GDPR Compliance
Simple Analytics is designed to work without collecting personal data. Because GDPR applies to personal data, avoiding it significantly reduces compliance obligations.
No personal data
We do not collect names, emails, IPs, or device fingerprints.
No consent required
No cookies or tracking means no consent banners needed.
EU-based
Dutch company, EU infrastructure, EU data residency.
No data transfers
Analytics data never leaves the European Union.
Privacy fundamentals
Simple Analytics avoids collecting personal data entirely. This removes most GDPR obligations around consent, data subject rights, and lawful basis for processing.
What we don't collect
- No names, emails, stored IP addresses, or device fingerprints
- No cookies placed on visitor devices
- No local storage or session storage used
- No fingerprinting techniques employed
What we do collect
We collect a limited set of non-personal metrics to provide website analytics. These metrics are not linked to individuals and cannot be used to identify users.
- Page URL and referrer
- UTM parameters
- Time zone (instead of IP-based geolocation)
- Device and browser type (via anonymized user agent)
Why this matters for GDPR
- No consent banners required
- No data subject access requests to manage
- Privacy by design and by default (Article 25)
- Compatible with strict cookie policies and consent-free setups
Legal framework
Understanding the legal roles and jurisdiction under which Simple Analytics operates.
Legal roles under GDPR
GDPR defines roles such as data controller and data processor for personal data processing. Because Simple Analytics does not process personal data, these roles do not apply in the same way.
- Customers are not acting as controllers of personal data via Simple Analytics
- Simple Analytics is not acting as a processor of personal data
- Standard controller–processor agreements are generally not required
Legal entity & jurisdiction
Simple Analytics is a Dutch company, operating under the laws of the Netherlands and the European Union.
- Registered in the Netherlands (EU)
- Subject to Dutch and EU privacy law
- Dutch Data Protection Authority (AP) as supervisory authority
Data residency
All analytics data is processed and stored within the European Union. No visitor data is transferred outside the EU.
International data transfers
- Data processed and stored in the Netherlands (EU)
- No transfers to the US or other third countries
- Infrastructure providers selected for EU data residency
- Cloudflare used only for CDN/DDoS, no analytics data stored outside EU
Documentation & certifications
We support legal and procurement teams with documentation and responsive communication.
Data Processing Agreement (DPA)
A Data Processing Agreement is not required when using Simple Analytics, as no personal data is processed. We understand that some organizations require a DPA as part of their procurement process. We support this and can review and sign customer-provided agreements, provided they align with how the service operates.
- A DPA is not required due to the absence of personal data
- We can review and sign customer-provided DPAs
- Agreements must align with our privacy-first architecture
SOC 2 Type II
We are currently working toward SOC 2 Type II certification.
- Audit in progress
- Covers security, availability, and confidentiality
- Report will be available upon completion
Customer compliance support
- Documentation available for vendor assessments
- Support for procurement reviews
- Responsive to compliance questionnaires
For compliance or legal questions:
Open contact form