GDPR & privacy

How OpenAnalyticsAPI is built to support GDPR-friendly analytics setups.

Not legal advice. This page describes how the platform is built and configured. Whether a specific deployment is GDPR-compliant depends on your jurisdiction, your overall site, your other tooling, and your consent setup. Confirm with your DPO or legal counsel before relying on any single description below.

Cookieless by default

The default tracking mode does not set any cookie on the visitor's browser. Users are identified anonymously through a fingerprint hash (User-Agent + Accept-Language + anonymized IP) combined with a server-side salt that rotates every 24 hours. The salt rotation means the same user appears as a different anonymous ID from one day to the next.

In this mode, a cookie banner may not be required for analytics. Consent obligations still depend on your jurisdiction, your overall site setup, and any other trackers you use.

IP anonymization

IP addresses are anonymized server-side before storage: the last octet (IPv4) or last 80 bits (IPv6) are set to zero. Geo enrichment (country, region, city) happens against the full IP before anonymization and is stored separately. Raw IPs are never written to long-term storage.

Do Not Track

Add data-respect-dnt="true" on the snippet's script tag to make the SDK a no-op when the browser sends a Do Not Track signal. Off by default — most jurisdictions don't require honoring DNT, but you can opt in if you want stricter behavior.

Programmatic opt-out

For pages where you implement your own consent banner, call window.oa('optOut') as soon as the user declines consent. The tracker immediately:

  • Stops sending further events, replay chunks, and heatmap data from this browser.
  • Clears the locally-stored anonymous ID (_oaa_uid) and session ID (_oaa_sid).
  • Notifies the replay and heatmap addons (loaded on the same page) so they halt their observers and drop any in-flight buffers — no data from the moment of opt-out is sent.
  • Persists the opt-out in localStorage (_oaa_optout=1) so it survives reloads.

window.oa('optIn') removes the opt-out flag. The tracker keeps the current page's listeners in their no-op state, so a page reload is recommended after opt-in to fully re-initialize the snippet (otherwise this page view won't be tracked, but the next page load will be).

// Inside your consent banner handler
if (userDeclined) {
  window.oa('optOut');
}

if (userAccepted) {
  window.oa('optIn');
  window.location.reload(); // recommended: re-initializes the tracker
}

A fresh anonymous ID is generated after opt-in. Pre-opt-out activity is not retroactively linked to post-opt-in activity — that's intentional, so the same device looks like a new visitor.

DSAR endpoints (beta)

Dedicated REST endpoints for Data Subject Access Requests are available in beta for authenticated API users. All three require an oa_live_* Bearer token scoped to the project.

  • Export: GET /v1/projects/{id}/privacy/user/{user_id} returns a sanitized JSON export of one end-user's events, sessions, and replay metadata. Raw IP, raw User-Agent, properties values, precise geo, and raw replay chunk content are never included. The export is capped at the last 90 days and 10,000 events by default (override with from/to); it sets truncated: true when the cap is hit.
  • Delete: DELETE /v1/projects/{id}/privacy/user/{user_id} queues an asynchronous deletion/anonymization request and returns 202 Accepted. No data is deleted inline — a background worker processes the queue. Re-requesting while one is already pending returns the existing request.
  • Status: GET /v1/projects/{id}/privacy/requests/{request_id} polls a queued deletion request (pending → processing → completed/failed).

The user_id is whatever value you passed to identify calls — hash before sending so lookups work without exposing raw PII. For bulk or out-of-band deletions you can still email privacy@openanalyticsapi.com.

Data retention

  • Free: 90 days
  • Pro: 12 months
  • Business: 24 months
  • Enterprise: custom

Retention is enforced automatically by ClickHouse TTL — there is no manual purge to run.

EU data residency

By default, ingest and storage run on EU VPS nodes (Germany, Czech Republic, Netherlands). Business+ customers can opt into EU-only residency, which guarantees that no data leaves the EU even for ad-hoc operations.

Session Replay safety

Replay is an optional addon, off by default. When enabled:

  • All <input>, <textarea>, and any element marked with data-oa-mask are masked on-device before any data leaves the browser.
  • You must not configure replay to capture passwords, payment cards, health data, or other special-category personal data — see the Terms of Service for the full list.
  • Replays inherit the project retention setting and can be individually deleted from the console.

Data processing agreement (DPA)

A standard DPA is available on request for Business and Enterprise customers (and Pro on a case-by-case basis). Email privacy@openanalyticsapi.com.

Subprocessors

We use exactly two subprocessors: Stripe (payment processing) and our domain registrar. Everything else (ingest, query, storage, replay storage, mail relay, alerting) runs on our own VPS fleet. See the Privacy Policy for the full list.