Simple Analytics and Data Protection – What Belongs in the Privacy Policy

The Dutch analytics tool completely refrains from cookies, IP addresses and fingerprinting. For website operators, the documentation effort is significantly reduced, but transparent privacy policies are also legally required for cookie-less systems.

A. Purpose and Function of Simple Analytics

Simple Analytics is a data-protection-friendly web analytics tool that is characterised by strict data minimisation. Unlike Google Analytics or Matomo, it does not require any cookies on the user's terminal device and does not collect IP addresses or persistent identifiers.

The integration takes place via a small JavaScript snippet that is inserted into the <head> section or before the closing </body> tag of the website. The script automatically captures access data and sends it to the Simple Analytics servers without storing or processing personal data.

The business model is based on the idea: Anyone who does not store personal data does not need consent and does not generate compliance risks.

B. Mandatory Disclosures of the Privacy Policy when Using Simple Analytics

Under Art. 13, 14 GDPR, website operators must transparently inform their visitors about every data processing – even if this does not lead to personal data. The classic practice of writing a separate paragraph for each analytics tool is not legally ideal.

Topic-oriented approach: Instead of "Google Analytics vs. Plausible vs. Simple Analytics", it is more transparent to organise data processing by category:

• Website improvement and user analysis
• Server logs and security
• Conversion tracking and events

Simple Analytics can be presented under "Website improvement", with the addition: "We use Simple Analytics, a data-protection-compliant analytics tool without cookies. It does not collect IP addresses, no fingerprinting and no persistent IDs."

Minimum requirement: Name the tool and mention that you communicate EU hosting, cookie freedom and missing consent obligation.

C. Provider of Simple Analytics

Legal name: Simple Analytics B.V.
Country of seat: Netherlands (EU)
Place of incorporation: Bussum, Netherlands
Trade register number: 60978856 (Dutch Chamber of Commerce)

Privacy Policy: https://www.simpleanalytics.com/privacy
Documentation & compliance: https://docs.simpleanalytics.com/compliance

Hosting region: The servers and infrastructure are hosted in the Netherlands and other EU countries. Simple Analytics only uses European hosting providers and guarantees that visitor data is not forwarded outside the EU.

Legal form: Simple Analytics is a Dutch corporation (B.V. = Besloten Vennootschap), which corresponds to a GmbH in Germany.

D. Data Processing – Workflow in Steps

E. Data Collected by Simple Analytics

Simple Analytics collects no personal data within the meaning of the GDPR. Instead, the tool collects the following non-identifiable information:

Data categories:

• Web server log data: Timestamp, HTTP status code, requested page (URL), page title.
• Referrer data: The source of the page views (direct, search engine, external website).
• UTM parameters: Marketing campaign data in the URL (utm_source, utm_campaign, utm_medium).
• Device data: Device type (desktop, tablet, mobile), operating system (anonymised).
• Browser information: Browser type (Chrome, Firefox, Safari – without version number tracking).
• Rough location data: Country and rough city (time zone as proxy, no exact geolocation).
• Conversion events: If required: custom events, clicks, form submissions (provided no PII is sent along).

Particularity: Neither IP addresses nor cookies are captured or stored. There are no persistent user IDs and no fingerprinting. Each page view is a stand-alone transaction without reference to previous visits by the same user.

F. Purposes of Use

Simple Analytics is used for the following purposes:

General product improvement:

• Understanding visitor flows and usage patterns
• Optimisation of website structure and user guidance
• Identification of performance problems
• Business management and strategic planning

Expressly excluded:

• No individual user tracking across devices
• No profiling or creation of user profiles
• No use for personalised advertising or remarketing
• No sale or sharing of data with third parties for marketing purposes

G. Legal Bases for Simple Analytics

The legal admissibility of Simple Analytics is often misclassified. Here is the practical analysis:

1. § 25(1) TDDDG (formerly ePrivacy Directive):

The legal principle "Storing on the terminal device requires consent" does not apply to Simple Analytics, because no cookies are stored. Caution: Some analytics providers call themselves "cookieless", but use fingerprinting (IP + date hashed). Simple Analytics explicitly refrains from these methods.

Result: § 25(1) TDDDG does not apply. You do not need consent for the use of Simple Analytics.

2. Art. 6(1)(f) GDPR (legitimate interest):

The legally compliant argument: As a website operator, you have a legitimate interest in:

• Improvement of the website function
• Business management and optimisation
• Security and operational efficiency

However: This interest is controversial and must be justified in individual cases by a balancing with user rights. For public/commercial websites this is regularly recognised, for private sites less so.

3. Art. 6(1)(a) GDPR (consent) – the safe way:

Although technically not required (no terminal device storage), we recommend:

• Transparency banner or notice in the privacy policy
• Explicit consent in the terms of use or cookie banner (even without technical necessity)

This reduces legal risks and shows compliance awareness vis-à-vis supervisory authorities.

Conclusion: Simple Analytics is permissible without consent (no terminal device storage), but an explicit notice in the privacy policy is legally required.

H. Special Features and Notes

• ✓ No cookies: Simple Analytics does not use first-party or third-party cookies.
• ✓ No persistent IDs: No user IDs, no fingerprinting hashes (not even hashed).
• ✓ No IP addresses: IP addresses are not collected or stored.
• ✓ EU hosting: Servers in Netherlands/Iceland, guaranteed EU data localisation.
• ✓ DPA available: Simple Analytics provides Data Processing Agreements (under Art. 28 GDPR).
• ✓ Role: Processor: Simple Analytics acts on your instructions; you remain controller.
• ✓ Documentation: GDPR and UK GDPR compliance is documented; compliance page: https://docs.simpleanalytics.com/compliance
• ✓ Clean data deletion: Data is automatically deleted after a configurable period.

I. FAQ

J. Conclusion and CTA

Simple Analytics significantly reduces compliance complexity. Because no personal data is collected, you do not need a cookie banner, no user consents and no complex Data Processing Agreement (although formally recommended).

Important: Even with Simple Analytics, a privacy policy is required. You must transparently communicate that you use analytics and for what purpose. The minimum text should contain:

• Name of the tool: "Simple Analytics"
• Purpose: "Website optimisation and analyses"
• Legal basis: "Legitimate interest under Art. 6(1)(f) GDPR" or "Consent under Art. 6(1)(a) GDPR"
• Provider: "Simple Analytics B.V., Netherlands"
• Particularity: "No cookies, no IP addresses, EU hosting"

K. Curator