Privacy Battles
Swetrix (Privacy Score: 64%) ⚔️ Visitor Analytics (Privacy Score: 100%)

Designated DPO or GDPR correspondent

Compliant
Partially Compliant
Not Compliant

Swetrix doesn't mention having a DPO or GDPR correspondent, but it has a dedicated privacy email contact available on its website: contact@swetrix.com.

Compliant
Partially Compliant
Not Compliant

Visitor Analytics has appointed a Data Protection Officer who can be contacted at the following address: dpo@visitor-analytics.io.

Country & Type of Data storage

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
Ukraine

Storage Facilities:
Analytics data is stored in Germany by US cloud provider Cloudflare.

Compliant
Partially Compliant
Not Compliant

Company Headquarters:
Germany and Romania (EU)

Storage Facilities:
All analytics data is processed by German cloud provider Hetzner, in Germany.

Data transfers outside the EU

Compliant
Partially Compliant
Not Compliant

Data is deemed not transferred outside the EU.

Should a transfer ever occur, Swetrix commits to transferring personal data outside the EU only if adequate security controls are in place.

Compliant
Partially Compliant
Not Compliant

Data is never transferred outside the EU.

Should a transfer ever occur, Visitor commits to transferring personal data outside the EU only if an adequate level of data protection is established.

Legal tools for Subcontractors

Compliant
Partially Compliant
Not Compliant

Subcontractors are subject to the same protection level as set out in Swetrix’s Privacy Policy: https://swetrix.com/privacy

Swetrix has made public its list of subprocessors: https://swetrix.com/privacy 

Swetrix doesn’t specify whether written contracts are signed with subcontractors, nor whether it informs controllers when a new subcontractor is added to the analytics service.

Compliant
Partially Compliant
Not Compliant

Subcontractors are subject to written agreements providing the same protection level as set out in Visitor’s DPA: https://www.visitor-analytics.io/fileadmin/visitor-analytics/downloads/dpa/20210622_visitor-analytics_data-processing-agreement_en.pdf

Visitor has made public its list of subprocessors: https://www.visitor-analytics.io/fileadmin/visitor-analytics/downloads/dpa/20210622_visitor-analytics_data-processing-agreement_en.pdf

Prior to adding a new subprocessor or replacing an existing subprocessor, Visitor informs controllers and provides a reasonable deadline for them to object.

Data Breach Notification

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t mention directly notifying controllers of a data breach within a set time frame, nor assisting controllers in notifying the supervisory authority of the breach.

Compliant
Partially Compliant
Not Compliant

Visitor commits to notify controllers without undue delay after becoming aware of a security incident, to assist controllers in fulfilling their notification and communication obligations, and to take appropriate measures to mitigate the possible adverse effect of the incident.

Right Requests Process

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t mention providing assistance to controllers when a data subject submits a rights request.

Compliant
Partially Compliant
Not Compliant

Visitor Analytics will notify the concerned controller promptly (maximum 5 working days) in writing of any communication received from a data subject relating to its rights and will assist the controller within the scope of its ability to fulfil the request.

Data Privacy Impact Assessment

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t specify having conducted DPIAs or providing assistance to controllers if needed.

Compliant
Partially Compliant
Not Compliant

Visitor assists controllers in ensuring compliance with their obligations in respect of DPIAs and prior consultation.

Employee Training

Compliant
Partially Compliant
Not Compliant

Swetrix doesn't mention employee training or employees being subject to NDAs.

Compliant
Partially Compliant
Not Compliant

Visitor ensures all persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Policy

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t mention having a security policy.

Compliant
Partially Compliant
Not Compliant

Visitor has obtained an ISO 27001 certification, for which a security policy is necessary.

Organizational and Technical Security Measures

Compliant
Partially Compliant
Not Compliant

Server security:

Cloud security relying on Cloudflare.

Other measures:

Data pseudonymisation (salted hash), data backups, data encryption.

Compliant
Partially Compliant
Not Compliant

Visitor has obtained an ISO 27001 certification, for which a security policy is necessary.

Data Encryption

Compliant
Partially Compliant
Not Compliant

Data is encrypted in transit (HTTPS).

Compliant
Partially Compliant
Not Compliant

Data encryption in transit (SSL).

Restriction of access

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t mention any specific restrictions of access to personal data.

Compliant
Partially Compliant
Not Compliant

Visitor allows employees to access or process personal data for IT support and maintenance. Internal access to data (e.g., by employees) is regulated through the concept of least privilege.

A special script and encrypted keys are used to access personal data and audits are conducted to ensure controls are enforced.

Reuse of data

Compliant
Partially Compliant
Not Compliant

Swetrix doesn’t reuse personal data, nor sell it.

Compliant
Partially Compliant
Not Compliant

Visitor Analytics is only providing data to each controller based on the Data Processing Agreement signed between the two parties and will not share personal data without the controller’s consent, except under certain limited circumstances, such as when required by law.

Exemption of cookie consent

Compliant
Partially Compliant
Not Compliant

YES, the Swetrix analytics script is fully cookieless.

Compliant
Partially Compliant
Not Compliant

YES, Visitor doesn’t collect unnecessary cookies.

Cookies collected relate to ignoring a data subject’s visit on a website.

Submission to Cloud Act/FISA

Compliant
Partially Compliant
Not Compliant

NO, data is hashed and not stored on servers for more than 30 minutes.

Compliant
Partially Compliant
Not Compliant

NO, data is stored in the EU by a European cloud provider.