Widgets Tracking Widget Privacy & Data

Privacy & Data Policy

Tracking Widget — Website-Kit Platform
Last updated: April 2026

This page describes how the Website-Kit Tracking Widget collects, processes, and stores data about visitors to websites that embed it. Website operators can link to this page from their own privacy policies to inform their users.

1. Data Controller

The Website-Kit Tracking Widget is operated by Website-Kit. The widget is embedded by independent website operators ("customers") who are responsible for informing their own users about data processing in accordance with applicable law. Website-Kit acts as a data processor on behalf of the website operator.

2. What Data Is Collected

When a visitor loads a page that embeds the Tracking Widget, the following information is transmitted to Website-Kit servers:

  • Page URL — the address of the visited page (without query parameters containing personal data)
  • Referrer URL — the page the visitor came from, if available
  • Browser & operating system — derived from the User-Agent string (e.g. "Chrome 124 / Windows")
  • Screen resolution — used for display statistics
  • Country — derived from the anonymized IP address (see below)
  • Session identifier — a randomly generated, non-personal token stored in the browser (localStorage or cookie) to distinguish sessions
  • Custom events — optional events that the website operator has explicitly configured (e.g. button clicks)

No personal information such as names, email addresses, or login credentials is ever collected.

3. IP Address Anonymization

IP addresses are anonymized immediately upon receipt.

The last octet of every IPv4 address (and the last 80 bits of every IPv6 address) are removed before any processing or storage takes place. The full IP address is never written to disk.

Example: 192.168.1.42 becomes 192.168.1.0

The anonymized IP is used solely to derive the visitor's country and is then discarded. It is not used for fingerprinting, profiling, or any cross-site identification.

4. Data Aggregation & Retention

Raw event records are stored only temporarily and are subject to strict retention limits:

Data type Retention period Notes
Raw event records Max. 30 days Automatically deleted after aggregation
Aggregated daily statistics Per subscription plan Fully anonymous, no personal data
Session tokens (browser) Session / 30 min Stored in visitor's browser only
IP addresses Never stored Anonymized before any storage

Each night, an automated aggregation process reads raw events and computes anonymous statistics (page views, sessions, countries, browsers, etc.). After aggregation, raw detail records are deleted. What remains are only aggregate counts — no individual visitor records.

5. Hosting Location & Legal Basis

100% hosted in Germany — within the European Union

All data is processed and stored exclusively on servers located in Germany. German and EU data protection law — including the General Data Protection Regulation (GDPR) — applies in full. This represents the highest standard of data protection available within the European Union.

No data is transferred to third countries outside the EU/EEA.

The legal basis for processing visitor data is the website operator's legitimate interest in understanding how their website is used (Art. 6(1)(f) GDPR), provided that the operator has included appropriate disclosure in their own privacy policy. Operators are advised to consult their legal counsel regarding their specific obligations.

6. Cookies & Local Storage

The Tracking Widget stores a randomly generated session identifier in the visitor's browser using either localStorage or a first-party cookie (depending on configuration). This identifier:

  • Contains no personal information
  • Is generated fresh for each browser/device
  • Is used solely to distinguish individual sessions and avoid double-counting page views
  • Expires at the end of the session or after 30 minutes of inactivity
  • Is never shared with third parties

Because the widget does not use tracking cookies for advertising, profiling, or cross-site identification, it can typically be classified as a technically necessary / analytics cookie under ePrivacy and GDPR guidance. Website operators should verify this classification for their own jurisdiction.

7. Third-Party Sharing

Website-Kit does not sell, share, or transfer visitor data to any third parties. Data is used exclusively to provide analytics to the website operator who has embedded the widget.

8. Visitor Rights

Because raw event data is aggregated and anonymized within 30 days and no persistent personal identifiers are stored, it is technically not possible to identify or isolate data belonging to a specific individual after aggregation. For requests regarding data collected before aggregation, visitors may contact the website operator who is the data controller for their site.

9. Contact

For questions about data processing by Website-Kit as a platform, please contact us via the details in our Imprint.

Back to Tracking Widget