GDPR Knowledge

Piwik PRO and Data Protection – What Belongs in the Privacy Policy

Compact guide to Piwik PRO: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

If a website operator uses Piwik PRO as a web analytics tool, it processes visitor data (IP addresses, usage behaviour, device information and interaction data) for the purpose of reach measurement and website optimisation on the basis of consent or, in the case of anonymised use, on the basis of legitimate interests. This documentation summarises which information on processing with Piwik PRO belongs in the privacy policy.

A. Purpose and Function of Piwik PRO

Piwik PRO is an analytics suite of the Polish company Piwik PRO Sp. z o.o., which in addition to web analytics also includes tag management, consent management and Customer Data Platform (CDP). For the typical application – the integration of the analytics function – a JavaScript tracking code (pixel/snippet) is integrated into the source code of the website. This code automatically captures visitor and interaction data and transfers it to Piwik PRO servers. The data serves to analyse usage patterns, conversion tracking and improvement of the website offering.

Piwik PRO differs from solutions such as Google Analytics in that the website operator – not Piwik PRO – retains control over the data, that complete EU hosting is possible and that consent-free, anonymised measurement is offered. The other functions (tag manager for managing tracking codes, consent manager for cookie banners, CDP for user profiles) play a subordinate role for the data protection documentation, provided only the analytics integration is used.

B. Mandatory Disclosures of the Privacy Policy when Using Piwik PRO

A privacy policy must contain the following information on tools such as Piwik PRO under the GDPR: the purposes of the processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), any legitimate interests of the controller (Art. 13(1)(d) GDPR), the recipients or categories of recipients of the data (Art. 13(1)(e) GDPR), third-country transfers and protection mechanisms (Art. 13(1)(f) GDPR) as well as the retention period or criteria for determining it (Art. 13(2)(a) GDPR).

A widespread but not recommended practice is the so-called "text template per tool" – a separate paragraph in the privacy policy for each analytics tool. This leads to documents that are difficult to read, redundant and difficult to maintain. A topic-oriented approach is better: a section on "reach measurement and website analytics" with general purposes and legal bases, supplemented by a recipient list in the annex in which all analytics tools used are listed with their providers, locations and links to their privacy policies. This better corresponds to the transparency requirement of the GDPR (Art. 12(1)).

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Piwik PRO

Company name: Piwik PRO Sp. z o.o. (Spółka z ograniczoną odpowiedzialnością)

Address: Ul. Świętego Antoniego 2/4, 50-073 Wrocław (Breslau), województwo DOLNOŚLĄSKIE, Poland

Country of seat: Poland (EU Member State)

Data Protection Officer/Contact: Piwik PRO provides information on data protection compliance at https://piwik.pro/privacy-compliance/ and https://piwikpro.de/datenschutz/. For questions on data processing, the data protection office can be contacted at gdpr@piwik.pro. The provider's privacy policy can be found at https://piwikpro.de/datenschutz/.

Role: Piwik PRO regularly acts as processor – the website operator remains controller.

D. Data Processing with Piwik PRO – Workflow in Steps

Collection: The JavaScript tracking code is automatically executed in the visitor's browser when the website is visited. It immediately captures device and behavioural data.

Storage: The data is transferred to Piwik PRO servers. The website operator chooses the hosting region: EU Cloud (e.g. in Germany or the Netherlands), US Cloud or Private Cloud (on-premises in your own Azure subscription or Elastx Cloud in Sweden). With EU hosting, no transfer to third countries takes place.

Use: The website operator accesses aggregated and anonymised evaluations (page views, time spent, conversion events) via the Piwik PRO dashboard. Access to individual logs is typically not provided.

Disclosure: Piwik PRO does not pass data on to third parties. The website operator retains control and can export data if applicable.

Erasure: The website operator defines retention periods (by default a few months to years). After expiry, data is deleted automatically.

E. Data Collected by Piwik PRO

Piwik PRO automatically captures technical and behaviour-oriented data on every visit. This includes the visitor's IP address, unique visitor and session IDs, information on browser and operating system, device type and screen resolution, visited pages and their order, time spent per page, clicks on links/buttons, referrer information, rough geographical location data (determined from the IP address at city/municipality level), UTM parameters from links and defined conversion events (e.g. "Form submitted", "Download performed").

This data can be classified into the following standardised data class types:

  • Web server log data: IP address, timestamp, URL of the requested page, HTTP referrer, browser name and version, operating system.
  • Click paths and navigation behaviour: Order of visited pages, links to the page, clicks on certain UI elements.
  • Device data: Device type (desktop/tablet/mobile phone), operating system, screen resolution, orientation (portrait/landscape).
  • Browser information: Browser name, version, installed plug-ins/extensions (if captured).
  • Rough location data: Country, region, city (based on the IP address; no geolocation accurate to street/house number).
  • Interaction data: Scroll depth, time spent per element, clicks on buttons, possibly keyboard input (with the session recording function activated – this must be explicitly switched on).
  • Conversion events: User-defined goals (e.g. registration, purchase, download).
  • User profiles and segments: When using the CDP function, aggregated interest profiles or cohorts based on behaviour.
  • Technical telemetry data: JavaScript errors, page load times, API errors.

F. Purposes of Use when Using Piwik PRO

The website operator uses the data captured with Piwik PRO primarily for reach measurement (how many visitors, page views, sessions), for analysing user behaviour (which content is of interest, what is the time spent, where are the bounce points), for optimising the website (which changes have a positive effect on conversion), for tracking marketing campaigns (UTM parameters) and for improving products and services. When using the CDP function, user profiles can be created and used for targeted approaches.

These purposes can be classified into the following standardised purpose-of-use classes:

  • General product improvement: Aggregated analysis of usage patterns (e.g. "80% of visitors navigate to section X") to optimise the structure and content.
  • User-individual product improvement: Tracking of individual visitor journeys to remedy UX problems or to personalise content (typically requires extended consent).
  • General marketing: Measurement of the reach and effect of advertising campaigns via UTM parameters or pixel tracking; benchmarking against industry averages.
  • User-individual marketing: Retargeting, audience segmentation and targeted approach based on captured behaviour (requires consent).
  • Security and abuse protection: Detection of suspicious access patterns, bot detection, protection against DDoS attacks.

Tool category: Piwik PRO is primarily a tracking tool of the Statistics/Analytics category, optionally also tracking of the Marketing category, if the data is used for retargeting or marketing optimisation.

Applicable legal bases:

  1. Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG): This is the regularly applicable legal basis for tracking cookies or similar storage techniques (e.g. visitor IDs) used by Piwik PRO. The website operator must obtain freely given, specific and informed consent of the visitor before setting the tracking code – typically via a cookie banner or consent management platform.

  2. Legitimate interests (Art. 6(1)(f) GDPR): With cookie-less, anonymised measurement (Piwik PRO offers a consent-free tracking variant in which identifiers such as session hash are used instead of cookies and no tracking of individual users is possible), Art. 6(1)(f) GDPR may be considered – the legitimate interests of the website operator in improvement and business management. However, this view is disputed in legal practice and data protection supervision; a case-by-case examination is required.

Important note: The applicable legal basis is case-dependent and is to be examined in individual cases by the website operator with advice from data protection professionals or a lawyer. This is not a final legal assessment.

H. Special Features and Notes on Piwik PRO

  • Data protection impact assessment (DPIA): When processing visitor data, a DPIA under Art. 35 GDPR may be considered. A complete risk analysis is recommended.

  • Data Processing Agreement (DPA): Piwik PRO provides templates for a Data Processing Agreement. A signed DPA is a prerequisite for the lawfulness of the processing on behalf. A hard-copy DPA can be requested at legal+dpa@piwik.pro.

  • EU hosting as standard option: To avoid third-country transfers, website operators in the EU should choose the EU Cloud option (e.g. hosting in Germany, the Netherlands or Sweden). US Cloud options lead to transfer to a third country and require appropriate protection mechanisms (Standard Data Protection Clauses, possibly adequacy decision).

  • Opt-out and consent manager integration: Piwik PRO offers opt-out options; details can be found at https://help.piwik.pro/support/privacy/setting-consent-manager/. Integration with consent management platforms (e.g. Cookie Information) is also possible.

  • Anonymisation and pseudonymisation options: The website operator can anonymise IP addresses, use session hashes instead of cookies or activate fully anonymised measurement. This reduces or eliminates the data protection classification as personal.
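The IP anonymisation and cookie-less session hash mentioned above, shown as an added illustration of the general technique (not Piwik PRO's own code; the site ID, salt handling and field names are assumptions): the raw IP feeds a keyed hash with a random per-day salt that is never persisted, and only the truncated IP is stored.

```python
"""Cookie-less, anonymised reach measurement (constructed illustration)."""
import hashlib
import hmac
import ipaddress
import secrets
from datetime import date


def anonymise_ip(ip: str) -> str:
    """Zero the host part of the address: last 8 bits of IPv4, last 80 bits of IPv6."""
    addr = ipaddress.ip_address(ip)
    keep = 24 if addr.version == 4 else 48
    mask = ((1 << keep) - 1) << (addr.max_prefixlen - keep)
    return str(ipaddress.ip_address(int(addr) & mask))


def daily_salt(day: date, _cache: dict = {}) -> bytes:
    """Random per-day secret held only in memory. When the day changes the old
    salt is discarded, so hashes can neither be recomputed nor linked across days."""
    if day not in _cache:
        _cache.clear()
        _cache[day] = secrets.token_bytes(32)
    return _cache[day]


def session_id(site_id: str, ip: str, user_agent: str, day: date) -> str:
    """Keyed hash over site, raw IP and user agent; stands in for a visitor cookie
    and only groups hits from the same browser within one day."""
    msg = "|".join((site_id, ip, user_agent)).encode()
    return hmac.new(daily_salt(day), msg, hashlib.sha256).hexdigest()[:16]


def record_pageview(site_id: str, ip: str, user_agent: str, url: str, day: date) -> dict:
    """Build the record that would be persisted: the raw IP never leaves this function."""
    return {
        "site": site_id,
        "day": day.isoformat(),
        "url": url,
        "ip": anonymise_ip(ip),
        "session": session_id(site_id, ip, user_agent, day),
    }


if __name__ == "__main__":
    # Constructed sample hit (documentation addresses, not real visitors).
    hit = record_pageview("site-1", "203.0.113.77", "Mozilla/5.0 (X11)", "/pricing", date(2026, 4, 1))
    print(hit)
```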

  • ISO 27001 and SOC 2 certification: Piwik PRO is certified to ISO 27001 and meets SOC 2 standards, which indicates technical data security.

  • Concerns with session recording: If the website operator uses Piwik PRO's session recording function (heatmaps, session playback), additional precautions are required to prevent sensitive user input (passwords, credit card data) from being recorded.

I. FAQ on Piwik PRO and Data Protection

J. Conclusion and Call-to-Action

Piwik PRO is a European, data-protection-friendly analytics tool with EU hosting, consent manager integration and anonymised tracking options. Website operators should transparently document the data processed, purposes and legal bases in their privacy policy.

A widespread mistake is the so-called "text template per tool" – a separate paragraph for each analytics system. This makes privacy policies unreadable, redundant and difficult to maintain. Better: a topic-oriented structure (e.g. a section "Web analytics") with general purposes and legal bases, supplemented by a recipient list in the annex with names, location and links to the privacy policies and DPAs of all tools used.

Disclaimer: This article serves as general information on Piwik PRO and does not replace legal advice in individual cases. As of: April 2026. The presentation is based on information from the provider and publicly researchable sources. For the specific application, advice from a data protection officer or lawyer is recommended.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com