The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. It aims to give individuals control over their personal data and to simplify the regulatory environment.

Clickport Analytics is designed to be fully GDPR compliant without requiring any extra effort from you. We do not collect personal data, so the most restrictive parts of the GDPR simply do not apply.

No personal data collection

The GDPR applies to the processing of personal data. Clickport does not collect, store, or process any personal data from your website visitors. Specifically:

  • No cookies or tracking identifiers of any kind
  • No IP addresses stored (used once at request time for country lookup, then discarded)
  • No names, email addresses, or account information from visitors
  • No device fingerprinting
  • No cross-site or cross-device tracking

All data we collect is aggregate and non-personal: page URLs, referrer sources, browser type, device type, and country. None of this can be used to identify an individual visitor.

No consent banner required

Under GDPR and the ePrivacy Directive, consent banners are required when you store information on a user's device (cookies, localStorage) or process personal data.

Clickport does neither. We do not set any cookies. We use the browser's sessionStorage, which exists only within a single tab and is automatically cleared when the tab closes. The ePrivacy Directive explicitly exempts storage that is strictly necessary for providing a service the user has requested.

This means you can use Clickport on your website without displaying a cookie consent banner, without adding Clickport to your cookie management platform, and without obtaining prior consent from your visitors.

How visitor counting works

Many analytics tools use persistent cookies or fingerprinting to identify returning visitors. Clickport takes a different approach.

We generate a daily-rotating identifier by hashing the visitor's IP address, User-Agent, and a random salt. The hash changes every day. The raw IP address is never written to disk, and the salt is destroyed after a 24-hour overlap window. This makes it impossible to:

  • Link a visitor's activity across different days
  • Reverse the hash to recover the original IP address
  • Identify or track individual visitors over time

This approach gives website owners useful aggregate metrics (unique visitor counts) while preserving individual privacy.
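A sketch of the daily-rotating identifier described above, as an added example rather than Clickport's own code. HMAC-SHA256 keyed with the salt, the 16-character truncation, and the `DailySalts` and `visitor_id` names are assumptions; the page does not name the hash function.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class DailySalts:
    """Holds today's salt plus yesterday's (the 24-hour overlap), in memory only."""

    def __init__(self):
        self._salts = {}  # date -> 32 random bytes, never persisted

    def salt_for(self, day: date) -> bytes:
        # A fresh random salt is created the first time a day is seen.
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def rotate(self, today: date) -> None:
        # Destroy every salt older than yesterday. The IPv4 space is small enough
        # to enumerate while a salt exists, so irreversibility rests on this step.
        cutoff = today - timedelta(days=1)
        for day in [d for d in self._salts if d < cutoff]:
            del self._salts[day]

    def has(self, day: date) -> bool:
        return day in self._salts


def visitor_id(salts: DailySalts, day: date, ip: str, user_agent: str) -> str:
    # Assumed construction: HMAC-SHA256 keyed with the day's salt.
    # Fields are length-prefixed so ("1.2.3.4", "5x") and ("1.2.3.45", "x") differ.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (ip.encode(), user_agent.encode()))
    return hmac.new(salts.salt_for(day), msg, hashlib.sha256).hexdigest()[:16]


def demo():
    salts = DailySalts()
    d1, d2, d3 = date(2026, 2, 9), date(2026, 2, 10), date(2026, 2, 11)
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"  # constructed input
    first = visitor_id(salts, d1, ip, ua)
    again = visitor_id(salts, d1, ip, ua)     # same day: same identifier
    next_day = visitor_id(salts, d2, ip, ua)  # new salt: unlinkable identifier
    salts.rotate(d3)                          # d1's salt is now gone for good
    return first == again, first != next_day, salts.has(d1), salts.has(d2)
```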

Per-site tracking rules

Every Clickport site has a Tracking rules tab in Settings that lets the controller (you) decide which traffic gets recorded before it ever reaches the database. Four list types, all enforced at ingestion with silent drops:

  • IP block list: reject single IPs or CIDR ranges (IPv4). Useful for excluding your office network or known abuse sources.
  • Country block list: reject traffic from specific countries, including a special entry for anonymous proxies and VPNs. Useful if local procurement or sovereignty preferences direct you to refuse data from particular jurisdictions.
  • Page block list: reject events on specific URL paths, with wildcards. Useful for keeping internal admin pages, staging routes, and auth flows out of analytics.
  • Hostname allow list: restrict tracking to a list of approved hostnames. Empty list accepts all (the default). Add one entry and strict mode kicks in. This is the defense against tracker theft, where someone copies your snippet onto a different domain to inflate counts or burn through your tier.

Rejected events return a normal HTTP 200 to the visitor but are never written to ClickHouse, never appear in any panel, and never count against your monthly pageview tier. From a GDPR perspective, the rules give you concrete, documentable control over the categories of data your processor handles.
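One way such ingestion-time rules could be evaluated, as an added example and not Clickport's implementation. The `TrackingRules` structure, the `ANON` country marker, fnmatch-style path wildcards and the order in which rules are checked are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class TrackingRules:
    ip_block: list = field(default_factory=list)      # IPv4 addresses or CIDR ranges
    country_block: set = field(default_factory=set)   # "ANON" is a hypothetical proxy/VPN marker
    page_block: list = field(default_factory=list)    # path patterns, "*" as wildcard (assumed)
    hostname_allow: set = field(default_factory=set)  # empty set accepts every hostname


def drop_reason(rules, ip, country, hostname, path):
    """Return the name of the rule that rejects the event, or None to record it."""
    addr = ipaddress.ip_address(ip)
    for entry in rules.ip_block:
        # A bare address parses as a /32; strict=False tolerates host bits in a CIDR.
        if addr.version == 4 and addr in ipaddress.ip_network(entry, strict=False):
            return "ip"
    if country in rules.country_block:
        return "country"
    if any(fnmatchcase(path, pattern) for pattern in rules.page_block):
        return "page"
    # Normalise before comparing: drop a port, a trailing dot, and letter case.
    host = hostname.split(":")[0].rstrip(".").lower()
    if rules.hostname_allow and host not in rules.hostname_allow:
        return "hostname"  # strict mode: snippet copied onto an unapproved domain
    return None


def ingest(rules, event, sink):
    """Silent drop: the caller always gets 200, only accepted events reach the sink."""
    if drop_reason(rules, **event) is None:
        sink.append(event)
    return 200


def demo():
    rules = TrackingRules(["198.51.100.0/24"], {"ANON"}, ["/admin/*"], {"example.com"})
    ok = dict(ip="203.0.113.9", country="DE", hostname="example.com", path="/pricing")
    events = [ok, {**ok, "ip": "198.51.100.20"}, {**ok, "country": "ANON"},
              {**ok, "path": "/admin/users"}, {**ok, "hostname": "copycat.example.net"}]
    sink = []  # stands in for the database; all events here are constructed samples
    statuses = [ingest(rules, e, sink) for e in events]
    return statuses, [drop_reason(rules, **e) for e in events], sink
```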

Data hosted in the EU

All Clickport data is stored on servers operated by Hetzner, a German company with data centers in Germany. Your analytics data never leaves the European Union.

This eliminates concerns about international data transfers for visitor analytics data. For account-related communications, we use Resend (USA), which is certified under the EU-US Data Privacy Framework.

Our sub-processors:

  • Hetzner (Gunzenhausen, Germany): Server hosting, database storage, and infrastructure
  • Resend (USA): Transactional email delivery for account-related emails only (password resets, verification)
  • Paddle (London, UK): Payment processing as our merchant of record. Paddle handles all billing, VAT, and invoicing. See Paddle's privacy policy

We do not use Google services, advertising networks, CDNs, or any other external services that process visitor data.

Your rights as a Clickport customer

If you create a Clickport account, we collect your email address and a securely hashed password. Under the GDPR, you have the following rights regarding this data:

  • Right of access: You can view all data associated with your account in the dashboard settings
  • Right to rectification: You can update your email address and name at any time from account settings
  • Right to erasure: You can delete your account and all associated data at any time. Deletion is immediate and permanent
  • Right to data portability: One click in Settings prepares a ZIP of 17 daily-aggregated CSVs covering every metric we collect for your site, emailed to you with a 24-hour download link. Free at every tier, no waiting period, no format lock-in. See the export documentation for the full file list and column units
  • Right to object: You can cancel your account and stop all data processing at any time

For data subject requests, contact us at privacy@clickport.io.

Your visitors' rights

Because Clickport does not collect personal data from website visitors, GDPR data subject rights (access, rectification, erasure, portability) do not apply to visitor analytics data. There is no personal data to access, correct, or delete.

If a visitor contacts you with a data subject request regarding Clickport analytics, you can confidently respond that no personal data about them is stored or processed by Clickport.

Data Processing Agreement

If you need a Data Processing Agreement (DPA) for your records or to satisfy your own compliance requirements, we provide one. You can review and sign our DPA at clickport.io/dpa.

While a DPA is technically not required when no personal data is processed, we provide one for customers who want an extra layer of contractual assurance.

Further reading

If you have questions about GDPR compliance or our privacy practices, contact us at privacy@clickport.io.

Last updated: February 11, 2026.