anonymized
Data hosted in EU Germany (Hetzner) US (Google Cloud)
Cross-site tracking Not possible Via Google Signals
Data shared with third parties No Google ad products
Schrems II / transfer risk None (EU only) US transfer via SCCs
DPA fines risk Minimal Multiple EU DPAs have ruled against GA
DPIA required Typically no Recommended
Visitor fingerprinting None Device and browser signals

Multiple EU data protection authorities have issued rulings against the use of Google Analytics, including in Austria (DSB, January 2022), France (CNIL, February 2022), and Italy (Garante, June 2022). These rulings found that the transfer of personal data to the US via Google Analytics violated GDPR Articles 44-49.

Clickport avoids all of these issues by keeping data in the EU and not collecting personal data in the first place.

Data Processing Agreement

When you use Clickport to track visitors on your website, you are the data controller and Clickport is the data processor. Under GDPR Article 28, a Data Processing Agreement (DPA) is required between controller and processor.

Clickport provides a Data Processing Agreement that covers:

  • The nature and purpose of processing
  • Types of data processed
  • Sub-processor list and notification obligations
  • Data security measures
  • Assistance with data subject rights
  • Data deletion upon contract termination

Data retention

Clickport retains analytics data indefinitely for as long as your account is active. There is no automatic data expiration or 14-month retention limit (unlike Google Analytics). You can view your complete analytics history at any time.

Data is deleted when:

  • You delete a specific site (removes all sessions and events for that site)
  • You delete your Clickport account (removes all sites and their data)
  • You delete individual sessions via the Sessions panel

Bot detection statistics are automatically purged after 90 days via a ClickHouse TTL policy.

Recommendations for your privacy policy

Even though Clickport does not require a cookie consent banner, you should still mention the use of analytics in your privacy policy. Here is what to cover:

  • You use Clickport Analytics for website analytics
  • No cookies are set by the analytics tool
  • No personal data (IP addresses, names, emails) is collected or stored
  • Data is hosted in Germany (EU) and never transferred outside the EU
  • The legal basis is legitimate interest (GDPR Art. 6(1)(f))
  • Link to Clickport's privacy policy and GDPR compliance page
Legal documents: Clickport's full legal documentation is publicly available: Privacy Policy, GDPR Compliance, Data Processing Agreement, and Terms of Service.
Previous Script Configuration