GDPR Compliance

Statalog is designed so that GDPR compliance is the default state, not an optional configuration. This page explains the legal basis for that claim and how it compares to cookie-based analytics tools.

What data Statalog collects

Understanding GDPR compliance requires understanding exactly what data is processed. Statalog records:

  • Page URL — the path and query string of the visited page (query strings containing sensitive parameters can be stripped in settings)
  • Referrer — the referring URL, if present
  • Country — derived from the visitor's IP address via a GeoIP lookup; the IP itself is immediately discarded
  • Device type, browser family, OS family — derived from the User-Agent string; the raw User-Agent string is immediately discarded
  • Timestamp — when the pageview occurred
  • Custom events — only what you explicitly instrument with statalog('event', ...)

Statalog does not collect or store: IP addresses, User-Agent strings, names, email addresses, device identifiers, advertising IDs, cookies, or any other personal data as defined under GDPR Article 4(1).

Why no consent banner is required

The GDPR requires a lawful basis (Article 6) only when personal data is processed. Aggregate, anonymised statistics are not personal data. Because Statalog does not process personal data, Article 6 does not apply, and no consent is required.

This is consistent with guidance from multiple European data protection authorities, including the French CNIL, which has explicitly indicated that cookie-less analytics that do not allow individual re-identification may be deployed without consent.

Additionally, because Statalog sets no cookies, the ePrivacy Directive (the "cookie law") does not apply. The Directive requires consent for storing or accessing information on a user's device — since no storage occurs, the requirement is not triggered.

Comparison with Google Analytics 4

                              Statalog            Google Analytics 4
Cookies set                   None                _ga (2-year expiry), _ga_*
IP address stored             No                  Anonymised but still processed
Cross-site tracking           No                  Yes (via Google Signals)
Data transferred to US        No (your region)    Yes (EU → US)
Consent banner needed in EU   No                  Yes
Schrems II concerns           No                  Yes

GA4 requires a consent management platform (CMP) and a cookie banner for EU visitors because it sets persistent cookies and transfers data to Google's US servers. Both of these facts have legal implications under GDPR and the ePrivacy Directive. Statalog has neither issue.

CCPA compliance

The California Consumer Privacy Act (CCPA) grants California residents rights over their personal information, including the right to know what is collected, the right to delete, and the right to opt out of the "sale" of their personal information.

Because Statalog does not collect personal information from your visitors (as defined under CCPA Section 1798.140(o)), you have nothing to disclose, nothing to delete, and nothing to opt out of. Statalog does not sell data to any third party.

DNT (Do Not Track) header

Statalog respects the DNT: 1 request header. Visitors who have enabled Do Not Track in their browser are excluded from all analytics data. No pageview, event, or session record is created for DNT-enabled visitors. This applies even though DNT has no binding legal force under current law — it reflects Statalog's design philosophy of defaulting to privacy.
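The collection rules described above (the field list under "What data Statalog collects" and the DNT exclusion in this section) as an added Python sketch of a pageview ingestion step; this is illustrative code, not Statalog's own, and the GeoIP prefix table, the User-Agent classification rules and the list of sensitive query parameters are constructed stand-ins for the real lookups.

```python
"""Data-minimising pageview ingestion: the IP and User-Agent are consumed
only to derive coarse attributes and never appear in the stored record."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed stand-in for a GeoIP database (address prefix -> ISO country code)
GEOIP_PREFIXES = {"203.0.113.": "FR", "198.51.100.": "DE"}
# Assumed list of query parameters considered sensitive and stripped before storage
SENSITIVE_PARAMS = {"email", "token", "session"}


def geoip_country(ip):
    """Resolve a country code from the IP; the IP is used here and nowhere else."""
    for prefix, country in GEOIP_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "ZZ"  # unknown / unmapped


def classify_user_agent(ua):
    """Reduce the raw User-Agent to device, browser and OS families only."""
    device = "mobile" if "Mobile" in ua else "desktop"
    browser = "Firefox" if "Firefox/" in ua else "Chrome" if "Chrome/" in ua else "Other"
    os_family = "Android" if "Android" in ua else "Windows" if "Windows" in ua else "Other"
    return device, browser, os_family


def strip_sensitive_query(url):
    """Drop query parameters whose names are on the sensitive list."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def ingest_pageview(headers, client_ip, url, timestamp):
    """Build the stored record, or return None when the visitor sent DNT: 1."""
    if headers.get("DNT") == "1":
        return None  # excluded entirely: no pageview, event or session record
    device, browser, os_family = classify_user_agent(headers.get("User-Agent", ""))
    return {
        "url": strip_sensitive_query(url),
        "referrer": headers.get("Referer"),
        "country": geoip_country(client_ip),
        "device": device,
        "browser": browser,
        "os": os_family,
        "timestamp": timestamp,
    }  # client_ip and the User-Agent string are not retained past this point
```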

Data Processing Agreement (DPA)

Cloud customers who require a formal Data Processing Agreement for their own GDPR compliance documentation can request one by emailing support. The DPA describes Statalog's role as a data processor for your account data (your email address, site configurations, and billing information), which is personal data under GDPR and is handled accordingly.

Note that the DPA covers your account data, not your visitors' analytics data — because the analytics data is not personal data, no DPA is required for the analytics processing itself.

Data residency

Cloud accounts are hosted in your selected region. Analytics data does not leave that region for processing. No analytics data is shared with advertising networks, data brokers, or any third party.

Your visitors' rights

Because Statalog does not store personal data about individual visitors, there is no individual-level data to access, rectify, or erase in response to a DSAR (Data Subject Access Request). If a visitor contacts you under their GDPR rights, the accurate answer is that no personal data relating to them is stored in your analytics system.

Self-hosted (Community edition)

When you self-host Statalog, you are the data controller and data processor for all data the installation handles. Statalog (the company) processes no data on your behalf. Your infrastructure, retention policies, and compliance obligations are your own to manage. The privacy-by-design architecture (no cookies, no IP storage, daily-rotating hashes) applies equally in the Community edition.