Stats
Features Pricing
🇵🇱 Polski 🇬🇧 English
Login Sign up

Privacy Policy

Last updated: 2026-06-03

Operator of the Stats service ("Operator", "we"): Sterta.pl Jarosław Krawczyk, al. Sybiraków 2, 10-257 Olsztyn, Poland, Tax ID (NIP) 582-117-20-35. Contact: see the Contact page.

1. Data controller

The controller of Users' (account holders') personal data is the Operator named above. For privacy matters, use the Contact page.

For data collected via the tracking script on the User's websites, the User is the controller and the Operator acts as a processor.

2. What data we process

2.1. Account data

  • email address, optionally company name,
  • hashed password (we never store plaintext passwords),
  • billing and invoice data (if VAT invoices are selected),
  • record of Terms/Privacy acceptance (date + version), login and security logs.

2.2. Analytics data (privacy-friendly)

  • The Service is cookieless – it does not use cookies that identify visitors or persistent identifiers,
  • a visit identifier is derived from technical data (e.g. hashed IP + browser) and rotates every 24h,
  • we do not store full IP addresses in an identifying manner, nor sensitive visitor data,
  • we collect aggregated data: pageviews, sources, country/region, device, events.

3. Purposes and legal bases (GDPR)

  • providing the Service and account handling – Art. 6(1)(b) (contract),
  • billing and accounting obligations – Art. 6(1)(c) (legal obligation),
  • security, abuse prevention, Service improvement – Art. 6(1)(f) (legitimate interest),
  • marketing communication, where granted – Art. 6(1)(a) (consent).

4. Retention

The selected Plan's retention primarily defines how much analytics history is visible in the dashboard, reports and exports (from 30 days to several years). After a Plan expires, a grace period applies, after which older data may no longer be available in the dashboard. Physical cleanup of analytics stores, logs and technical backups runs asynchronously according to system retention, TTL mechanisms and backup policy. Account data is kept until account deletion; billing data is kept for the period required by law.

5. Recipients and processors

We use trusted providers acting on our behalf: hosting/infrastructure and payment providers (Stripe, PayU, Paddle) for payments and invoicing. We share only the data necessary to deliver these services.

The full, current list of processors handling data collected via the script on the User's websites is available in the Data Processing Agreement (DPA).

6. Transfers outside the EEA

If a provider processes data outside the European Economic Area, it is based on appropriate safeguards (e.g. EU Standard Contractual Clauses).

7. Your rights

You have the right to access, rectify, erase, restrict processing, data portability and to object. You may also lodge a complaint with a supervisory authority. To exercise your rights, use the Contact page.

8. Cookies and browser storage

The analytics script deployed on the User's websites does not set cookies and does not use persistent visitor identifiers. Browser local storage (localStorage) is used only when the User intentionally enables the identification feature (identify()) — in which case a single key (_stats_vid) is stored; for ordinary, anonymous traffic this storage is not used.

In the User panel and dashboard we use only strictly necessary session/functional cookies (login, preferences, theme). We do not use third-party marketing or profiling cookies.

9. US residents (CCPA/CPRA)

This section applies to residents of California and, where applicable, other US states with similar laws.

Categories of data collected: account data (email, optional company name, billing data) and privacy-friendly analytics data (technical and event data, without persistent visitor identification). Sources: directly from the User and automatically from the analytics script. Purposes and legal bases are described in sections 2–3.

We do not sell or share personal information as defined by the CCPA/CPRA, and we do not use sensitive personal information for purposes other than providing the Service.

Your rights: the right to know (what we collect and why), access, delete, correct, opt out of the "sale/sharing" of data, limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights.

How to exercise: submit a request via the Contact page. We verify requests using account data; an authorized agent may also submit a request on your behalf. We respond within the timeframes required by law (generally within 45 days).

10. Security

We apply technical and organizational measures (e.g. encrypted connections, password hashing, access control, data minimization). No system, however, is 100% secure.

11. Changes to this Policy

We may update this Policy. We will inform about material changes, and the current version with its date is always available on this page.

12. Contact

For privacy matters, use the Contact page.

© 2026 Stats. All rights reserved.

Terms of Service Privacy Policy DPA Contact | Polski English