Understanding Roles: You vs. Us
Infinity Metrics is a self-hosted analytics software.
This means you (our customer) install and run the software on your own
servers. Consequently:
-
You are the Data Controller for the website visitor
data collected through your installation of Infinity Metrics.
-
We (Infinity Metrics, the company) are the Data Processor
only for the limited personal data we collect directly from you (our
customer) via our website (getinfinitymetrics.com) for account management
and payment processing (see our Privacy Policy).
-
We do not process, store, or have access to the website
visitor data collected by your self-hosted instance of Infinity Metrics.
This page explains how the design of the Infinity Metrics software
helps you meet your GDPR obligations as a Data Controller for the analytics
data you collect.
How the Software Design Aids Compliance
Infinity Metrics is designed with privacy at its core, making GDPR
compliance simpler for website owners using our self-hosted software.
No Cookies, No Consent Banners Needed (for Analytics)
Traditional analytics tools often use persistent cookies, requiring
consent banners under GDPR. The Infinity Metrics software avoids this:
-
Zero cookies used by the software - The tracking script
does not set cookies on your visitors' browsers for analytics purposes.
-
Consent banners often not required for analytics - Since
the software doesn't use cookies or collect personal data (when configured
correctly), you likely don't need specific cookie consent banners *for
the analytics function*. You may still need banners for other cookies
or tracking used on your site.
-
Focus on User Experience - Helps you avoid intrusive
consent popups related to analytics tracking.
Note: While the software avoids cookies, you, as the Data
Controller, must still ensure your overall data collection practices comply
with GDPR, including providing transparency in your site's privacy policy.
How the Software Protects Visitor Personal Data
The Infinity Metrics software is designed to minimize the collection
of personal data as defined by GDPR:
-
Designed for minimal data collection - The software
aims to collect only aggregated, anonymized metrics necessary for understanding
website trends.
-
IP address anonymization - IP addresses are used briefly
for country-level geolocation, then immediately hashed (using a salt
unique to your installation) and discarded. The original IP is never
stored permanently by the software. This hashing process is one-way and
designed to prevent re-identification.
-
No cross-site tracking - The software operates only
on the site where you install it. It does not track users across different
websites.
-
No persistent user identifiers - The software generates
user signatures based on IP address (anonymized) and User-Agent, salted
uniquely per day per site. This prevents long-term tracking of individuals
across days.
-
Focus on aggregated metrics - The primary output is
anonymized, aggregated data (e.g., page views, visitor counts, session
duration) that cannot reasonably be used to identify individuals.
Software's Technical Approach to Privacy
How Infinity Metrics Works Without Cookies
Instead of cookies, the software uses a privacy-preserving method to
distinguish visits within a limited timeframe:
-
Daily Anonymous Signatures - For each visitor on a
given day, a unique signature is generated using their anonymized IP
address, User-Agent string, and a site-specific, daily-rotating salt.
This allows distinguishing unique visits within a day without long-term
tracking.
-
One-way hashing - This signature is created using
a secure, one-way hash function. It's mathematically infeasible to
reverse the hash to get the original IP or User-Agent data.
-
Not stored on device - No identifiers are stored on
the user's device by the analytics script.
-
Session Calculation - Sessions are calculated based
on the time between events from the same daily anonymous signature,
typically resetting after 30 minutes of inactivity.
How the Software Handles IP Addresses
IP addresses must be handled carefully under GDPR. Here's the
software's process:
-
IP address is briefly held in memory for country lookup (if
enabled).
-
IP is immediately hashed using a secure one-way algorithm combined
with a unique, daily-rotating salt specific to your website
installation.
-
Original IP address is permanently discarded and never stored on
disk.
-
The hash cannot be reversed to reveal the original IP address.
-
The use of a unique, daily-rotating salt for each installation
makes pre-computed attack methods like rainbow tables infeasible.
Recovering the original IP from the hash is computationally
impractical with current technology, estimated to take decades or
longer.
-
Neither you nor we can access the original visitor IP addresses
from the stored data.
Data Processed by Your Infinity Metrics Installation
Data Type |
How It's Processed |
GDPR Consideration (for Customer) |
Country |
Derived from IP during processing, then IP is discarded |
Generally not personal data when aggregated |
Browser & OS |
Extracted from User-Agent string (e.g., "Chrome", "Windows") |
Generally not personal data when aggregated |
Page Views |
Counted anonymously by URL path |
Not personal data |
Referrer Source |
Recorded as domain name (e.g., "google.com") |
Generally not personal data |
Device Type |
Categorized as mobile, tablet, or desktop |
Not personal data |
Session Duration |
Calculated based on time between events linked by daily
anonymous signature |
Not personal data when aggregated |
UTM Parameters |
Extracted from URL query strings (e.g., utm_source) |
Potentially personal data if misused; customer responsibility |
Custom Events |
Data defined and sent by the customer via the SDK |
Potentially personal data depending on what is sent; customer
responsibility |
Important: You, the customer, are responsible for ensuring
that you do not configure custom events or use UTM parameters in a way
that sends personal data to your Infinity Metrics instance unless you have
a valid legal basis and meet necessary GDPR requirements (like consent,
if applicable).
GDPR Rights and Your Visitors (Data You Collect)
GDPR grants individuals rights regarding their personal data. Because
the Infinity Metrics software is designed *not* to collect personal
data that identifies individuals:
-
Right to access / rectification / erasure ('to be forgotten') - Since no identifiable personal data is stored by the software's default
configuration, there is typically no personal data for visitors to access,
correct, or delete from the analytics system.
-
Right to data portability - Aggregated, anonymous data
is not subject to portability requirements.
-
Right to object to processing - Visitors can typically
object by using browser privacy settings (like Do Not Track, which Infinity
Metrics can be configured to respect) or browser extensions that block
tracking scripts.
You must inform visitors about the analytics data you collect (even if
anonymous) in your website's privacy policy and explain how they can
exercise their rights, potentially including how to opt-out of
tracking if you offer such a mechanism.
Your Responsibilities as a Data Controller
While the Infinity Metrics software aids compliance, as the Data
Controller for your visitor data, you must:
-
Maintain a clear Privacy Policy: Inform your visitors
that you use analytics, what data is collected (even if anonymous), why,
and that it's hosted on your servers. Explain the privacy measures taken
(like IP anonymization).
-
Ensure Lawful Basis: Determine your legal basis for
processing analytics data (likely Legitimate Interest for anonymous,
aggregated data, but potentially Consent if you collect identifiable
data via custom events/UTMs).
-
Configure Responsibly: Ensure you do not configure custom
events or use UTM parameters to collect personal data without a proper
legal basis and disclosures.
-
Secure Your Server: Protect the server hosting your
Infinity Metrics installation and the collected data according to security
best practices.
-
Data Processing Agreement (DPA): Since we (Infinity
Metrics, the company) do not process your visitors' data, a DPA between
you and us is generally not required *for that data*. You may need DPAs
with your hosting provider or other processors.
Data Processing by Us (Infinity Metrics, the Company)
Separately from the data you collect with your self-hosted instance,
we, Infinity Metrics (the company), act as a Data Controller for the
personal data we collect directly from our customers (you) and
visitors to our website (`getinfinitymetrics.com`). This includes:
-
Account Information: Name, email address, company details
provided during sign-up or purchase. Legal basis: Performance of Contract.
-
Payment Information: Processed via Stripe (our payment
processor). We do not store full credit card details. Legal basis: Performance
of Contract.
-
Website Analytics (`getinfinitymetrics.com`): We use
our own Infinity Metrics software to collect anonymous, aggregated statistics
about visitors to our website. This includes page views, referrers, device
types, country, etc., using the same privacy-preserving techniques described
above (no cookies, IP anonymization). Legal basis: Legitimate Interest.
-
Communication Data: Information you provide when contacting
us for support or inquiries. Legal basis: Legitimate Interest, Performance
of Contract.
We process this data in accordance with our Privacy Policy. We implement appropriate technical and organizational measures to
protect this data.
Sample Privacy Policy Statement (For Your Website)
You can adapt the following text for your website's privacy policy:
"We use Infinity Metrics, a self-hosted web analytics software, to
collect anonymous statistics about how visitors use our website.
We host this software on our own servers, meaning no third-party
company (including the makers of Infinity Metrics) has access to
this data.
This analytics service does not use cookies. It collects
anonymized information such as page views, approximate session
duration, referral sources (the website you came from), general
browser and device type (e.g., Chrome on Desktop), and
country-level location derived from your IP address. Your IP
address is anonymized immediately upon processing and the original
IP is never stored.
We use this aggregated data solely to understand website traffic
patterns and improve our website's performance and content. We
cannot identify you or track your specific browsing habits across
different websites using this data. The legal basis for this
processing is our legitimate interest in understanding and
improving our website."
Legal Basis for Your Analytics Processing
As the Data Controller for the analytics data you collect using your
self-hosted Infinity Metrics instance, you need a legal basis under
GDPR.
-
Legitimate Interest: For collecting anonymous, aggregated
website statistics (like page views, browser types, country), Legitimate
Interest is often the appropriate legal basis. You must balance this
interest against the rights and freedoms of your visitors (which are
minimal when data is truly anonymous). You should document this assessment
(LIA).
-
Consent: If you configure Infinity Metrics (e.g., via
custom events or UTM parameters) to collect data that could be considered
personal data, or if required by specific local laws (like ePrivacy Directive
nuances), you may need to obtain explicit consent *before* collecting
that data.
Consult with legal counsel to determine the appropriate legal basis
for your specific implementation and data collection practices.
Conclusion
The Infinity Metrics software is engineered to facilitate GDPR
compliance for website analytics by minimizing data collection,
avoiding cookies, and anonymizing potential identifiers like IP
addresses. However, as a self-hosted solution, ultimate responsibility
for GDPR compliance rests with you, the customer, as the Data
Controller for the data you collect on your servers. Ensure you
understand your obligations, maintain a transparent privacy policy,
and configure the software responsibly.