GDPR
HitKeep can materially improve the technical side of a GDPR posture. It does not decide your lawful basis or make controller obligations disappear.
Where HitKeep Helps Under GDPR
Data minimization and purpose limitation
GDPR Article 5 requires personal data to be:
- processed for specified purposes
- adequate, relevant, and limited to what is necessary
HitKeep helps here by keeping the analytics surface comparatively narrow:
- no advertising integrations
- no built-in cross-site profiling product
- no analytics cookies by default
- no third-party frontend script dependency for the dashboard
The public hit schema stores analytics fields such as:
- path
- referrer
- user agent
- language
- country code
- UTM parameters
- session ID and page ID
Importantly, the hit schema does not include a stored IP-address column. IP addresses are still processed transiently for things like GeoIP resolution, trusted-proxy handling, and IP exclusions, so the overall analytics processing is still privacy-relevant.
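The split described above, transient IP processing feeding a stored record that has no IP column, is illustrated by the following added example. It is not HitKeep's code; the proxy list, exclusion list, GeoIP prefix table and request shape are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (not HitKeep's real settings): peers allowed to set
# X-Forwarded-For, visitor IPs excluded from analytics, and a toy GeoIP prefix table.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDED_IPS = [ipaddress.ip_network("203.0.113.7/32")]
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


@dataclass
class Hit:
    """Stored analytics record: derived fields only, deliberately no IP column."""
    path: str
    referrer: Optional[str]
    user_agent: str
    language: Optional[str]
    country: Optional[str]
    session_id: str
    page_id: str


def client_ip(peer_ip: str, xff: Optional[str]):
    """X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    otherwise a visitor could spoof its country or dodge an exclusion."""
    peer = ipaddress.ip_address(peer_ip)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        # The rightmost entry is the one appended by the trusted proxy itself.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def lookup_country(ip) -> Optional[str]:
    return next((cc for net, cc in GEOIP_TABLE.items() if ip in net), None)


def build_hit(req: dict) -> Optional[Hit]:
    """The IP exists only inside this function: it drives exclusion and GeoIP,
    then goes out of scope instead of being persisted."""
    ip = client_ip(req["peer_ip"], req.get("x_forwarded_for"))
    if any(ip in net for net in EXCLUDED_IPS):
        return None  # excluded visitor: nothing is recorded at all
    return Hit(path=req["path"], referrer=req.get("referrer"),
               user_agent=req.get("user_agent", ""), language=req.get("language"),
               country=lookup_country(ip), session_id=req["session_id"],
               page_id=req["page_id"])
```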
Storage limitation
GDPR Article 5 also requires personal data to be kept no longer than necessary.
HitKeep supports this directly with:
- global and per-site retention controls
- Parquet archiving before pruning
- operator-controlled retention windows instead of vendor-imposed plan defaults
Data portability
GDPR Article 20 establishes a right to data portability in applicable cases.
HitKeep supports portability with:
- user takeout
- site takeout
- export formats including JSON, CSV, Parquet, and XLSX
Privacy by design and by default
GDPR Article 25 requires controllers to implement data protection by design and by default.
Relevant HitKeep defaults include:
- cookie-free public analytics by default
- same-origin asset serving
- zero telemetry
- DNT-respecting behavior by default
- local-first / self-hostable storage design
That does not mean every deployment automatically satisfies Article 25, but it is a materially better starting point than many hosted analytics tools.
Security of processing
GDPR Article 32 requires appropriate technical and organisational measures.
Relevant HitKeep controls include:
- HTTP-only session cookies
- TOTP and passkeys
- per-IP rate limiting
- Sec-Fetch validation
- trusted proxy controls
- self-hosted or region-pinned cloud deployment
Where GDPR Still Depends On You
HitKeep does not decide these controller obligations for you:
- your lawful basis under Article 6
- your privacy notice
- your record of processing
- your data retention policy
- whether your implementation triggers a DPIA
- your processor contracts and transfer assessments
International Transfers and Data Residency
HitKeep can reduce GDPR Chapter V transfer issues because you can:
- self-host in your own environment
- choose EU-hosted managed cloud
- avoid third-party frontend analytics delivery
But transfers can still happen if you choose services outside your preferred jurisdiction, such as:
- external SMTP providers
- S3/object storage outside the EU
- reverse proxies or CDNs outside the EU
- US-region cloud for EU data
The dashboard also includes an optional server-side favicon proxy to DuckDuckGo’s favicon service. That means the browser is not contacting a third party directly, but your server may still make that outbound request. If you need a stricter GDPR posture, disable or proxy that behavior within your own boundary.
HitKeep Cloud and GDPR
If you use HitKeep Cloud, treat the service relationship as part of your GDPR assessment:
- choose the right region at signup
- ensure your privacy notice reflects the hosted analytics service
- review the Privacy Policy (Cloud)
- review the Terms of Service (Cloud)
- confirm your transfer and processor documentation requirements
Practical GDPR Checklist
- Decide your lawful basis for analytics.
- Document the analytics purpose in your privacy notice.
- Decide whether your current tracker setup requires consent in your jurisdiction.
- Set a defensible retention window.
- Document export / deletion handling in internal procedures.
- Review cloud-region and transfer implications before production use.