Axo Analytics

Privacy Policy for Axo Analytics

Last updated: August 19, 2025

At Unique-P GmbH, the company behind Axo Analytics, we prioritize your privacy and are committed to protecting your data in compliance with the General Data Protection Regulation (GDPR), Swiss data protection laws, and other applicable regulations. This privacy policy explains how we collect, process, store, and protect data, distinguishing between fully anonymized analytics data for website visitors and personal data processed for customers using our services. We aim to be transparent about our practices and your rights, fostering trust in our privacy-first approach.

Our Commitment to Privacy

Axo Analytics is designed with privacy at its core. We do not use cookies, sell data, or engage in cross-site tracking or profiling. Our analytics solution processes visitor data in a fully anonymized manner, ensuring it is not personal data under GDPR. For customers using our services, we process limited personal data (e.g., IP addresses, user agents) for security and debugging, with explicit consent via our terms and conditions. All data processing adheres to data minimization principles, and we store data in the EU to ensure compliance.

Your Data Protection Rights

Under GDPR, you have rights regarding your personal data, which we respect and facilitate:

  • Access and Correction: Request a copy of your personal data or correct inaccuracies.
  • Erasure or Restriction: Request deletion or restricted processing, subject to legal obligations.
  • Objection: Object to processing based on legitimate interests (e.g., marketing).
  • Data Portability: Request your data in a structured, machine-readable format.
  • Complaint: Contact a supervisory authority (e.g., Switzerland’s FDPIC or an EU DPA) if unsatisfied. We encourage you to contact us first to resolve concerns.

To exercise these rights, contact us at the details below. We respond within 30 days, as required by law.

How We Process Data

We handle two distinct types of data: (1) anonymized analytics data from website visitors, which is not personal data under GDPR, and (2) personal data from customers using our services, processed with consent for security and debugging.

1. Website Visitor Analytics (Fully Anonymized)

When you visit a website using Axo Analytics, we collect minimal, fully anonymized data to provide website owners with aggregated insights (e.g., page views, general device trends). This data is processed as follows:

  • Data Collected: We process a session-based identifier derived from IP address, user agent, and other non-sensitive data points, combined with a daily-rotating salt. This input is immediately hashed using MD5 and the digest is truncated to its first 16 hexadecimal characters (64 bits), making it irreversible and unlinkable across days or sites.
  • Purpose: To provide website owners with anonymized analytics (e.g., traffic patterns, approximate device categories) without tracking individuals.
  • Lawful Basis: Not applicable, as the data is anonymized and not personal data under GDPR (Recital 26). The hashing and truncation ensure re-identification is not reasonably possible, aligning with EDPB Guidelines 01/2025 on anonymization.
  • ePrivacy Directive: No cookies or device storage are used, so consent is not required under Article 5(3). Website owners may offer an opt-out feature, which stops all data collection for a visitor.
  • Storage and Location: Processed in Cloudflare Workers and stored in Cloudflare R2 (EU region) and EU-based servers, ensuring no non-EU transfers.
  • Retention: Anonymized data is retained as needed for analytics purposes, with no personal data stored.

This approach mirrors privacy-first tools like Plausible and Matomo (cookieless mode), ensuring no personal data is processed for visitor analytics.
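
The identifier derivation described under "Data Collected" above can be sketched as follows. This is an added example, not Axo Analytics' own code. The field order, the length-prefixed encoding, the use of the site hostname as one of the "other data points", and the random 16-byte salt are assumptions, and the IP address and user agent are constructed sample values.

```python
import hashlib
import secrets
from datetime import date


class DailySalt:
    """Keeps one random salt per day (hypothetical helper).

    On rotation the previous salt is overwritten, so identifiers from
    an earlier day can no longer be recomputed from the same inputs.
    """

    def __init__(self):
        self._day = None
        self._salt = b""

    def for_day(self, day: date) -> bytes:
        if day != self._day:
            self._day = day
            self._salt = secrets.token_bytes(16)  # assumed salt size
        return self._salt


def session_id(salt: bytes, site: str, ip: str, user_agent: str) -> str:
    """MD5 over salt + fields, truncated to 16 hex characters (64 bits)."""
    h = hashlib.md5()
    h.update(salt)
    for field in (site, ip, user_agent):
        raw = field.encode("utf-8")
        # Length prefix (assumption) so ("ab", "c") and ("a", "bc") differ.
        h.update(len(raw).to_bytes(4, "big"))
        h.update(raw)
    return h.hexdigest()[:16]


def demo():
    """Returns ids for: same visit twice, another site, and the next day."""
    salts = DailySalt()
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"
    today = salts.for_day(date(2025, 8, 19))
    a = session_id(today, "example.org", ip, ua)
    b = session_id(today, "example.org", ip, ua)   # same day, same site
    c = session_id(today, "example.net", ip, ua)   # same day, other site
    tomorrow = salts.for_day(date(2025, 8, 20))    # salt rotated
    d = session_id(tomorrow, "example.org", ip, ua)
    return a, b, c, d


if __name__ == "__main__":
    for label, value in zip(("visit", "repeat", "other site", "next day"), demo()):
        print(f"{label:>10}: {value}")
```

Within one day and one site the identifier is stable, which is what allows session counting; once the salt rotates, the same visitor maps to an unrelated value.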

2. Customer Data (Personal Data for Security and Debugging)

When you sign up for or use Axo Analytics as a customer (e.g., via free trial or paid subscription), we process limited personal data with your consent, as agreed in our terms and conditions:

  • Data Collected:
    • Account Data: Email address, billing address, payment details, and password for trial or subscription access. Optional data (e.g., company name, VAT number) may be added in your dashboard.
    • Security Logs: IP addresses and user agents are stored temporarily for security and debugging (e.g., detecting threats or resolving technical issues). These are not anonymized but are processed securely.
    • Marketing (Optional): Name and email for promotional communications, if you opt in.
    • Surveys (Optional): Name, contact details, and feedback if you participate in voluntary surveys.
  • Purpose:
    • Provide and manage your account (trial or subscription).
    • Ensure service security and troubleshoot issues (logs).
    • Send relevant updates or offers (marketing, if opted in).
    • Improve services via survey feedback.
  • Lawful Basis:
    • Consent: You agree to personal data processing for security and account management via our terms and conditions.
    • Performance of a Contract: Account and billing data are necessary to deliver services.
    • Legitimate Interest: Marketing to existing customers (with unsubscribe option) and survey processing to improve services.
    • Legal Obligation: Retaining billing data for tax/accounting compliance.
  • Storage and Location: Account data is stored on EU-based servers. Security logs are stored in Cloudflare’s GDPR-compliant infrastructure (EU region) for 7 days, then deleted.
  • Retention:
    • Account data: Retained while you remain a customer and up to 6 years for legal compliance (e.g., tax laws).
    • Security logs: 7 days, strictly for security/debugging.
    • Marketing/survey data: Until you withdraw consent or up to 2 years post-interaction.

3. When You Communicate with Us

If you contact us (e.g., via email or social media), we process data like your name, contact details, and message content to respond and manage inquiries. Security logs (IP, user agent) may be temporarily stored for 7 days.

  • Lawful Basis: Legitimate interest (to address inquiries and ensure security).
  • Retention: Correspondence is retained as needed for accountability; security logs for 7 days.
  • Location: Processed and stored in the EU.

4. When You Supply Services or Collaborate

For vendors or partners, we process name, contact details, and correspondence to manage our relationship.

  • Lawful Basis: Performance of a contract, legal obligations (e.g., accounting), or legitimate interest.
  • Retention: Duration of the relationship plus up to 6 years for legal purposes.
  • Location: EU-based storage.

Sharing Your Data

We share personal data only when necessary, with:

  • Data Processors: GDPR-compliant providers (e.g., Cloudflare for security, email/payment systems) under data processing agreements.
  • Professional Advisors: For legal, accounting, or tax purposes.
  • Authorities: If required by law.
  • IT Support: For technical issue resolution (rare).

All recipients are vetted for compliance, and we minimize shared data. Cloudflare logs (containing IP/user agent) are retained for 7 days in the EU and deleted thereafter.

International Data Transfers

Customer data and analytics data are stored and processed within the EU (Cloudflare R2 and EU servers), avoiding non-EU transfers. For any non-EU processors (e.g., payment providers), we use GDPR safeguards like standard contractual clauses (SCCs).

Information Security

We use encryption, strong passwords, and two-factor authentication to secure data. Access is restricted to authorized personnel. Security logs are stored for 7 days in Cloudflare’s GDPR-compliant systems.

Our Role as a Data Processor

When you use Axo Analytics on your website, we act as a data processor under GDPR Article 28, processing visitor data per your instructions. You, as the data controller, define the purpose and lawful basis (e.g., legitimate interest or visitor consent). Our analytics data is fully anonymized (not personal data), and we:

  • Use robust security measures.
  • Process data only per your instructions.
  • Offer a data processing agreement (DPA), soon publicly available.
  • Store data in the EU, compliant with Schrems II.

No ePrivacy Directive consent is needed, as we use no cookies or device storage.

Contact Us

For questions, to exercise your rights, or for further details, contact:

Unique-P GmbH
Burengasse 11, 4655 Stüsslingen, Switzerland
Email: [email protected]

We are committed to prompt, transparent responses.