Clickport is designed to be GDPR-compliant from the ground up. This page explains the technical and legal basis for that claim, what data is collected, how it is processed, and how data subject rights are addressed.
The most impactful GDPR-related question for website owners is whether they need a cookie consent banner. With Clickport, the answer is no.
The reasoning has two parts:
localStorage for tracking. Session state is stored in sessionStorage, which is tab-scoped and automatically cleared when the tab closes. The ePrivacy Directive (Article 5(3)) requires consent for storing information on a user's device, but explicitly exempts storage that is "strictly necessary" for providing the service the user requested.
This means websites using Clickport as their only analytics tool can remove their cookie consent banner entirely (assuming no other tools on the site require consent). This eliminates the conversion loss from visitors declining cookies or closing the banner without interacting.
Under GDPR Article 6(1)(f), data processing is lawful when it is necessary for the purposes of legitimate interests pursued by the data controller, provided those interests are not overridden by the rights and freedoms of the data subject.
Website analytics is a widely recognized legitimate interest. Clickport strengthens this basis by limiting the data processed to the minimum needed for useful analytics:
The balancing test under legitimate interest favors this approach: the website owner's interest in understanding aggregate traffic patterns is not outweighed by any privacy impact on visitors, because no visitor can be identified from the data stored.
IP addresses are personal data under the GDPR (confirmed by the CJEU in the Breyer case, C-582/14). Clickport handles this by ensuring IP addresses are never stored in the database.
When a request arrives at the server, the IP address is used for exactly two operations:
user_id. This hash is irreversible. A new salt is generated every day, so the same visitor produces a different user_id each day.
After these two operations, the IP address is discarded. There is no IP column in the ClickHouse database schema. The IP address exists only in server memory for the duration of the request.
The daily rotation of the hashing salt has two important privacy consequences:
user_id each day. It is impossible to build a profile of a visitor's behavior across multiple days.
The ClickHouse database stores two main tables: events (individual pageviews, clicks, form submissions) and sessions (aggregated per-visit data). Neither table contains personal data as defined by the GDPR.
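The daily-salt scheme described above, as an added Node.js example that is not Clickport's code: the IP address feeds a keyed hash and never reaches the stored row. HMAC-SHA256, the hashed fields (site, IP, User-Agent), the 16-character truncation and rotation at UTC midnight are assumptions; the page names only the daily salt and the user_id.

```javascript
const crypto = require('node:crypto');

// Assumed design (not from the page): HMAC-SHA256 keyed with the daily salt
// over site + IP + User-Agent, truncated to 16 hex chars, rotating at UTC midnight.
class DailySaltHasher {
  constructor() {
    this.day = null;  // UTC date the current salt belongs to
    this.salt = null; // held in memory only, never persisted or logged
  }

  // Overwrite the salt when the UTC date changes; once the old salt is gone,
  // yesterday's user_ids cannot be recomputed from an IP address.
  saltFor(now) {
    const day = now.toISOString().slice(0, 10);
    if (day !== this.day) {
      this.day = day;
      this.salt = crypto.randomBytes(32);
    }
    return this.salt;
  }

  userId(site, ip, userAgent, now = new Date()) {
    return crypto.createHmac('sha256', this.saltFor(now))
      .update(JSON.stringify([site, ip, userAgent])) // unambiguous field framing
      .digest('hex')
      .slice(0, 16);
  }
}

// Build the row that is stored: the IP is an input to the hash and nothing else.
function toStoredEvent(hasher, req, now) {
  return {
    user_id: hasher.userId(req.site, req.ip, req.userAgent, now),
    site: req.site,
    path: req.path,
    timestamp: now.toISOString(),
  };
}

// Constructed sample request (IP from the RFC 5737 documentation range).
const sampleRequest = {
  site: 'example.com', path: '/pricing',
  ip: '203.0.113.7', userAgent: 'Mozilla/5.0 (constructed sample)',
};
const hasher = new DailySaltHasher();
const morning = toStoredEvent(hasher, sampleRequest, new Date('2024-05-01T08:00:00Z'));
const evening = toStoredEvent(hasher, sampleRequest, new Date('2024-05-01T21:30:00Z'));
const nextDay = toStoredEvent(hasher, sampleRequest, new Date('2024-05-02T08:00:00Z'));
console.log(morning.user_id === evening.user_id, morning.user_id === nextDay.user_id);
```

In a scheme like this the unlinkability rests on the salt: the IPv4 address space is small enough to enumerate, so a salt that is logged, backed up or kept past rotation would let that day's user_ids be matched back to addresses.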
All visitor analytics data is stored on a Hetzner server in Gunzenhausen, Germany. The data never leaves the European Union.
This eliminates concerns about transatlantic data transfers that affect tools like Google Analytics. After the Schrems II ruling (C-311/18), transferring personal data to the US requires additional safeguards such as Standard Contractual Clauses (SCCs) and transfer impact assessments. With Clickport, none of this is necessary because the data stays in Germany.
Clickport uses three sub-processors. None of them have access to visitor analytics data:
Zero sub-processors touch your visitors' analytics data. The visitor data path is: visitor browser, Hetzner server, ClickHouse database. That is it.
The GDPR grants data subjects (visitors) several rights. Here is how each one applies when using Clickport:
A visitor has the right to know what personal data is being processed about them. Because Clickport does not store personal data that can be linked to an identifiable individual (no IP, no cookies, no persistent identifiers), there is no personal data to return in response to an access request. The daily rotating hash makes it impossible to identify which database records belong to a specific visitor.
Since individual visitors cannot be identified in the stored data, erasure requests typically cannot be fulfilled in the traditional sense. However, Clickport provides tools for site owners to manage data:
Clickport supports data export through PDF reports and CSV exports. The CSV export generates a ZIP archive containing all dashboard data organized by category (traffic, pages, sources, geography, technology, campaigns, goals, sessions). These exports respect active filters and date ranges.
Visitors can object to processing in several ways:
localStorage.setItem('clickport_ignore', 'true') in the browser console will prevent the tracker from running on that browser.
Because no personal data is stored, there is no personal data to correct. The analytics data represents aggregate behavioral metrics (pages visited, scroll depth, duration) that are factual recordings of events.
The ePrivacy Directive (2002/58/EC, Article 5(3)) requires consent before storing or accessing information on a user's device. This is the legal basis for cookie consent banners across Europe.
Clickport does not trigger this requirement because:
document.cookie at any point.
localStorage once to check for the voluntary clickport_ignore opt-out flag. It never writes to it.
sessionStorage to link multiple pageviews within the same tab into a single session. sessionStorage is cleared when the tab closes, is not shared across tabs, and qualifies as strictly necessary for the analytics service.
This interpretation is consistent with guidance from multiple EU data protection authorities, including the CNIL (France), which has confirmed that privacy-respecting analytics tools operating without cookies do not require consent under the ePrivacy Directive.
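One way to check the three storage claims above in a test harness, as an added example that is not Clickport's code: logging stubs stand in for document.cookie, localStorage and sessionStorage, and an audit function reports what a tracker touched. Only the clickport_ignore key comes from this page; standInTracker and the cp_session key are hypothetical.

```javascript
// Storage stubs that log every access. Only 'clickport_ignore' comes from the
// page; standInTracker and the 'cp_session' key are hypothetical.
function makeStorage(name, log, initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem(k) { log.push(`${name}.read:${k}`); return data.has(k) ? data.get(k) : null; },
    setItem(k, v) { log.push(`${name}.write:${k}`); data.set(k, String(v)); },
  };
}

function makeEnv(localInitial = {}) {
  const log = [];
  const document = Object.defineProperty({}, 'cookie', {
    get() { log.push('cookie.read'); return ''; },
    set(_value) { log.push('cookie.write'); },
  });
  return {
    log, document,
    localStorage: makeStorage('localStorage', log, localInitial),
    sessionStorage: makeStorage('sessionStorage', log),
  };
}

// Hypothetical tracker that behaves the way the page describes.
function standInTracker(env) {
  if (env.localStorage.getItem('clickport_ignore') === 'true') return null; // opted out
  let sid = env.sessionStorage.getItem('cp_session');
  if (!sid) {
    sid = Math.random().toString(36).slice(2); // tab-scoped label, not a secret
    env.sessionStorage.setItem('cp_session', sid);
  }
  return sid;
}

// Run a tracker against fresh stubs and summarise what it touched.
function auditTracker(tracker, localInitial = {}) {
  const env = makeEnv(localInitial);
  const session = tracker(env);
  const count = (prefix) => env.log.filter((e) => e.startsWith(prefix)).length;
  return {
    session,
    cookieAccesses: count('cookie.'),
    localStorageReads: count('localStorage.read'),
    localStorageWrites: count('localStorage.write'),
    sessionStorageAccesses: count('sessionStorage.'),
  };
}

console.log(auditTracker(standInTracker), auditTracker(standInTracker, { clickport_ignore: 'true' }));
```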
| Requirement | Clickport | Google Analytics |
|---|---|---|
| Consent banner required | No | Yes |
| Cookies set | 0 | Multiple (_ga, _gid, etc.) |
| IP address stored | Never | Truncated / anonymized |
| Data hosted in EU | Germany (Hetzner) | US (Google Cloud) |
| Cross-site tracking | Not possible | Via Google Signals |
| Data shared with third parties | No | Google ad products |
| Schrems II / transfer risk | None (EU only) | US transfer via SCCs |
| DPA fines risk | Minimal | Multiple EU DPAs have ruled against GA |
| DPIA required | Typically no | Recommended |
| Visitor fingerprinting | None | Device and browser signals |
Multiple EU data protection authorities have issued rulings against the use of Google Analytics, including in Austria (DSB, January 2022), France (CNIL, February 2022), and Italy (Garante, June 2022). These rulings found that the transfer of personal data to the US via Google Analytics violated GDPR Articles 44-49.
Clickport avoids all of these issues by keeping data in the EU and not collecting personal data in the first place.
When you use Clickport to track visitors on your website, you are the data controller and Clickport is the data processor. Under GDPR Article 28, a Data Processing Agreement (DPA) is required between controller and processor.
Clickport provides a Data Processing Agreement that covers:
Clickport retains analytics data indefinitely for as long as your account is active. There is no automatic data expiration or 14-month retention limit (unlike Google Analytics). You can view your complete analytics history at any time.
Data is deleted when:
Bot detection statistics are automatically purged after 90 days via a ClickHouse TTL policy.
Even though Clickport does not require a cookie consent banner, you should still mention the use of analytics in your privacy policy. Here is what to cover: