Privacy Battles
Simple Analytics (Privacy Score: 94%) ⚔️ Matomo (Privacy Score: 94%)

Designated DPO or GDPR correspondent

Simple Analytics:

Simple Analytics doesn’t process personal data and therefore does not have to designate a DPO.

Simple has a dedicated privacy email contact available on the website: privacyquestions@simpleanalytics.com

Matomo:

The DPO is external: ePrivacy GmbH, which can be reached at privacy@matomo.org or by post.

Privacy Policy

Simple Analytics:

Regarding cloud:
A Cloud Privacy Policy is not necessary as no personal data is processed in the Cloud.

Regarding website:
https://simpleanalytics.com/privacy-policy

Country & Type of Data storage

Simple Analytics:

Company Headquarters:
The Netherlands 🇳🇱  (EU) 🇪🇺

Storage Facilities:
All analytics data is processed by Dutch cloud providers Worldstream and Leaseweb.

Matomo:

Company Headquarters:
New Zealand 🇳🇿

Storage Facilities:
Servers, databases and logs are hosted in Frankfurt, Germany (cloud provider is AWS New Zealand). Offsite backups are stored in Dublin, Ireland.

Matomo Analytics can also be hosted on the client's premises.

Data transfers outside the EU

Simple Analytics:

Data is never transferred outside the EU.

Matomo:

The adequate level of protection in New Zealand has been approved by the European Commission.

Every transfer of personal data by Matomo to a country which is not a member state of either the EU or the EEA is subject to the prior consent of the controller.

Legal tools for Subcontractors

Simple Analytics:

Simple has only one subcontractor, for its CDN: BunnyCDN, which is part of a company called BunnyWay, located in Slovenia (EU). They have concluded a written agreement protecting personal data processed on BunnyCDN's part.

Matomo:

Subcontractors are subject to written agreements substantially similar to Matomo’s DPA: https://fr.matomo.org/matomo-cloud-dpa/

Matomo has made public its list of subprocessors: https://fr.matomo.org/matomo-cloud-privacy-policy/

Prior to modifying the list of subprocessors, the controller will be notified by email and is able to object.

Data Breach Notification

Simple Analytics:

Simple shares technical incidents on its website: https://status.simpleanalytics.com/?ref=simpleanalytics.com

Simple doesn’t process personal data, and therefore a data breach can neither materialize nor be notified.

Matomo:

In case of a data breach, Matomo will inform the controller by email without undue delay and provide a description of the incident as well as periodic updates, including the impact on the controller.

Right Requests Process

Simple Analytics:

Simple doesn’t process personal data and therefore does not have to fulfill this GDPR obligation.

Matomo:

Data requests will be forwarded to the controller without delay.

Data Privacy Impact Assessment

Simple Analytics:

Simple doesn’t process personal data and therefore does not have to fulfill this GDPR obligation.

Matomo:

Matomo will provide assistance to the controller for DPIAs.

Employee Trainings

Simple Analytics:

Simple doesn't process personal data and therefore is not obliged by the GDPR to subject its employees to confidentiality obligations and training on personal data management.

Matomo:

All employees required to access the personal data are deemed informed of the confidential nature of the personal data.

Security Policy

Simple Analytics:

Simple doesn’t mention having a security policy.

Matomo:

Matomo doesn’t mention having a security policy.

Organizational and Technical Security Measures

Simple Analytics:

Server security:
Cloud security relies on Worldstream and Leaseweb.

Other measures:
Anonymisation and pseudonymisation of data, password encryption, backups on external servers.

Matomo:

Matomo doesn’t mention having a security policy.

Data Encryption

Simple Analytics:

Data is encrypted at rest.

Matomo:

Data is encrypted in transit (HTTPS) and at rest.

Restriction of access

Simple Analytics:

Simple doesn’t process personal data and therefore does not have to fulfill this GDPR obligation.

Matomo:

A subset of employees has access to the products and to personal data via controlled interfaces. Access is enabled through “just in time” requests for access; all such requests are logged.

The backend production environment is accessible by a dedicated group of Privileged Users approved by senior management. Privileged Users may only access the backend production environment via a bastion host (two-factor authentication and SSH to log in).

Reuse of data

Simple Analytics:

Swetrix doesn’t reuse personal data, nor sell it.

Matomo:

Matomo does not pursue its own purposes with this data processing.

Exemption of cookie consent

Simple Analytics:

YES, Simple doesn’t set any cookies.

Matomo:

YES, if the controller disables the "cross domain tracking" and "third party cookies" functionalities.

Submission to Cloud Act/FISA

Simple Analytics:

NO, data is stored in the EU and anonymized (and therefore no longer considered personal).

Matomo:

NO, when data is stored on the controller's premises.

NO, if the controller enables data anonymization when using the Cloud solution.