Statcounter and Data Protection – What Belongs in the Privacy Policy
Compact guide to Statcounter: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.
Statcounter is a globally used web analytics tool that captures and analyses visitor data. Website operators using Statcounter must transparently document this use in their privacy policy, even with EU hosting. This guide shows which information is legally required and how to word it.
A. Purpose and Function of Statcounter
Statcounter is a web analytics service that captures, stores and analyses visitor data from websites and applications. The service works via a JavaScript snippet or alternatively via 1-pixel tracking graphics.
Function:
- Counting visits and determining visitor numbers
- Referrer sources (where visitors come from)
- Geographical data (country, city, time zone)
- Browser, operating system and device information
- Click paths and user behaviour (scroll depth, time spent)
- Search terms (if available)
- Screen resolution and language settings
- Conversion events (custom events)
The analytics code is embedded on every page of the website and sends data to the Statcounter servers on every visit.
B. Mandatory Disclosures of the Privacy Policy when Using Statcounter
Website operators are obliged to disclose the use of Statcounter in their privacy policy. This is both a GDPR requirement (transparency obligation under Art. 13, 14 GDPR) and a requirement of the Telemedia Act (TMG) and the Telecommunications Digital Services Act (TDDDG).
The privacy policy must contain the following information:
- Name and contact of the provider (Statcounter International Ltd., Dublin, Ireland)
- Processed data types (IP addresses, cookies, browser data, location data)
- Processing purposes (website analysis, visitor counting, behaviour analysis)
- Legal bases (user consent, legitimate interest)
- Retention period (typically 6–24 months)
- Data transfer to the US provider or EU servers (depending on configuration)
- Data subject rights (access, erasure, objection)
- Opt-out options (if available)
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Statcounter
Provider:
- Company name: Statcounter International Ltd.
- Founder & managing director: Aodhan Cullen
- Seat: Dublin, Ireland (EU)
- Website: www.statcounter.com
- Privacy Policy: https://statcounter.com/privacy/
- Data Protection Officer: Available via the website
Statcounter is a European provider based in Dublin, Ireland. This is legally relevant since the provider is established within the EU and the GDPR is therefore directly applicable.
D. Data Processing – Workflow in Steps
1. The website operator integrates the Statcounter JavaScript snippet or a tracking pixel into its website (e.g. in the header or footer).
2. Every time a visitor accesses the website, the script is executed automatically. It captures visitor data such as IP address, browser type, referrer and other data.
3. The captured data is transferred via HTTPS to the Statcounter servers (in Ireland or optionally in the EU).
4. Statcounter stores and processes this data. The standard retention period is typically 6 to 24 months, depending on the customer contract and the data protection configuration.
5. The website operator can log into their Statcounter dashboard and retrieve reports (e.g. visitor numbers, top pages, referrers).
6. After expiry of the retention period, Statcounter deletes the data automatically (or upon request).
E. Data Collected by Statcounter
Statcounter collects the following data types:
Web server log data
- IP addresses (full or anonymised)
- HTTP referrer
- User agent string
- Timestamp of access
Click paths and user behaviour
- Visited pages (PageViews)
- Time spent on the website
- Scroll depth
- Clicked elements (if configured)
- Outbound links
Device data
- Device type (desktop, tablet, smartphone)
- Operating system (Windows, macOS, iOS, Android)
- Screen resolution
- Colour depth
Browser information
- Browser type and version
- JavaScript activation
- Plug-ins (Flash, etc.)
- Language setting
- Time zone
Rough location data
- Country
- State/region
- City
- Time zone
- GPS coordinates (if communicated by the browser and configured)
Conversion events (if configured)
- Custom events (e.g. form submissions, button clicks)
- Goal completions
Cookies and identifiers
- Statcounter sets persistent cookies (typically __sc_prefix) to recognise visitors
- localStorage and sessionStorage (depending on configuration)
This data is not considered personal as long as the IP address is anonymised or hashed and there is no link to identified persons. In practice, however, much of this data is treated as personal, in particular if the IP address is stored.
F. Purposes of Use
Statcounter processes the data mentioned for the following purposes:
Product improvement and analysis
- Analysis of visitor numbers and trends
- Identification of popular pages
- Improvement of website performance
- Optimisation of user experience
Reporting and insights
- Provision of analytics reports for the website operator
- Generation of heatmaps and session recordings (if configured)
- Benchmarking against industry averages
Technical functionality
- Maintenance and monitoring of the service
- Fraud detection and abuse prevention
- Security monitoring
Aggregation and anonymisation (optional)
- Generation of anonymous statistics
- Use for Statcounter's own platform analyses (as provider)
G. Legal Bases for Statcounter
The processing of visitor data by Statcounter is based on different legal bases, depending on the configuration and context:
1. Consent (Art. 6(1)(a) GDPR) – cookies and tracking
For the storage of cookies and the assignment of visitor data to specific persons, explicit consent is generally required. § 25(1) TDDDG also regulates this for cookie banners.
Legal obligation:
- Display cookie banner before code loading
- Obtain consent (not objection)
- Rejection must be just as easy as consent
- Store and prove consent
2. Legitimate interest (Art. 6(1)(f) GDPR) – anonymous statistics
If the IP address is fully anonymised and visits cannot be assigned to individual persons, a legal basis under Art. 6(1)(f) GDPR may be conceivable (the website operator has a legitimate interest in anonymous website analysis).
However: Practical anonymisation is difficult, since IP addresses, often combined with other data (browser, OS, screen resolution), enable identification (fingerprinting).
3. Legal requirement (Art. 6(1)(c) GDPR) – rare
In rare cases, the processing may be justified by a legal obligation (e.g. evidence of website availability for regulated industries).
Practical recommendation: The basis is generally user consent. The website operator should obtain consent before loading the Statcounter code (cookie consent banner).
H. Special Features and Notes on Statcounter
Important points for legally secure use:
- EU seat: Statcounter has its seat in Ireland (EU), therefore no third-country transfers under Art. 44–49 GDPR are required. The data does not leave the EU (unless specifically configured).
- Data Processing Agreement (DPA): A valid DPA must be concluded between the website operator and Statcounter. This is generally available on the Statcounter website and should be signed before use.
- Opt-out options: Statcounter offers an opt-out tool (www.statcounter.com/opt-out/) with which visitors can refuse tracking. This option should be mentioned in the privacy policy.
- Cookie settings: The website operator should check whether the visitor has accepted the cookie categories for tracking (e.g. in a cookie banner) and only then load the Statcounter code.
- IP anonymisation: Statcounter offers the possibility to anonymise or shorten IP addresses. This should be activated in the settings to increase data protection compliance.
- Sub-processor: Statcounter may use sub-processors (e.g. for hosting, data processing). These must be listed in the DPA.
- Data protection notices to visitors: The privacy policy must be retrievable before or immediately after data collection and contain all information under Art. 13 GDPR (if collected directly).
I. FAQ
J. Conclusion and CTA
The use of Statcounter is permissible from a data protection perspective, but requires careful documentation and configuration:
- Obtain consent – load cookie banner before tracking
- Conclude DPA – conclude a Data Processing Agreement with Statcounter
- Activate IP anonymisation – increase data protection
- Update privacy policy – document all points of this guide
- Enable data subject rights – right of access, erasure and objection
- Mention opt-out option – link to www.statcounter.com/opt-out/
A complete, legally secure privacy policy plays an important role for the GDPR compliance of your website.
Note: This guide provides an overview of the data protection requirements. It does not replace individual legal advice. For questions, a specialised data protection lawyer should be consulted.
K. Curator
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com