1. Introduction
Host Server SRL ("we", "us", "our", or "Statalog") operates the Statalog website and service.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
Important Distinction: Statalog collects two types of data:
- Visitor Analytics Data: Anonymous, aggregated data about your website visitors (cookieless, no personal data)
- User Account Data: Your email, account settings, and billing information
This policy explains how we handle both. Please read it carefully.
2. Information We Collect
2.1 Visitor Analytics Data (Collected on Your Behalf)
When you add Statalog to your website, we collect anonymous analytics about your visitors:
- IP Address: Used only to determine geographic location (country level), then immediately discarded
- User-Agent: Device type, browser, operating system
- Page URL: Pages visited on your site
- Referrer: Where the visitor came from
- Events: Custom events you track (e.g., button clicks, form submissions)
What we do NOT collect: Cookies, persistent identifiers, personal data, passwords, credit cards, or any sensitive information.
Visitor Identification: Visitors are identified using a daily-rotating hash of (IP + User-Agent + salt). This identifier:
- Resets every 24 hours — the same person cannot be tracked across days
- Cannot be reversed to identify an individual
- Does not persist on the visitor's device (no cookies)
2.2 User Account Data
When you sign up for Statalog, we collect:
- Email Address: For authentication and communication
- Password: Stored securely using bcrypt hashing (we cannot read it)
- Account Preferences: Timezone, language, notification settings
- Billing Information: Handled by Stripe (we do not store credit card numbers)
- API Keys: For REST API access (hashed and stored securely)
2.3 Integration Data
If you connect optional integrations, we collect:
- Google Search Console: Your GSC authorization token (stored encrypted, auto-refreshed)
- Webhooks: You specify the endpoint; we send event payloads to your URL
3. How We Use Your Data
3.1 Visitor Analytics Data
We use visitor analytics data to:
- Generate reports in your dashboard (traffic, sources, devices, etc.)
- Calculate conversion goals and funnels
- Provide real-time visitor insights
- Detect and filter bot traffic
You own this data. Statalog is a data processor, not the owner. We do not sell, share, or use your visitor data for any purpose other than providing the service.
3.2 User Account Data
We use account data to:
- Authenticate you and maintain your account
- Process billing and subscriptions (via Stripe)
- Send service-related emails (password reset, billing receipts, important notices)
- Provide customer support
- Comply with legal obligations
4. Data Storage & Location
All data is stored in the European Union to ensure GDPR compliance.
- User Account Data: MySQL database (EU region)
- Visitor Analytics Data: ClickHouse (EU region)
- Payment Information: Stripe (PCI DSS compliant, we don't store credit cards)
5. Data Retention
5.1 Visitor Analytics Data
Retention depends on your account status:
- Active Domain: Data is retained according to your plan settings
- After Domain Deletion: Data is permanently deleted 30 days after you delete the domain
- After Subscription Expiration: Data is retained for 3 days, then permanently deleted
- Recovery Window: You can request to restore a deleted domain within 29 days of deletion
5.2 User Account Data
Account data is retained as long as your account is active. When you delete your account:
- Personal data is deleted within 30 days
- Billing records are retained for 7 years (tax/legal requirement)
- You can request data export before deletion
6. Your Rights (GDPR & CCPA)
6.1 European Union (GDPR)
If you are in the EU, you have the right to:
- Access: Request a copy of all data we hold about you
- Rectification: Correct inaccurate data
- Erasure: Delete your account and all associated data (subject to legal retention requirements)
- Data Portability: Download your data in a portable format
- Objection: Opt out of certain processing
To exercise these rights, contact us at support@statalog.com.
6.2 California (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know: What personal data we collect and how it is used
- Delete: Request deletion of your personal data (with exceptions)
- Opt-Out: Opt out of the sale or sharing of personal information (we do not sell your data)
- Correct: Request correction of inaccurate data
To submit a request, contact us at support@statalog.com.
7. No Cookies
Statalog does not use cookies to track visitors. Visitor identification is based on daily-rotating hashes, not persistent cookies or fingerprints.
This means:
- No consent banner is required on your website
- Visitors cannot be tracked across days
- Full GDPR compliance without extra effort
8. Third-Party Services
8.1 Stripe (Payment Processing)
Billing and subscriptions are handled by Stripe. We do not store credit card information. Stripe's Privacy Policy applies to payment data: stripe.com/privacy
8.2 Google Search Console (Optional)
If you connect GSC, we store your authorization token (encrypted). This data is used only to fetch your GSC keywords and display them in your dashboard. Google's Privacy Policy applies: policies.google.com/privacy
8.3 Webhooks (Optional)
If you use webhooks, we send event payloads to your specified endpoint. You control the webhook URL and can disable webhooks at any time.
9. Data Breach & Security
We implement industry-standard security measures to protect your data:
- TLS/SSL encryption for all data in transit
- Encrypted storage for sensitive data (passwords, tokens)
- Regular security audits and monitoring
- Access controls and least-privilege principles
In the event of a confirmed data breach affecting personal data, we will notify affected users within 72 hours as required by GDPR.
10. Data Processing Agreement (DPA)
Enterprise customers may request a Data Processing Agreement (DPA) for GDPR compliance. Contact us at support@statalog.com for details.
11. Do Not Track (DNT)
If your browser sends a "Do Not Track" (DNT) signal, Statalog will respect it and exclude you from analytics tracking.
12. Children's Privacy
Statalog is not intended for users under 13 years old. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of Statalog after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or your data, contact us:
This Privacy Policy is provided for informational purposes. For legal interpretation or specific compliance questions, please consult with a legal professional.