GDPR Compliance
Zenovay is built with privacy-first principles and provides tools to help you comply with GDPR (General Data Protection Regulation) and other privacy laws like CCPA and PECR.
Overview
The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to organizations processing personal data of EU residents. Zenovay helps you meet GDPR requirements through:
- Privacy by design - Data minimization and anonymization built-in
- User consent management - Tools to respect user preferences
- Data subject rights - APIs to handle access and deletion requests
- Transparency - Clear data processing documentation
How Zenovay Processes Data
Data We Collect
Zenovay collects only the minimum data necessary for analytics:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Page URLs | Traffic analysis | Legitimate interest |
| Referrer | Traffic sources | Legitimate interest |
| Browser/Device | Technical analytics | Legitimate interest |
| Location (Country/City) | Geographic insights | Legitimate interest |
| Session data | User journey tracking | Legitimate interest |
Zenovay does NOT collect personally identifiable information (PII) by default. The tracking script operates in cookieless mode on the marketing site (no cookies, no localStorage — window-scoped in-memory IDs only). Within the logged-in dashboard, session cookies are used solely for authentication and are strictly necessary.
Data We Don't Collect
- Personal names, email addresses, or contact information
- IP addresses (we immediately hash them)
- Precise GPS coordinates
- Cross-site tracking data
- Sensitive personal data
Cookie-Free Tracking
Zenovay uses cookie-free tracking by default, which means:
- No cookie consent banner required in most cases
- Complies with ePrivacy Directive
- Better user experience (no cookie banners)
- More accurate analytics (no cookie blockers)
GDPR Compliance Features
1. Data Minimization
Zenovay automatically:
- Anonymizes IP addresses before storage
- Removes query parameters from URLs (optional)
- Limits data retention to your specified period
- Aggregates data where possible
2. Consent Management
Respect user privacy preferences:
```javascript
// Don't track if user has Do Not Track enabled
if (navigator.doNotTrack === '1') {
  window.zenovay('disable');
}

// Respect consent management platform
// (userConsentGiven is a placeholder for the boolean your CMP provides)
if (!userConsentGiven) {
  window.zenovay('disable');
}
```
3. User Opt-Out
Provide an opt-out mechanism for users:
```html
<!-- Add to your privacy policy page -->
<button onclick="window.zenovay('disable')">
  Opt out of analytics tracking
</button>
```
Users who opt out will have their preference stored locally and all tracking will stop.
4. Data Retention
Data retention is determined by your subscription plan:
| Plan | Retention Period |
|---|---|
| Free | 1 year |
| Pro | 2 years |
| Scale | 4 years |
| Enterprise | 4 years base, custom available |
When data exceeds your retention period, Zenovay uses a two-phase process: data is first hidden (soft-hide), then permanently deleted after a 30-day grace period. You receive email notifications before any permanent deletion.
Upgrading your plan during the grace period automatically recovers hidden data. See your plan's retention period in Settings → Workspace → Billing & invoices.
Data Subject Rights
GDPR gives individuals specific rights regarding their data. Zenovay provides tools to fulfill these requests:
Right to Access (Article 15)
Users can request what data you have about them. Use the Zenovay dashboard or the External API to retrieve visitor data:
Via Dashboard:
- Go to your website's Visitors tab
- Use filters to locate the visitor's data
- Review all collected data points
Via API:
```bash
curl -X GET 'https://api.zenovay.com/api/external/v1/analytics/YOUR_WEBSITE_ID/visitors' \
  -H 'X-API-Key: YOUR_API_KEY'
```
Right to Erasure (Article 17)
Delete user data upon request through the Zenovay dashboard:
- Navigate to the domain in Domains, open the Analytics tab, and use the Visitors view to locate the visitor's records
- Use the External API to identify and delete the visitor's data by visitor ID
Data deletion is permanent and cannot be undone. Zenovay processes deletion requests immediately and removes all associated visitor records.
Right to Data Portability (Article 20)
Export user data in machine-readable format using the External API:
```bash
curl -X GET 'https://api.zenovay.com/api/external/v1/analytics/YOUR_WEBSITE_ID' \
  -H 'X-API-Key: YOUR_API_KEY'
```
Privacy Policy Requirements
If you use Zenovay, update your privacy policy to include:
Sample Privacy Policy Text
## Analytics
We use Zenovay, a privacy-friendly analytics service, to understand how visitors use our website. Zenovay collects:
- Pages you visit
- How you arrived at our site (referrer)
- Your approximate location (country/city)
- Device and browser information
Zenovay does NOT:
- Use cookies
- Collect personal information
- Track you across websites
- Sell your data
Your data is anonymized and aggregated. You can opt out of analytics tracking on our [Privacy Policy page].
For more information, see Zenovay's Privacy Policy: https://zenovay.com/privacy
Do Not Track (DNT)
Respect the Do Not Track browser setting:
```html
<script>
  // Check DNT before loading Zenovay
  if (navigator.doNotTrack !== '1') {
    // Load Zenovay tracking script
    (function(){
      // ... tracking script
    })();
  }
</script>
```
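The consent check and the Do Not Track check from this guide combined into one fail-closed gate, as an added example that is not Zenovay's own code: `dntEnabled`, `trackingDecision` and `applyTrackingDecision` are hypothetical names, and only `window.zenovay('disable')` comes from this page. It also reads the older places browsers exposed the DNT signal (`window.doNotTrack`, `navigator.msDoNotTrack`, the value `'yes'`), which a bare `navigator.doNotTrack === '1'` test misses.

```javascript
// Added example. Every name here except zenovay('disable') is hypothetical.

// Normalise the DNT signal. Depending on browser and version it has been
// exposed as navigator.doNotTrack, window.doNotTrack or navigator.msDoNotTrack,
// with '1' (current) or 'yes' (older Firefox) meaning "do not track".
function dntEnabled(win) {
  const nav = win.navigator || {};
  const signals = [nav.doNotTrack, win.doNotTrack, nav.msDoNotTrack];
  return signals.some((v) => v === '1' || v === 'yes');
}

// consent: true (granted), false (refused), undefined (CMP has not answered).
// requireConsent: true when your documented legal basis is consent rather than
// legitimate interest; an unanswered CMP then blocks tracking (fail closed).
function trackingDecision(win, consent, requireConsent) {
  if (dntEnabled(win)) return { track: false, reason: 'dnt' };
  if (consent === false) return { track: false, reason: 'consent-refused' };
  if (requireConsent && consent !== true) {
    return { track: false, reason: 'consent-pending' };
  }
  return { track: true, reason: 'allowed' };
}

// Apply the decision. If the tracker is already on the page, disable it;
// if it has not loaded yet, the caller should use the returned decision to
// skip loading the script at all.
function applyTrackingDecision(win, consent, requireConsent) {
  const decision = trackingDecision(win, consent, requireConsent);
  if (!decision.track && typeof win.zenovay === 'function') {
    win.zenovay('disable');
  }
  return decision;
}

// Browser usage (cmpConsent is whatever boolean your CMP exposes):
//   const d = applyTrackingDecision(window, cmpConsent, true);
//   if (d.track) { /* inject the Zenovay script tag */ }
```

Returning the reason alongside the decision lets you log why tracking was suppressed without recording anything about the visitor.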
Cross-Border Data Transfers
Zenovay processes data globally through Cloudflare's network:
- Data Centers: Cloudflare's 300+ locations worldwide
- Primary Storage: EU data center (Frankfurt, eu-central-1) for all customers
- Standard Contractual Clauses: In place for international transfers
- Adequacy Decisions: Compliant with EU-US Data Privacy Framework
Data Processing Agreement (DPA)
Zenovay provides a Data Processing Agreement (DPA) that includes:
- Controller-Processor relationship definition
- Security measures and safeguards
- Sub-processor list
- Data subject rights procedures
- Breach notification commitments
Contact support@zenovay.com to request a DPA.
Best Practices for Compliance
1. Update Your Privacy Policy
Clearly explain your use of analytics in your privacy policy.
2. Provide Opt-Out Mechanism
Add an opt-out button on your privacy policy page.
3. Respect User Preferences
Integrate with your consent management platform (CMP) if you use one.
4. Configure Data Retention
Set appropriate retention periods based on your business needs.
5. Document Your Legal Basis
Document why you're processing data (legitimate interest, consent, etc.).
6. Handle Data Subject Requests
Establish a process to handle access, deletion, and portability requests.
Legitimate Interest Assessment (LIA)
Under GDPR Article 6(1)(f), website analytics can be processed under legitimate interest:
Purpose: Understanding website traffic and user behavior to improve services
Necessity Test:
- ✅ Less invasive than alternatives (no cookies, no PII)
- ✅ Cannot achieve purpose through other means
- ✅ Data minimized to what's necessary
Balancing Test:
- ✅ User impact is minimal (no tracking across sites)
- ✅ Users can easily opt out
- ✅ Data is anonymized and aggregated
- ✅ No sensitive data collected
Conclusion: Legitimate interest is appropriate for basic website analytics with Zenovay's privacy-first approach.
This is a general assessment. Consult with your legal team to ensure compliance with your specific situation and jurisdiction.
CCPA Compliance
For California users, Zenovay helps you comply with CCPA:
- No sale of personal information - We never sell user data
- Right to know - API access to user data
- Right to delete - Deletion API available
- Right to opt-out - Built-in opt-out mechanism
Regional Settings
Zenovay stores all customer data in the EU by default (Frankfurt, eu-central-1). No additional configuration is required for EU data residency. For questions about data residency, contact support@zenovay.com.
Compliance Checklist
- Update privacy policy to mention Zenovay
- Configure data retention period
- Add opt-out button to privacy page
- Configure the tracker to respect Do Not Track
- Document legal basis for processing
- Establish data subject request procedure
- Review and sign DPA with Zenovay
- Train team on privacy procedures
Need Help?
For GDPR-specific questions or compliance assistance, contact our privacy team at support@zenovay.com.
This guide provides general information about GDPR compliance with Zenovay. It does not constitute legal advice. Consult with your legal counsel for specific compliance requirements.