LiteStats

Privacy Policy

Last updated: 9 July 2025

LiteStats ("we", "us", "our") operates the litestats.io website and analytics service. This Privacy Policy explains how we collect, use, store, and protect information when you use our service. By creating an account, you acknowledge that you have read and understood this Privacy Policy.

1. Information we collect

1.1 Account information

When you create an account, we collect your email address for authentication and account management. If you sign in via a third-party provider (e.g. GitHub), we receive your email and display name from that provider. We also store your chosen plan and billing status.

1.2 Analytics data (collected from your website visitors)

When the LiteStats tracking script runs on your website, we collect the following non-personal data from your visitors:

  • Page URL and referrer URL
  • Browser type, operating system, and device type (derived from user agent string)
  • Country (derived from IP address at the point of collection — the IP itself is never stored, logged, or persisted)
  • UTM campaign parameters (if present in the URL)
  • A random session identifier stored in sessionStorage (automatically cleared when the browser tab closes, and never shared across tabs or sites)
  • Pageview timestamps and session duration

1.3 Payment information

If you subscribe to a paid plan, payment is processed by Stripe. We do not store credit card numbers or bank details. We receive only a Stripe customer ID and subscription status.

1.4 What we do NOT collect

  • No cookies are set on your visitors' devices
  • No IP addresses are stored, logged, or persisted
  • No personal data, names, or email addresses of your visitors
  • No browser fingerprinting
  • No cross-site or cross-device tracking
  • No third-party tracking pixels or advertising scripts

2. How we use your information

  • Account email: authentication, account-related notifications (billing, security), and (only with your explicit opt-in consent) product updates
  • Analytics data: displayed on your dashboard as aggregated metrics to help you understand your website traffic. Analytics data is never used for advertising, profiling, or shared with third parties.

3. Legal basis for processing (GDPR)

  • Account data: processed under contractual necessity (Art. 6(1)(b) GDPR) — we need your email to provide the service you have requested
  • Analytics data: processed under legitimate interest (Art. 6(1)(f) GDPR) — aggregate website analytics that do not constitute personal data. Our legitimate interest is providing the analytics service you have engaged.
  • Marketing emails: processed under consent (Art. 6(1)(a) GDPR) — only sent if you explicitly opt in, and you may withdraw consent at any time
  • Payment data: processed under contractual necessity (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR) for tax and accounting requirements

4. Data hosting and sub-processors

All core data is hosted within the European Union. We do not sell, rent, or share your data with third parties, except through the following sub-processors which are strictly necessary to operate the service:

Sub-processor | Purpose | Data location
Hetzner Online GmbH | Server infrastructure (application, databases) | Germany, EU
Stripe Inc. | Payment processing (paid plans only) | USA (EU-US Data Privacy Framework)
Amazon Web Services (SES) | Transactional email delivery | EU (eu-west-1)

All sub-processors are bound by Data Processing Agreements and process data only on our documented instructions. For full details, see our Data Processing Agreement.

5. International data transfers

Your account data and analytics data are stored on servers located in Germany (EU), operated by Hetzner Online GmbH. Data does not leave the European Union except in the following limited cases:

  • Stripe (payment processing): Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses (SCCs) for data transfers.

No analytics data (pageviews, sessions, visitor metrics) is ever transferred outside the EU.

6. Data retention

  • Account data: retained for the lifetime of your account. Deleted within 30 days of account deletion.
  • Analytics data: retained for the lifetime of your account. Deleted when you remove a site or delete your account.
  • Payment records: retained as required by Irish tax law (minimum 6 years) after the end of the relevant financial year.
  • Server logs: access logs are retained for a maximum of 14 days for security and debugging purposes, then automatically purged.
  • Inactive accounts: accounts that remain inactive (no registered websites and no active subscription) for 60 days after the free trial expires will be permanently deleted. Accounts with registered websites but no recorded traffic for 210 days and no active subscription will also be deleted. You will receive at least one email notification 30 days before any deletion, with the option to keep your account by clicking a link in the email.

7. Your rights

Under GDPR, CCPA, and applicable privacy laws, you have the right to:

  • Access your data (Art. 15 GDPR) — request a copy of all data we hold about you
  • Export your data in a portable format (Art. 20 GDPR) — download your analytics data as CSV
  • Rectify inaccurate data (Art. 16 GDPR)
  • Delete your account and all associated data (Art. 17 GDPR — "right to be forgotten")
  • Restrict the processing of your data (Art. 18 GDPR)
  • Withdraw consent for marketing communications at any time
  • Object to processing based on legitimate interest (Art. 21 GDPR)
  • Lodge a complaint with your local data protection authority (in Ireland: the Data Protection Commission, dataprotection.ie)

To exercise any of these rights, go to Account Preferences → Privacy & Data or email us at privacy@litestats.io. We will respond to all requests within 30 days.

8. Cookies

The LiteStats website and tracking script do not use cookies. We use sessionStorage for temporary session management on tracked websites, which is automatically cleared when the browser tab is closed and does not persist across sessions. This does not require consent under the ePrivacy Directive as it is strictly necessary for the service requested by the user.

The LiteStats dashboard uses session-based authentication tokens stored in memory. No tracking cookies or third-party cookies are used anywhere in our service.

9. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption of all data in transit (TLS 1.2+)
  • Encrypted database connections
  • Access controls with the principle of least privilege
  • Input validation and sanitisation on all API endpoints
  • Rate limiting and bot detection
  • Regular security patching and monitoring
  • No storage of IP addresses or direct personal identifiers

10. Children's privacy

LiteStats is not directed to children under 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when it was last revised. Continued use of the service after changes take effect constitutes acceptance.

12. Data controller

The data controller for your account information is LiteStats, a sole trader registered in Ireland. For analytics data collected from your website visitors, you are the data controller and LiteStats acts as data processor on your behalf under the terms of our Data Processing Agreement.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@litestats.io.