Privacy is Not an Afterthought, It's Our Foundation

TrueMetric does not use any browser cookies (first-party or third-party) or other persistent client-side storage mechanisms (like localStorage) for tracking visitors.

This means:

• Immunity to cookie consent banner fatigue and rejection for analytics tracking.
• Compliance with PECR (ePrivacy Directive) requirements regarding cookie usage for analytics.
• Tracking works even if users block cookies or clear them frequently.
• No cross-site tracking capabilities via cookies.

Visitor IP addresses are considered personal data under GDPR. We handle them with extreme care:

• IPs are used only momentarily in memory during the request.
• We use the IP solely for deriving geographic location (Country/Region/City) and generating a daily `visitId`.
• The full IP address is never stored on disk or in our database logs.
• Enhanced privacy measures: We truncate IP addresses (removing the last octet for IPv4, last 80 bits for IPv6) during processing to further reduce identifiability.
• This process makes it impossible to identify or track an individual user via their IP address over time in our system.

Instead of traditional session tracking with cookies, we've developed a privacy-preserving alternative called "Daily Activity Tracking" using sophisticated pseudonymization techniques:

• We generate a pseudonymous daily `visitId` hash derived from:
• Truncated IP address (with identifying portions removed)
• User agent information
• Current date (YYYY-MM-DD format)
• A secret, daily rotating salt value
• This allows us to recognize page views from the same visitor within the same 24-hour period only.
• The daily salt rotation and date inclusion ensure that it's impossible to link visits from the same person across different days.
• Our hash algorithm (SHA-256) ensures this process is one-way and cannot be reversed to identify individuals.
• This approach provides essential metrics like daily unique visitors, bounce rates, and pages per visit while maintaining strong privacy protections.

We only collect the data absolutely necessary to provide core web analytics:

• Page URL
• Referrer URL
• User Agent string (for browser/OS/device type)
• Derived Geographic Location (Country/Region/City - from discarded IP)
• UTM parameters (if present)
• Screen resolution
• Pseudonymous daily `visitId`

We do not collect granular user flow paths, mouse movements, form inputs, or any other potentially sensitive behavioral data. Website owners can configure even more limited data collection (such as country-only geolocation) if desired.

All analytics data collected by TrueMetric's hosted solution is processed and stored on infrastructure located within the European Union.

This helps businesses comply with GDPR data transfer requirements and addresses concerns about data access by non-EU authorities. For ultimate control, explore our self-hosting option.

TrueMetric provides a public-facing Privacy Dashboard for each website, giving visitors full transparency into data collection practices:

• A clear visual summary of key privacy practices (no cookies, no IP storage, etc.)
• Detailed explanation of what data is collected and how it's used
• Information about data retention periods
• Sample privacy policy text for website owners
• Options for visitors to understand and control their data

This transparency builds trust with site visitors and helps website owners demonstrate compliance with privacy regulations. The Privacy Dashboard is accessible without requiring authentication.

TrueMetric supports two distinct legal approaches to help website owners meet their compliance obligations:

While TrueMetric provides the tools and infrastructure to support both approaches, the final responsibility for determining the appropriate legal basis rests with the website owner as the data controller.

TrueMetric respects visitor choices about tracking and provides several control options:

• Do Not Track (DNT) signals: TrueMetric can be configured to respect browser DNT signals.
• Opt-out mechanisms: Site owners can implement easy opt-out controls for visitors.
• Consent preferences: When using the opt-in approach, visitors have granular consent options.
• Privacy Dashboard access: Visitors can view the public Privacy Dashboard to understand exactly what data is collected.
• No long-term tracking: By design, the daily identifier reset ensures visitors cannot be tracked beyond a 24-hour period.

These controls ensure that TrueMetric respects user autonomy while still providing valuable analytics data to website owners.