GDPR Compliance

Ovyxa is fully compliant with the EU General Data Protection Regulation (GDPR). This page explains our legal basis, what data we process, and your rights.

Legitimate Interest (Article 6(1)(f) GDPR)

Our strict mode operates under legitimate interest as the legal basis:

  • Purpose: Audience measurement and website analytics
  • Necessity: Data collected is minimal and necessary for analytics
  • Balancing test: Visitor privacy rights outweigh our interests, so we:
    • Don't collect PII
    • Don't track across sites
    • Don't store IP addresses
    • Provide aggregated data only

This approach has been validated by the French CNIL and other EU authorities for similar privacy-first analytics.

Contract Performance (for our customers)

When you use Ovyxa as a customer:

  • Legal basis: Article 6(1)(b) - necessary for service delivery
  • We process your account data to provide the analytics service

Data We Process

End-User (Visitor) Data

When someone visits a website using Ovyxa:

Data Point     Purpose                    Retention               Stored?
Page URL       Track pageviews            6-24 months             Yes
Referrer       Identify traffic sources   6-24 months             Yes
IP Address     Derive country only        0 (RAM only)            No
User-Agent     Identify browser/device    0 (parsed, discarded)   No (categories only)
Country Code   Geographic analytics       6-24 months             Yes
Browser Type   Technical analytics        6-24 months             Yes
Device Type    Technical analytics        6-24 months             Yes
OS Family      Technical analytics        6-24 months             Yes
Timestamp      Temporal analytics         6-24 months             Yes

Customer (Account) Data

When you create an Ovyxa account:

  • Email address (authentication, billing, support)
  • Account name (identification)
  • Payment information (handled by Stripe; we don't store credit card details)
  • Usage data (plan limits, billing)

Retention: Duration of account + 7 years (tax/legal requirements)

What We DON'T Collect

Explicitly excluded from collection:

  • Personally identifiable information (names, emails of visitors)
  • Precise geolocation (city, postal code, coordinates)
  • Full IP addresses
  • Cross-site identifiers
  • Biometric data
  • Behavioral profiles
  • Any special category data (Article 9)

Data Subject Rights

Under GDPR, individuals have the following rights:

Right of Access (Article 15)

For website visitors:

  • We don't store PII, so there's no personal data to access
  • All data is aggregated and anonymous

For Ovyxa customers:

  • Log in to view all your account data
  • Export your analytics data anytime
  • Contact us for a complete data export

Right to Rectification (Article 16)

Customers: Update your account details in settings

Visitors: No personal data stored to rectify

Right to Erasure (Article 17)

Customers:

  • Delete your account in Settings
  • All associated data will be deleted within 30 days
  • Anonymized analytics may remain (no personal link)

Visitors:

  • No personal data stored, nothing to erase
  • Site owners can delete all analytics for their site

Right to Restriction (Article 18)

Contact us to restrict processing of your customer data while disputes are resolved.

Right to Data Portability (Article 20)

Export your analytics data in machine-readable formats:

  • CSV export
  • JSON export via API
  • Available for all customers

Right to Object (Article 21)

Website visitors:

  • Use Do Not Track (DNT) browser setting (honored by Ovyxa)
  • Use ad blockers (we don't circumvent them by default)
  • Contact site owner to request exclusion

Customers:

  • Delete your account to stop all processing

Data Transfers

No Third-Country Transfers

  • All data stored in EU/EEA data centers
  • No transfers to USA, UK, or other third countries
  • All sub-processors are EU-based (see below)

Sub-Processors

We use the following sub-processors (all EU-based):

Service Provider   Purpose                  Location       Safeguards
OVHcloud           Infrastructure hosting   France         GDPR-compliant DPA
Scaleway           Infrastructure hosting   France         GDPR-compliant DPA
Stripe             Payment processing       EU instances   Standard Contractual Clauses

Complete sub-processor list maintained at: [ovyxa.com/subprocessors]

Data Protection Measures

Technical Measures

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: Full disk encryption (AES-256)
  • Access control: Role-based access, 2FA for staff
  • Pseudonymization: IP addresses hashed if used, never stored raw
  • Data minimization: Only essential fields collected

Organizational Measures

  • Data Protection Officer: Available for GDPR inquiries
  • Staff training: All staff trained on GDPR compliance
  • Access logging: All data access logged and audited
  • Incident response: 72-hour breach notification process
  • Regular audits: Annual compliance reviews

Data Processing Agreement (DPA)

All Ovyxa customers act as Data Controllers for their website analytics data.

Ovyxa acts as a Data Processor on behalf of customers.

We provide a Data Processing Agreement that includes:

  • Scope and purpose of processing
  • Data security obligations
  • Sub-processor management
  • Data subject rights assistance
  • Breach notification procedures
  • Audit rights

Download our DPA template or contact sales@ovyxa.com for a signed copy.

Records of Processing Activities

We maintain detailed records as required by Article 30:

  • Name and contact details of controller/processor
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Data retention periods
  • Security measures description

Available upon request from regulatory authorities.

Data Protection Impact Assessment (DPIA)

We've conducted a DPIA for our core analytics processing:

Assessment:

  • Systematic monitoring: Yes (analytics)
  • Large scale: Potentially yes
  • Sensitive data: No
  • Innovative technology: No

Risk level: Low

Rationale:

  • No PII collected
  • No profiling or automated decisions
  • Aggregated data only
  • Strong technical safeguards

Full DPIA available upon request for enterprise customers.

Breach Notification

In the unlikely event of a data breach:

  1. Detection: Automated monitoring and alerting
  2. Assessment: Within 24 hours of detection
  3. Notification to authority: Within 72 hours (if required)
  4. Notification to customers: Without undue delay (if high risk)
  5. Documentation: All breaches logged regardless of severity

Contact: security@ovyxa.com

Exercising Your Rights

For Website Visitors

If you visited a website using Ovyxa:

  1. Contact the website owner (they control the data)
  2. Use browser settings (DNT, ad blockers)
  3. Ovyxa doesn't store your personal data

For Ovyxa Customers

To exercise your rights:

  1. Email: privacy@ovyxa.com
  2. In-app: Account Settings > Privacy & Data
  3. Mail: Ovyxa SAS, [Address], France

We respond within 30 days (GDPR requirement).

Supervisory Authority

Our lead supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Address: 3 Place de Fontenoy, 75007 Paris, France
  • Website: cnil.fr
  • Phone: +33 1 53 73 22 22

You have the right to lodge a complaint with CNIL or your local data protection authority.

Children's Privacy

Ovyxa does not knowingly collect data from children under 16. Website owners are responsible for compliance with local age restrictions.

Changes to This Policy

We will notify customers of material changes to our data processing:

  • Email notification (30 days advance notice)
  • In-app notification
  • Updated version number and "last updated" date

Contact Us

Data Protection Officer:

  • Email: dpo@ovyxa.com
  • Mail: Ovyxa SAS, ATTN: DPO, [Address], France

General Privacy Questions:

We're committed to transparency and compliance. If you have questions about our GDPR compliance, please reach out.