Privacy Policy

Eurolytics is built to give you useful analytics without compromising your visitors' privacy. Here's exactly what we collect, what we don't, and why.

Tracking: What We Collect From Your Visitors

When someone visits a website using Eurolytics, our tracker collects the minimum data needed to produce useful analytics. We store no user-identifiable information.

Data we collect per pageview

Field | What it is
page path | The URL path visited (e.g. /pricing), without query strings
referrer domain | The domain of the referring page (e.g. google.com), not the full URL
UTM parameters | Campaign tags (utm_source, utm_medium, utm_campaign, utm_term, utm_content) if present
country & region | Derived from IP geolocation, then the IP is discarded (see below)
device type | Desktop, mobile, or tablet — parsed from the User-Agent header
browser & OS | Browser name and operating system — parsed from the User-Agent header
screen size | Width and height in pixels
engagement | Time on page and scroll depth (sent when the visitor leaves the page)
custom events | Event names and properties you choose to send (e.g. "signup", "purchase")

Data we never store in the tracking flow

  • IP addresses — Used only for geolocation lookup. The IP is truncated (IPv4 to /24, IPv6 to /48) before any processing, then discarded entirely. Never written to disk.
  • Raw User-Agent strings — Parsed into device, browser, and OS fields, then thrown away. The raw string is never stored.
  • Cookies — We set zero cookies. No first-party, no third-party, none. This is why you don't need a consent banner for Eurolytics.
  • Fingerprinting data — No canvas fingerprinting, WebGL hashes, font enumeration, or any browser fingerprinting technique.
  • Persistent identifiers — No localStorage, no IndexedDB, no tracking across sessions or days.
  • Full referrer URLs — We extract only the domain. Query strings, paths, and fragments are stripped.
  • Full page query strings — Only recognized UTM parameters are extracted. Everything else is discarded.

How visitor identification works

To count unique visitors without tracking individuals, we generate a daily rotating identifier. It's computed as an HMAC hash of the site ID, a truncated IP, and basic device info, combined with a secret key and the current date. This produces an opaque token (visitor_day) that cannot be reversed to reveal the original inputs. Because the date is part of the hash, the identifier changes every day — there is no way to connect a Monday visitor to the same person on Tuesday. No cross-day or cross-site tracking is possible.
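
The sketch below is an added illustration of the scheme described above, not Eurolytics' own code. HMAC-SHA256, the length-prefixed field encoding, the handling of IPv4-mapped IPv6 addresses, the function names, and the sample key and inputs are all assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Constructed sample key; a real deployment would load a random server-side secret.
SAMPLE_SECRET = b"constructed-example-key-not-a-real-secret"


def truncate_ip(ip: str) -> str:
    """Zero the host bits: IPv4 to /24, IPv6 to /48 (the prefixes the policy states)."""
    addr = ipaddress.ip_address(ip)
    # Assumption: treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4, otherwise
    # every such client would collapse into the same /48.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def visitor_day(secret: bytes, site_id: str, ip: str, device: str, day: date) -> str:
    """Daily rotating token: HMAC over site ID, truncated IP, device info and date."""
    fields = [site_id, truncate_ip(ip), device, day.isoformat()]
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    monday, tuesday = date(2024, 1, 1), date(2024, 1, 2)
    device = "desktop|Firefox|Linux"  # constructed device info
    a = visitor_day(SAMPLE_SECRET, "site-1", "203.0.113.77", device, monday)
    b = visitor_day(SAMPLE_SECRET, "site-1", "203.0.113.77", device, tuesday)
    c = visitor_day(SAMPLE_SECRET, "site-1", "203.0.113.200", device, monday)
    print("same visitor, next day differs:", a != b)
    print("same /24 and device on one day collide:", a == c)
```

Two visitors who share a /24 and the same device info on the same day produce the same token, so truncation trades some counting precision for not processing the full address.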

AI Crawler & Bot Tracking

Eurolytics classifies traffic as human, bot, or AI crawler. When we detect a bot (via User-Agent matching, pixel tracking, or honeypot links), we store:

  • The bot name (e.g. GPTBot, ClaudeBot, Googlebot)
  • The bot category (AI crawler, search engine, social, SEO tool)
  • Which page was accessed and when
  • How it was detected (JavaScript tracker, pixel, or honeypot)

The same privacy rules apply: no IP addresses or raw User-Agent strings are stored for bot traffic either.

Dashboard: What We Store For Your Account

When you sign up for a Eurolytics dashboard account, we store personal information necessary to provide the service. This data is kept in PostgreSQL, separate from the analytics database.

Account information

Field | Details
email | Your email address, used for login, verification, and service communications
name | Your display name (optional)
password | Stored as a bcrypt hash (cost factor 12). We never store or see your plaintext password.
email verified | Whether you've completed email verification

Session & security data

To keep your dashboard account secure, we store session information when you log in:

Field | Details
session token | A hashed JWT token stored in an httpOnly cookie (7-day expiry)
device / browser / OS | So you can see which devices are logged into your account
IP address | Stored for your login sessions only, for security purposes (detecting unauthorized access)
last active | When you last used the dashboard

Site & team configuration

  • Sites: Domain names you've registered for tracking, along with snippet configuration and onboarding status
  • Team members: Email addresses and roles of people you've invited to your organization
  • Goals & funnels: Conversion tracking rules you've defined
  • Notification preferences: Your email report and alert settings

Emails

We send transactional emails (verification codes, password resets, welcome messages) and optional notification emails (weekly reports, traffic alerts) via Brevo. We keep a log of sent emails (recipient, type, subject, timestamp) for debugging delivery issues. You can control notification emails from your account settings.

Where Data Is Stored

All Eurolytics infrastructure is hosted in the European Union with Hetzner, a German cloud provider. Analytics data lives in ClickHouse, account data lives in PostgreSQL. Both databases run on EU servers.

We use MaxMind's GeoLite2 database for IP geolocation. The geolocation lookup happens on our servers — IP addresses are never sent to a third party for this purpose.

GDPR & Privacy Regulations

Eurolytics stores no user-identifiable data in the tracking flow. No cookies, no fingerprinting, no persistent identifiers, and no personal data collection from your website visitors. Visitor IDs rotate daily and IP addresses are never stored.

This makes it straightforward to remain GDPR compatible when using Eurolytics as your analytics provider. Because there is no personal data in the analytics pipeline, you do not need to display a cookie consent banner or add Eurolytics to your consent management platform.

We cannot speak to your organization's total data flow or compliance posture — that depends on all the tools and processes you use. But on the Eurolytics side of things, there is simply no personal visitor data to worry about.

Your Rights

  • Data export: You can export all your analytics data as JSON from the dashboard at any time.
  • Account deletion: Contact us at hello@eurolytics.app to delete your account and all associated data.
  • Data correction: You can update your name and email from your account settings, or contact us for assistance.

Contact

If you have questions about this privacy policy or how we handle data, reach out at hello@eurolytics.app.