
Compliance Overview

HitKeep can support a strong privacy and compliance posture. It does not make a deployment automatically compliant just because you install it.

The right way to read the compliance docs is:

  • HitKeep can reduce your compliance surface
  • HitKeep exposes controls that support common obligations
  • you still need the right lawful basis, notices, contracts, and request-handling workflows

That matters especially for:

| Regime | Does HitKeep help? | Main caveat |
| --- | --- | --- |
| GDPR | Yes, materially | You still need lawful basis, transparency, retention, contracts, and transfer analysis |
| PECR / ePrivacy | Yes, partly | HitKeep is cookie-free by default, but the current tracker uses sessionStorage, so device-storage rules may still apply |
| CCPA / CPRA | Yes, partly | You still need notices, request methods, and opt-out handling where sale/share rules apply |

The current product gives you several controls that matter for privacy programs:

  • Self-hosting or managed cloud: run HitKeep on your own infrastructure or in HitKeep Cloud in the EU or US
  • No analytics cookies by default: the public tracker does not set browser cookies for analytics
  • Public tracker uses sessionStorage: hk.js stores a short-lived session identifier in browser sessionStorage
  • Do Not Track respected by default: browsers sending DNT: 1 are skipped unless you explicitly override that behavior with data-collect-dnt="true"
  • No third-party frontend assets: dashboard assets and the tracker are served from your own origin
  • No phone-home telemetry: no external analytics vendor call is required for core product operation
  • Data export and portability: site and user takeout in open formats
  • Retention controls: per-site retention and Parquet archiving
  • Deletion primitives: admins can delete users and sites; tenant-scoped analytics data is removed with the site lifecycle
  • Security controls: HTTP-only auth cookies, TOTP, passkeys, rate limiting, trusted proxies, and same-origin serving
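As an added illustration of two of the controls above (it is not HitKeep's own code, and it assumes only the `hk.js` script name, the `data-collect-dnt="true"` override and the `DNT: 1` header named in this document), the snippet below audits a site's HTML for the tracker embed, flags a non-same-origin script source and an explicit DNT override, and mirrors the documented default skip rule for requests carrying `DNT: 1`. The HTML samples are constructed for the example.

```javascript
// Audit a page's HTML for the HitKeep embed and report the review items that
// the compliance controls above imply. Added example, not HitKeep code.
function auditTrackerEmbed(html, siteOrigin) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let found = false;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src || !/hk\.js(\?|$)/.test(src)) continue;
    found = true;
    // "No third-party frontend assets": the tracker should load from the site's own origin.
    let origin = null;
    try { origin = new URL(src, siteOrigin).origin; } catch (_) { /* unparsable src */ }
    if (origin !== siteOrigin) {
      findings.push(`tracker loaded from ${origin} rather than ${siteOrigin}`);
    }
    // data-collect-dnt="true" disables the default DNT skip; record it for the privacy notice.
    const dnt = (attrs.match(/\bdata-collect-dnt\s*=\s*["']([^"']*)["']/i) || [])[1];
    if (dnt && dnt.toLowerCase() === 'true') {
      findings.push('data-collect-dnt="true": visitors sending DNT: 1 are tracked');
    }
  }
  if (!found) findings.push('no hk.js embed found');
  return findings;
}

// Request-side mirror of the documented default: skip when DNT: 1 unless overridden.
function shouldCollect(headers, collectDnt = false) {
  const dnt = Object.entries(headers).find(([name]) => name.toLowerCase() === 'dnt');
  const optedOut = Boolean(dnt) && String(dnt[1]).trim() === '1';
  return !optedOut || collectDnt;
}

// Constructed sample embeds (not from any real deployment).
const SAMPLE_HTML_DEFAULT = `<html><head>
<script defer src="/hk.js"></script>
</head><body></body></html>`;
const SAMPLE_HTML_OVERRIDE = `<script src="https://cdn.example.net/hk.js" data-collect-dnt="true"></script>`;
```

Run `auditTrackerEmbed(html, 'https://example.com')` against each page you ship; an empty result means the embed matches the defaults described above.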

The most important compliance question is not:

“Is HitKeep compliant?”

It is:

“How does HitKeep change the technical and contractual risk profile of our analytics deployment?”

For most teams, the practical advantages are:

  • smaller analytics surface than ad-tech stacks
  • clearer data ownership
  • self-hosting when needed
  • explicit EU / US cloud region choice
  • open-format export and retention controls

The practical caveat is also clear:

  • the current public tracker is cookie-free, but not storage-free
  • therefore PECR / ePrivacy analysis still matters

Regime by regime, the areas that still need analysis are:

  • GDPR: data minimization, lawful basis, retention, international transfers, and cloud hosting
  • PECR / ePrivacy: cookies, sessionStorage, consent analysis, and dashboard cookies
  • CCPA / CPRA: notice, rights, service-provider positioning, and consumer request handling

If you use HitKeep Cloud, add these extra checks to your compliance review:

  • choose the correct region at signup
  • ensure your privacy notice describes the hosted service relationship
  • review the Privacy Policy (Cloud)
  • review the Terms of Service (Cloud)
  • confirm your own subprocessor, transfer, and retention requirements are satisfied