Matomo Analytics and Data Protection – What Website Operators Need to Know

If a website operator uses Matomo – whether self-hosted or cloud – it processes website visit data for analysis and optimization. The data protection requirements differ significantly: with self-hosted Matomo, the operator itself is the controller without a third-country transfer (if the server is located in Germany/EU); with Matomo Cloud, InnoCraft Ltd (Wellington, New Zealand) is the processor with potential third-country transfer to New Zealand. This information is based on provider information and publicly available sources.

A. Purpose and Function of Matomo Analytics

Matomo is an open-source web analytics platform (formerly Piwik) – a solution for the collection and analysis of website visit data. It is used by operators to understand user behavior, measure conversion rates and optimize website performance.

Integration function: The operator embeds a JavaScript tracking code in its website. This code records on visit, similar to Google Analytics or etracker:

• Visited pages (URLs)
• Dwell time, clicks, scroll depth
• Conversion events (purchase, request, registration)
• Device, browser, location information

Particularity: Matomo is the only Google Analytics alternative that exists as open source – and can therefore be operated in two variants:

1. Matomo Self-Hosted: Operator installs Matomo on its own server (e.g. in own data center or rented infrastructure). Operator is the controller – only its own server, no third-country transfers (if server in Germany/EU).

2. Matomo Cloud: Operator uses Matomo hosting from InnoCraft Ltd. InnoCraft is the processor, servers are in the EU (Germany, France) – but the parent company is based in New Zealand.

B. Mandatory Disclosures in the Privacy Policy regarding Matomo

Under the GDPR, the operator must disclose different information depending on the variant:

General (both variants):

• Purpose (Art. 13(1)(c)): Website analysis, visitor measurement, conversion tracking, optimization
• Recipients (Art. 13(1)(e)):
  • Self-hosted: Only the operator (controller)
  • Cloud: InnoCraft Ltd as processor
• Retention period (Art. 13(2)(a)): Configurable (typically: 3-36 months)
• Opt-out (important): Matomo opt-out URL

Specific self-hosted:

• Legal basis: Legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) – depending on configuration
• Third-country transfer: None (if server EU/Germany)

Specific cloud:

• Legal basis: Legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a))
• Third-country transfer (Art. 13(1)(f)): To New Zealand; legal justification required (SCC or similar)

Note: Tool-specific text blocks are problematic. Better: topic-oriented structure (chapter "Website analytics") with clear distinction between self-hosted and cloud.

C. Provider of Matomo: InnoCraft Ltd

(Relevant only for Matomo Cloud; for self-hosted, the operator itself is the controller)

• Legal name: InnoCraft Limited
• Registered office: 150 Willis Street, Wellington 6011, New Zealand
• Country of registered office: New Zealand (third country, not in the EEA)
• Privacy Policy: https://matomo.org/privacy-policy/
• DPF status: Matomo (InnoCraft) is not certified under the Data Privacy Framework (DPF). DPF certification would govern data transfers USA↔EU, but Wellington is not on the DPF list.
• DPA: Available for cloud customers; DPA template on the Matomo website at https://matomo.org/
• Data storage Matomo Cloud: Servers in EU (Germany, France); but parent company in New Zealand

D. Data Processing by Matomo – Process

D.1 Self-Hosted Matomo

D.2 Matomo Cloud

E. Data Collected when Using Matomo

Matomo collects data types similar to other web analytics tools:

• Web server log data: IP address, date/time/time zone, request URL, HTTP referrer, HTTP status code, user agent
• Click paths: Visited pages in order, clicked links, internal search terms (if Matomo search tracking is activated)
• End-device data: Device type (desktop/tablet/mobile), operating system, display resolution, plug-in information
• Browser information: Browser name, browser version, user agent string, Do Not Track setting
• Coarse location data: IP-based location (down to city level; more precise geolocation possible but data-protection-relevant)
• Conversion events: Custom events (e.g. purchase, download, contact request, video play)
• Interaction data: Scroll depth (if activated), mouse movements (if activated), dwell time per page
• User account data: If user ID tracking activated: username, email address, anonymized user ID
• Search terms: For internal website searches: search text, search results, clicks on search results

Note: Matomo is highly configurable – more or less data may be collected depending on activation.

F. Purposes of Use when Using Matomo

The data is processed for the following purposes:

• Functional provision: Provision of the analytics service (reporting, dashboards, API)
• General product improvement: Optimization of frequently visited content, performance improvement
• General marketing: Reach analysis, traffic source attribution, campaign measurement
• User-individual product improvement: Personalization based on user segments, optimization based on user behavior
• Security and abuse protection: Bot detection, spam filtering, anomaly detection
• Business planning and management: Data basis for strategic decisions
• Compliance (cloud only): Matomo can provide raw data logs for audit and support

G. Legal Bases for Matomo Analytics

G.1 Matomo Self-Hosted

Step 1 – Categorization: Matomo Self-Hosted is under the operator's control – the operator is the controller.

Step 2 – Legal bases:

• Cookieless anonymisation possible: Legitimate interests Art. 6(1)(f) GDPR (if IP is immediately anonymized)
• With cookies: Consent Art. 6(1)(a) in conjunction with § 25(1) TDDDG or legitimate interests (disputed)

Note: With self-hosted, the operator should configure Matomo such that no or anonymized cookies are set in order to avoid consent.

G.2 Matomo Cloud

Step 1 – Categorization: Matomo Cloud is a processor relationship (Art. 28 GDPR). InnoCraft is the processor.

Step 2 – Legal bases:

• Default: Legitimate interests Art. 6(1)(f) GDPR (operator has interest in website optimization)
• With tracking cookies: Consent Art. 6(1)(a) in conjunction with § 25(1) TDDDG

Third-country transfer to New Zealand:

• Status: Unclear. Matomo is not certified under DPF.
• Legal justification required: check whether SCC (Standard Contractual Clauses) or similar mechanisms are in place
• Data Protection Impact Assessment (DPIA) recommended, especially if conversion data or user IDs are processed

Case-by-case examination required: Operator should clarify with Matomo how the third-country transfer to New Zealand is regulated.

H. Special Features and Notes regarding Matomo

H.1 Self-Hosted

• Full control: Operator is controller, not Matomo. Full control over data, storage location, retention period.
• No third-country transfer: If server is located in Germany/EU, no third-country transfers.
• No processor agreement needed: No DPA with Matomo required (Matomo is just software).
• Technical requirements: Operator must provide server, set up SSL certificate, perform backups, install updates.
• Cost model: Open source, free; only server infrastructure costs.
• Consent-free variant possible: IP anonymisation and cookie deactivation enable legitimate interests without consent.

H.2 Matomo Cloud

• Processor agreement required: Conclude DPA with InnoCraft (is available by default).
• Third-country transfer unclear: New Zealand is outside DPF. Operator should clarify how data protection is ensured. Data protection impact assessment may be required.
• Servers in EU: Matomo Cloud stores in Germany/France (EU). But parent company is based in New Zealand.
• Technical simplicity: No server administration necessary; Matomo manages infrastructure.
• Cost model: Subscription-based (monthly/yearly fees).
• Sub-processors: Matomo may work with cloud infrastructure providers; sub-processor list in the DPA.
• Accountability: Operator must document that DPA has been concluded and that legal justification of third-country transfer has been examined.

I. FAQ regarding Matomo Analytics

J. Conclusion and Recommendation regarding Matomo Analytics

Summary: Matomo is a European-friendly analytics alternative to Google Analytics – especially the self-hosted variant, which gives the operator full control and does not require a third-country transfer. The cloud variant is more convenient but has a third-country transfer to New Zealand.

Common error with self-hosted: Operators install Matomo and set standard cookies without configuring IP anonymisation and cookie deactivation. This then requires CMP banner and consent. Better: cookieless configuration from the start.

Common error with cloud: Operators use Matomo Cloud without checking how the third-country transfer to New Zealand is lawfully ensured. DPIA should be carried out.

Best practice:

1. Prefer self-hosted (if you are technically capable) → full control, no third-country transfer
2. Cookieless configuration → activate IP anonymisation, deactivate cookies → no consent needed
3. Keep retention period short (3-6 months)
4. Transparent privacy policy distinguishes between self-hosted and cloud
5. For cloud: carry out DPIA, document legality of third-country transfer