Data protection

Thanks to the data protection-friendly default settings, etracker analytics is GDPR-compliant by default. The required data processing agreement (DPA) is automatically concluded when you create an account or place a written order. In addition, you must refer to the use of etracker in your privacy policy on your website and offer an opt-out. For this purpose, we provide a text with an opt-out button in your account: Data protection → Data protection notice.

You can contact our Data Protection Officer or our Privacy Manager Elke Hollensteiner. The best way to reach both is at privacy@etracker.com.

Only the active reading of information stored on the user’s device using JavaScript requires consent. The guidance issued by the supervisory authorities for telemedia providers from December 1, 2021 (OH Telemedien 2021) states that

“In contrast, it is already considered access to information on end users’ end devices if the properties of an end device are actively read out – for example using JavaScript code – and transmitted to a server for the creation of a fingerprint.”

Although JavaScript code is used in event or eCommerce tracking, no information is read from the end device, but instead information about elements or metadata about the content of the website is recorded: Which elements were clicked on? Which products were placed in the shopping cart? And so on. However, no JavaScript code is used to collect data about the end device. Likewise, no browser fingerprinting is used in the sense of the orientation aid:

“Browser fingerprinting is now also frequently used. This refers to the process of creating a unique and long-lasting (hash) value or image on the server side as the result of a mathematical calculation of browser information, such as screen resolutions, operating system versions or installed fonts.” The etracker session token procedure is explicitly designed to exclude long-lived identifiers or hash values by adding character strings that change daily to the session identifiers. Uniqueness is also not ensured by shortening the IP address beforehand and re-identification or targeted re-targeting of certain users is excluded.

The Technical and Organizational Measures are part of the Data Processing Agreement (DPA) and are attached to it as Annex 1. You can access the DPA with the TOMs at any time in your account: Settings → Data processing agreement.

You can access the data processing agreement (DPA) concluded with etracker in your account at any time. You can also find the date of consent here. Log in to your account and go to: Settings → Data processing agreement.

Yes, the data protection notice is also available in English. Set the language of the account under Profile → My data → Display and language to English, or use the language switcher at the bottom of the drop-down menu.

As soon as this is done, the data protection notice will be available in the account in English: Privacy → Data protection notice.

If the opt-out button is not displayed after inserting the opt-out option provided by us, please check whether the etracker tracking code is implemented on the page on which the opt-out button is to be displayed. It is also possible that JavaScripts are blocked by the browser, add-ons or CMS.

If the opt-out button from the account cannot be displayed or inserted in the privacy policy, alternatives can be viewed here: https://help.etracker.com/article/datenschutzhinweis/

The “Account” menu item is only available to users with administration rights.

In the etracker script, the setting of cookies is prevented by the attribute data-block-cookies with the value true. You can see whether the cookie-less version is installed on your website in the etracker code on the web pages: If data-block-cookies="true" is already set, etracker will not set any cookies by default.

By default, the reports in etracker analytics only contain anonymized data. The IP address, which is necessarily transmitted during Internet connections, is shortened as early as possible in the memory of the data acceptance server and thus anonymized. According to the definition of the General Data Protection Regulation, anonymization already constitutes processing. In this respect, there is no web analysis without the processing of personal data.

Due to the very broad definition of Art. 4 No. 1, 13, 14 and 15 GDPR, the following additional data may be considered personal data:

• User IDs: randomly generated values (example: 108bf9a85547edb1108bf9a85547edb1), which can be stored in cookies with the user’s consent
• Device identifiers, only if app tracking is used
• Identifiers optionally provided by the client or contained in the website including the URL

Links from marketing platforms or URLs after a login often contain identifiers of the respective advertising services. URL parameters are not recorded by etracker analytics by default. We have also implemented various mechanisms to anonymize even supposed identifiers in the actual URL. In its judgment of 09.11.2023 in case C-319/22, the ECJ also ruled that such identifiers are only considered personal if the data recipients can reasonably be expected to have means at their disposal that allow the identifiers to be assigned to an identified or identifiable natural person.

The personal data stored as part of our contractual relationship will be deleted 90 days after the end of the contract, unless longer storage is required in order to comply with statutory retention periods.

The aggregated reporting data are purely statistical evaluations that do not contain any personal data. These will be deleted after termination of the contractual relationship. However, the etracker customer can also delete the data in their account at any time before this: Integration→ Statistics Reset.

Raw data is deleted as standard at intervals after the contractually agreed retention period of 13 months has expired.