Zenovay Help Center

Learn how Zenovay helps you comply with GDPR (General Data Protection Regulation) for your website analytics.

The General Data Protection Regulation is an EU law that:

Protects personal data of EU residents
Requires consent for data collection
Grants data access and deletion rights
Mandates data breach notifications
Imposes significant fines for non-compliance

GDPR applies if you:

Are based in the EU/EEA
Have visitors from the EU/EEA
Offer goods/services to EU residents
Monitor behavior of EU residents

Privacy-First Design

Zenovay is designed with privacy in mind:

Feature	Description
No cookies by default	Can work without cookies
IP anonymization	Hash or truncate IPs
Data minimization	Only collect necessary data
EU data residency	Option for EU-only storage
Data portability	Export visitor data
Right to erasure	Delete visitor data

Data We Collect

Standard Collection (Privacy Mode):
├── Page URL (anonymized)
├── Referrer (domain only)
├── Browser type
├── Device type
├── Country (from IP, then discarded)
└── Session identifier (non-persistent)

Extended Collection (with consent):
├── Full page URL with parameters
├── Full referrer URL
├── User identifier
├── Custom event properties
└── Revenue data

Configuration Options

Privacy Mode

Enable privacy-first tracking in the dashboard:

Go to Settings → Privacy
Toggle Privacy Mode ON
Save changes

Privacy mode:

No cookies used
IP addresses never stored
No cross-session tracking
GDPR compliant without consent

IP Anonymization

IP anonymization is configured in the dashboard:

Go to Settings → Privacy
Find IP Address Handling
Select Full Anonymization (recommended for GDPR) or Partial Anonymization (last octet zeroed)
Save changes

// Only track after consent
if (hasGDPRConsent('analytics')) {
  const script = document.createElement('script');
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
  document.head.appendChild(script);
}

Lawful Basis for Processing

When using full tracking features:

Implement cookie consent banner
Wait for explicit opt-in
Load tracking script after consent
Provide easy opt-out

Legitimate Interest (Article 6.1.f)

When using privacy mode:

Document your legitimate interest
Conduct balancing test
Provide opt-out mechanism
Minimize data collection

Privacy Mode + Legitimate Interest

Legitimate Interest Assessment

Purpose: Understanding website usage to improve user experience

Necessity: Analytics essential for:
  - Identifying broken pages
  - Understanding traffic sources
  - Improving content

Balancing Test:
  - Minimal data collected
  - No personal identification
  - No cross-site tracking
  - Clear privacy policy
  - Easy opt-out available

Conclusion: Legitimate interest applies in privacy mode

Right to Information (Article 13/14)

Provide clear privacy policy:

## Analytics Data Collection

We use Zenovay Analytics to understand how visitors
use our website. We collect:

- Pages visited
- Time spent on pages
- Browser and device type
- Country (from IP address, then discarded)

We do not:
- Use tracking cookies
- Store IP addresses
- Track across websites
- Sell data to third parties

Data is stored in the EU and retained for [X] months.

Right of Access (Article 15)

Users can request their data:

User submits request
You identify their data in Zenovay
Export via the dashboard or API
Provide within 30 days

Via Dashboard: Go to Settings → Privacy → Data Export, enter the user identifier, and generate an export.

Via API:

# Retrieve analytics data for a website (filter by visitor as needed)
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
  -H "X-API-Key: zv_YOUR_API_KEY"

Right to Erasure (Article 17)

Delete user data on request:

User requests deletion
Identify their visitor ID
Delete via the dashboard
Confirm deletion

Via Dashboard: Go to Settings → Security → Data Deletion, enter the user or visitor identifier, and confirm deletion.

See Right to Erasure for details.

Right to Restriction (Article 18)

Pause processing while dispute is resolved:

Via Dashboard: Go to Settings → Security → Data Restrictions to restrict processing for a specific visitor. This pauses data collection and hides existing data until the restriction is lifted.

Right to Data Portability (Article 20)

Export data in machine-readable format:

Via Dashboard: Go to Settings → Privacy → Data Export, enter the user identifier, choose JSON or CSV format, and generate the export.

Via API:

# Retrieve analytics data in JSON format
curl -X GET "https://api.zenovay.com/api/external/v1/analytics/{websiteId}/visitors" \
  -H "X-API-Key: zv_YOUR_API_KEY"

Data Processing Agreement

When Required

A DPA is required when Zenovay processes data on your behalf.

Getting a DPA

Go to Settings → Legal
Click Data Processing Agreement
Review terms
Sign electronically
Download copy

DPA Contents

Our DPA includes:

Subject matter and duration
Nature and purpose of processing
Types of personal data
Categories of data subjects
Rights and obligations
Sub-processor list
Security measures
Audit rights

EU Data Residency

Data Location

By default, data may be stored in:

European Union (Frankfurt)
United States (with SCCs)

EU-Only Storage

Enterprise plans can restrict to EU:

Go to Settings → Privacy
Enable EU Data Residency
All data stored in EU only

Zenovay integrates with:

Cookiebot
OneTrust
Osano
Termly
Custom solutions

Cookiebot Example

window.addEventListener('CookiebotOnAccept', function() {
  if (Cookiebot.consent.statistics) {
    loadZenovay();
  }
});

function loadZenovay() {
  const script = document.createElement('script');
  script.src = 'https://api.zenovay.com/z.js';
  script.setAttribute('data-tracking-code', 'YOUR_TRACKING_CODE');
  document.head.appendChild(script);
}

OneTrust Example

OneTrust.OnConsentChanged(function() {
  if (OnetrustActiveGroups.includes('C0002')) { // Performance
    loadZenovay();
  }
});

Documentation Requirements

Privacy Policy

Include:

What data you collect
Why you collect it
How long you keep it
Who has access
User rights
How to opt out

Records of Processing

Maintain documentation:

Categories of data
Purpose of processing
Data retention periods
Security measures
Sub-processors used

If using cookies:

List all cookies
Explain purpose
State duration
Link to opt-out

Compliance Checklist

Technical Measures

Enable privacy mode or get consent
Configure IP anonymization
Set appropriate data retention
Implement consent integration
Enable EU data residency (if needed)

Legal Measures

Organizational Measures

Train team on GDPR
Appoint DPO (if required)
Establish breach procedures
Regular compliance audits

Enforcement and Fines

Potential Penalties

Tier	Maximum Fine	Examples
Lower	€10M or 2% revenue	No DPA, poor records
Higher	€20M or 4% revenue	No consent, ignoring rights

Recent Enforcement

Analytics-related fines have been issued for:

Transferring data to US without safeguards
No valid consent for analytics
Ignoring opt-out requests

Best Practices

Start with Privacy Mode

Enable privacy mode and full IP anonymization in the dashboard under Settings → Privacy. This gives you minimal tracking without requiring consent. Your script tag stays simple:

<!-- Minimal tracking, no consent needed -->
<script
  defer
  data-tracking-code="YOUR_TRACKING_CODE"
  src="https://api.zenovay.com/z.js"
></script>

Don't pre-check consent boxes
Make rejection as easy as acceptance
Allow granular choices
Remember preferences
Allow withdrawal

Regular Reviews

Audit data collection quarterly
Review sub-processors annually
Update policies when changes occur
Test data subject request handling

GDPR Compliance Overview

What is GDPR?

Who Does GDPR Apply To?

Zenovay's GDPR Compliance