GDPR Compliance
Zenovay is built with privacy-first principles and provides tools to help you comply with GDPR (General Data Protection Regulation) and other privacy laws like CCPA and PECR.
Overview
The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to organizations processing personal data of EU residents. Zenovay helps you meet GDPR requirements through:
- Privacy by design - Data minimization and anonymization built-in
- User consent management - Tools to respect user preferences
- Data subject rights - APIs to handle access and deletion requests
- Transparency - Clear data processing documentation
How Zenovay Processes Data
Data We Collect
Zenovay collects only the minimum data necessary for analytics:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Page URLs | Traffic analysis | Legitimate interest |
| Referrer | Traffic sources | Legitimate interest |
| Browser/Device | Technical analytics | Legitimate interest |
| Location (Country/City) | Geographic insights | Legitimate interest |
| Session data | User journey tracking | Legitimate interest |
Zenovay does NOT collect personally identifiable information (PII) by default. We don't use cookies for tracking and rely on privacy-friendly methods.
Data We Don't Collect
- Personal names, email addresses, or contact information
- IP addresses (we immediately hash them)
- Precise GPS coordinates
- Cross-site tracking data
- Sensitive personal data
Cookie-Free Tracking
Zenovay uses cookie-free tracking by default, which means:
- No cookie consent banner required in most cases
- Complies with ePrivacy Directive
- Better user experience (no cookie banners)
- More accurate analytics (no cookie blockers)
GDPR Compliance Features
1. Data Minimization
Zenovay automatically:
- Anonymizes IP addresses before storage
- Removes query parameters from URLs (optional)
- Limits data retention to your specified period
- Aggregates data where possible
2. Consent Management
Respect user privacy preferences:
```javascript
// Don't track if user has Do Not Track enabled
if (navigator.doNotTrack === '1') {
  window.zenovay('disable');
}

// Respect consent management platform
if (!userConsentGiven) {
  window.zenovay('disable');
}
```
3. User Opt-Out
Provide an opt-out mechanism for users:
```html
<!-- Add to your privacy policy page -->
<button onclick="window.zenovay('disable')">
  Opt out of analytics tracking
</button>
```
Users who opt out will have their preference stored locally and all tracking will stop.
4. Data Retention
Data retention is determined by your subscription plan:
| Plan | Retention Period |
|---|---|
| Free | 1 year |
| Pro | 2 years |
| Scale | 4 years |
| Enterprise | 4 years base, custom available |
When data exceeds your retention period, Zenovay uses a two-phase process: data is first hidden (soft-hide), then permanently deleted after a 30-day grace period. You receive email notifications before any permanent deletion.
Upgrading your plan during the grace period automatically recovers hidden data. See your plan's retention period in Settings → Billing.
Data Subject Rights
GDPR gives individuals specific rights regarding their data. Zenovay provides tools to fulfill these requests:
Right to Access (Article 15)
Users can request what data you have about them. Use the Zenovay dashboard or the External API to retrieve visitor data:
Via Dashboard:
- Go to your website's Visitors tab
- Use filters to locate the visitor's data
- Review all collected data points
Via API:
```bash
curl -X GET 'https://api.zenovay.com/api/external/v1/analytics/YOUR_WEBSITE_ID/visitors' \
  -H 'X-API-Key: YOUR_API_KEY'
```
Right to Erasure (Article 17)
Delete user data upon request through the Zenovay dashboard:
- Go to Settings → Security → Right to Erasure
- Search for the visitor's data
- Click Delete to permanently remove all associated data
Data deletion is permanent and cannot be undone. Zenovay processes deletion requests immediately and removes all associated visitor records.
Right to Data Portability (Article 20)
Export user data in machine-readable format through the dashboard:
- Navigate to Analytics → Data Export
- Select the date range and data types
- Choose format (CSV or JSON)
- Download the exported data
You can also use the External API to retrieve analytics data programmatically:
```bash
curl -X GET 'https://api.zenovay.com/api/external/v1/analytics/YOUR_WEBSITE_ID' \
  -H 'X-API-Key: YOUR_API_KEY'
```
Privacy Policy Requirements
If you use Zenovay, update your privacy policy to include:
Sample Privacy Policy Text
## Analytics
We use Zenovay, a privacy-friendly analytics service, to understand how visitors use our website. Zenovay collects:
- Pages you visit
- How you arrived at our site (referrer)
- Your approximate location (country/city)
- Device and browser information
Zenovay does NOT:
- Use cookies
- Collect personal information
- Track you across websites
- Sell your data
Your data is anonymized and aggregated. You can opt out of analytics tracking on our [Privacy Policy page].
For more information, see Zenovay's Privacy Policy: https://zenovay.com/privacy
Do Not Track (DNT)
Respect the Do Not Track browser setting:
```html
<script>
  // Check DNT before loading Zenovay
  if (navigator.doNotTrack !== '1') {
    // Load Zenovay tracking script
    (function(){
      // ... tracking script
    })();
  }
</script>
```
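The consent check from Consent Management and the Do Not Track check above, combined into one fail-closed decision, as an added example that is not Zenovay's own code. Only `window.zenovay('disable')` comes from this page; `dntEnabled`, `trackingDecision`, `applyDecision`, `readConsent` and `window.userConsentGiven` are hypothetical names assumed for illustration.

```javascript
// Added example, not Zenovay's code. Only window.zenovay('disable') is from
// this page; every other name here is hypothetical.

// Browsers have exposed Do Not Track as '1' or 'yes', on navigator or window.
function dntEnabled(nav, win) {
  const values = [nav && nav.doNotTrack, win && win.doNotTrack, nav && nav.msDoNotTrack];
  return values.some((v) => v === '1' || v === 'yes');
}

// readConsent is a hypothetical callback into your consent management platform.
// It returns true, false, or undefined when the visitor has not decided yet.
function trackingDecision(nav, win, readConsent) {
  if (dntEnabled(nav, win)) return { track: false, reason: 'dnt' };
  let consent;
  try {
    consent = readConsent();
  } catch (err) {
    // CMP not loaded or storage blocked: fail closed instead of tracking.
    return { track: false, reason: 'cmp-error' };
  }
  if (consent === false) return { track: false, reason: 'consent-denied' };
  if (consent !== true) return { track: false, reason: 'consent-pending' };
  return { track: true, reason: 'ok' };
}

// Apply the decision with the one call this page documents.
function applyDecision(win, decision) {
  if (!decision.track && typeof win.zenovay === 'function') {
    win.zenovay('disable');
  }
  return decision;
}

// Browser wiring; skipped when run outside a browser.
if (typeof window !== 'undefined') {
  applyDecision(
    window,
    trackingDecision(navigator, window, () => window.userConsentGiven)
  );
}
```

Use the returned `track` flag to skip loading the tracking script entirely, as the Do Not Track snippet above does.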
Cross-Border Data Transfers
Zenovay processes data globally through Cloudflare's network:
- Data Centers: Cloudflare's 300+ locations worldwide
- Primary Storage: EU data centers for EU customers (optional)
- Standard Contractual Clauses: In place for international transfers
- Adequacy Decisions: Compliant with EU-US Data Privacy Framework
Data Processing Agreement (DPA)
For Enterprise customers, we provide a Data Processing Agreement (DPA) that includes:
- Controller-Processor relationship definition
- Security measures and safeguards
- Sub-processor list
- Data subject rights procedures
- Breach notification commitments
Contact [email protected] to request a DPA.
Best Practices for Compliance
1. Update Your Privacy Policy
Clearly explain your use of analytics in your privacy policy.
2. Provide Opt-Out Mechanism
Add an opt-out button on your privacy policy page.
3. Respect User Preferences
Integrate with your consent management platform (CMP) if you use one.
4. Configure Data Retention
Set appropriate retention periods based on your business needs.
5. Document Your Legal Basis
Document why you're processing data (legitimate interest, consent, etc.).
6. Handle Data Subject Requests
Establish a process to handle access, deletion, and portability requests.
Legitimate Interest Assessment (LIA)
Under GDPR Article 6(1)(f), website analytics can be processed under legitimate interest:
Purpose: Understanding website traffic and user behavior to improve services
Necessity Test:
- ✅ Less invasive than alternatives (no cookies, no PII)
- ✅ Cannot achieve purpose through other means
- ✅ Data minimized to what's necessary
Balancing Test:
- ✅ User impact is minimal (no tracking across sites)
- ✅ Users can easily opt out
- ✅ Data is anonymized and aggregated
- ✅ No sensitive data collected
Conclusion: Legitimate interest is appropriate for basic website analytics with Zenovay's privacy-first approach.
This is a general assessment. Consult with your legal team to ensure compliance with your specific situation and jurisdiction.
CCPA Compliance
For California users, Zenovay helps you comply with CCPA:
- No sale of personal information - We never sell user data
- Right to know - API access to user data
- Right to delete - Deletion API available
- Right to opt-out - Built-in opt-out mechanism
Regional Settings
For enhanced compliance, enable regional data storage:
- Go to Settings → Data & Privacy
- Enable EU Data Residency (Enterprise only)
- All EU visitor data stays within EU data centers
Compliance Checklist
- Update privacy policy to mention Zenovay
- Configure data retention period
- Add opt-out button to privacy page
- Honor the Do Not Track browser setting
- Document legal basis for processing
- Establish data subject request procedure
- Review and sign DPA (Enterprise customers)
- Train team on privacy procedures
Need Help?
For GDPR-specific questions or compliance assistance, contact our privacy team at [email protected].
This guide provides general information about GDPR compliance with Zenovay. It does not constitute legal advice. Consult with your legal counsel for specific compliance requirements.