Privacy Compliance

At Tinylytics, we take privacy seriously. Our analytics platform is built from the ground up to be compliant with major privacy regulations, specifically the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This document outlines how we achieve compliance with these regulations.

Core Privacy Principles

Our approach to privacy is built on these fundamental principles: - Collect only what’s necessary - Process transparently - Store securely - Delete promptly - Give users control

GDPR Compliance

We comply with GDPR requirements through the following measures:

1. Data Minimization (Art. 5)

  • Only essential analytics data is collected
  • User agent strings are truncated to 50 characters
  • IP addresses are used only for hash generation, never stored
  • Geographic data limited to country level only (via Cloudflare)
  • No personal identifiable information (PII) is stored

2. Right to Erasure (Art. 17)

  • One-click account deletion available
  • All associated data is immediately deleted upon account cancellation
  • Automatic deletion of unconfirmed accounts after 7 days
  • Server logs are filtered for sensitive data and deleted after 7 days

3. Transparency (Art. 12-14)

  • Clear privacy policy explaining all data collection
  • Detailed technical documentation about data handling
  • No hidden tracking or data collection methods
  • All data processing purposes clearly stated
  • Clear disclosure of third-party services (Cloudflare, Sentry.io, Lemon Squeezy, and Paddle)

4. Data Security (Art. 32)

  • SSL encryption for all data transmission
  • Cloudflare as security buffer and CDN provider
  • Server logs filtered and deleted after 7 days
  • Regular salt rotation for hash generation
  • Rate limiting to prevent abuse
  • Hosted in Europe

5. Consent & Right to Object (Art. 7, 21)

  • Simple mechanism to ignore your own hits via URL parameters
  • No tracking cookies used (only session cookies for logged-in users)
  • Clear instructions for opting out in documentation

CCPA Compliance

Our CCPA compliance is built into our core service design. We exceed CCPA requirements by not collecting, selling, or sharing any personal information:

1. No Personal Information Sale

  • We never sell any data to third parties
  • No data sharing for marketing purposes
  • No advertising or tracking mechanisms
  • Limited third-party usage (Cloudflare, Sentry.io, Lemon Squeezy, and Paddle) for essential services only

2. Data Rights

  • Immediate account deletion available
  • Automated data removal process
  • Clear documentation of all data handling
  • Transparent data collection practices
  • Clear disclosure of all third-party relationships

3. Data Collection Transparency

  • Clear listing of all collected data categories
  • Explicit purposes for each data type
  • No collection of personal information beyond essential analytics
  • All data processing is documented and necessary for service operation
  • Full disclosure of third-party service providers and their roles

Technical Implementation

Our privacy-first approach is implemented through:

  1. Unique Hit Generation

    • Daily reset of unique identifiers
    • One-way hash generation
    • No persistent identifiers
  2. Data Storage

    • Server logs deleted after 7 days
    • Secure, EU-based hosting
    • Regular data cleanup
  3. Security Measures

    • Rate limiting
    • Request filtering via Cloudflare
    • Regular security updates

Third-Party Services

We limit third-party service usage to essential operations only: - Cloudflare (Security & CDN) - Lemon Squeezy and Paddle (Payment processing) - Sentry.io (Error tracking, customer ID only)

As stated in our privacy policy: “Except for debugging, or delivering images, as mentioned above, we do not share any data with a third party nor do we ever sell your data. We respect you as a human being.”

Verification and Updates

We regularly review and update our privacy practices to ensure continued compliance. Our commitment to privacy goes beyond mere regulatory compliance – it’s a core part of our service offering.

For specific implementation details about how we handle analytics data, see our unique hits documentation.

Contact

For privacy-related questions or to exercise your rights under GDPR or CCPA, please contact us at [email protected].