Privacy Battles: Plausible (Privacy Score: 94%) ⚔️ Abralytics (Privacy Score: 28%)

Rating scale: Compliant, Partially Compliant, Not Compliant

Designated DPO or GDPR correspondent

Plausible:

Plausible doesn't mention having a DPO or GDPR correspondent but has a dedicated privacy email contact available on its website: privacy@plausible.io

Abralytics:

Abralytics doesn't mention having a DPO or GDPR correspondent and doesn’t display a dedicated privacy contact channel.

Privacy Policy

Plausible:

Abralytics:

Regarding website and cloud: https://www.abralytics.com/privacy

It is unclear whether the privacy policy available on the Abralytics website applies to both the website and the cloud service.

Besides, it doesn’t provide sufficient information to data subjects under Articles 13 and 14 of the GDPR (data retention periods, legal basis, etc.).

Country & Type of Data storage

Plausible:

Company Headquarters:
Estonia 🇪🇪  (EU) 🇪🇺

Storage Facilities:
All analytics data is processed by German cloud provider Hetzner, in Germany.

Possibility to host Plausible Analytics on controller premises.

Abralytics:

Company Headquarters:

Ireland (EU)

Storage Facilities:

Data is hosted in the EU, but Abralytics doesn’t specify in which country, which external cloud provider it uses, or that provider's nationality.

Data transfers outside the EU

Plausible:

Plausible doesn’t transfer analytics data outside the EU.

Abralytics:

Data is deemed not to be transferred outside the EU, but that information needs to be verified (the cloud provider and its nationality are unknown).

Legal tools for Subcontractors

Plausible:

For every subcontractor, Plausible assesses its commitment to privacy and signs a DPA including controller-processor Standard Contractual Clauses.

Plausible has made public its list of subprocessors: https://plausible.io/privacy

Abralytics:

Abralytics doesn’t mention any subcontractors or its process for contracting with them.

Data Breach Notification

Plausible:

In case of a data breach, Plausible will notify the controller without undue delay by email (not later than 48 hours after having become aware of it) and provide a description of the incident as well as periodic updates about the incident, including its impact.

Abralytics:

Abralytics doesn’t mention directly notifying controllers of a data breach within a defined time frame, nor assisting controllers in notifying the breach to the supervisory authority.

Rights Requests Process

Plausible:

Data requests will be forwarded to the controller without delay.

Abralytics:

Abralytics doesn’t mention providing assistance to controllers in the event of a data subject rights request.

Data Privacy Impact Assessment

Plausible:

Plausible will provide assistance to the controller for DPIAs.

Abralytics:

Abralytics doesn’t specify having conducted DPIAs or providing assistance to controllers if needed.

Employee Training

Plausible:

Employees required to access analytics data are informed of the confidential nature of the data and comply with the GDPR obligations set out in the DPA.

Abralytics:

Abralytics doesn't mention employee training or employees being subject to NDAs.

Security Policy

Plausible:

Plausible doesn’t mention having a security policy.

Abralytics:

Abralytics doesn’t mention having a security policy.

Organizational and Technical Security Measures

Plausible:

Server security:
Cloud security relying on Hetzner.

Other measures:
Data anonymisation, data pseudonymisation (hash), DDoS protection, backups in a redundant site.

Abralytics:

Abralytics doesn’t mention having a security policy.

Data Encryption

Plausible:

Data is encrypted in transit (HTTPS) and at rest.

Abralytics:

Data encryption is never mentioned.

Restriction of access

Plausible:

Plausible allows external access to, or processing of, personal data by employees subject to confidentiality clauses, for IT support and maintenance.

Abralytics:

Abralytics doesn’t mention any specific restrictions of access to personal data.

Reuse of data

Plausible:

Plausible doesn’t reuse analytics data or share it with third parties.

Abralytics:

Abralytics doesn’t sell any data. Controllers remain the owners of personal data.

Exemption of cookie consent

Plausible:

Plausible doesn’t collect cookies.

Abralytics:

YES, Abralytics doesn’t collect cookies.

Submission to Cloud Act/FISA

Plausible:

NO, data is stored in the EU by a European cloud provider.

Abralytics:

NO, data is stored in the EU and anonymized (therefore no longer considered personal).