Skip to main content
Zenovay
Free4 minutesBeginner

Where is my data stored? (Data residency)

Zenovay's primary data is stored in the EU (Frankfurt, eu-central-1) on Cloudflare and Supabase infrastructure. Here's the full picture, including international transfers.

data-residencyeufrankfurtgdprschrems
Last updated:

Short answer: your analytics data lives in the EU. The primary database is hosted by Supabase in Frankfurt (eu-central-1), and edge requests are served by Cloudflare's globally distributed network with EU points-of-presence taking the closest hop for European visitors.

Primary storage: EU (Frankfurt)

The Supabase Postgres database that holds your analytics events, visitor records, websites, team data, and audit log runs in eu-central-1 (Frankfurt, Germany). This is true for every Zenovay customer regardless of plan.

Data committed to Postgres stays in the EU. Backups are encrypted at rest and stored in the same region.

Edge: globally distributed, EU-resident persistence

Tracking requests are served by Cloudflare Workers, which run on the closest available point-of-presence for low latency. The Workers do not persist data — they validate and forward events to the EU primary store. Cloudflare's Frankfurt, Amsterdam, Paris, and London POPs are the typical hops for European traffic.

KV (rate-limit counters, real-time visitor counts) is geographically replicated but treated as ephemeral cache — anything sensitive is hashed before it lands in KV, and KV entries expire on a short TTL.

International transfers

Some of our subprocessors are US-based and process small slices of your data:

  • Stripe (payments) — billing email, payment method metadata. PCI DSS Level 1 certified.
  • Resend (transactional email) — your email address and the message body.
  • OpenAI (the AI insights and chat features, when you use them) — the natural-language query you submit and a redacted slice of the analytics needed to answer it.

For these transfers we rely on:

  • The EU–US Data Privacy Framework (DPF) for Stripe, Resend, and OpenAI (all are DPF-certified).
  • Standard Contractual Clauses (SCCs) as the backup mechanism.

The full subprocessor list and the international-transfer mechanism for each one is published on our DPA / legal page.

What about analytics events themselves?

Visitor events (pageviews, custom events, geolocation, hashed IDs) never leave EU primary storage except in two cases:

  1. When you export them via the dashboard or API — at which point you control where the export lives.
  2. When you opt in to the AI insights feature — a redacted aggregate is sent to OpenAI to generate the explanation, and is not retained for training.

Related articles

Where can I find Zenovay's DPA?

The Data Processing Agreement (DPA) is the contract you sign when you process EU personal data through Zenovay. Here's where to find it and how to execute it.

Data Export for Users

Export visitor data for GDPR data portability requests and compliance requirements. Learn about export in this privacy compliance guide.

Data Retention Policies

Understand Zenovay's two-phase data retention lifecycle, plan-specific retention periods, and how to recover hidden data through upgrades.

Was this article helpful?