Privacy policy
1. Introduction
Statsly is built on the principle of collecting as little data as possible. We do not track personal data about your visitors, we set no tracking cookies, and all data is stored in the EU. This policy describes how we process personal data about you as a customer of Statsly.
2. Data controller
The data controller for processing of personal data about Statsly customers is:
Jakob Krogh
Freelance developer
Aalborg, Denmark
Email: hello@statsly.app
3. What data we process
When you create an account
- Email address (required, used for login and service communication)
- Password — stored only as a bcrypt hash, cannot be read by us
- Account creation time
When you use the service
- IP address — stored briefly (up to 1 hour) for rate limiting and abuse prevention
- Session cookies on my.statsly.app — strictly necessary, no tracking
If you are a Business customer
- Name, company name, optional VAT/CVR number, and billing address — necessary for invoicing and tax documentation
- Payment history
Visitor data on your websites
When the Statsly script runs on your website, aggregated and anonymized visitor data is collected: pageview, referrer, browser, OS, device type, country. No IP addresses are stored and no cookies are set. We cannot identify individual visitors, and you are the data controller for this data — we are the data processor. You can request a data processing agreement (DPA) by writing to hello@statsly.app.
4. Purposes and legal basis
- Provision of the service — contractual performance (GDPR art. 6(1)(b))
- Invoicing and tax documentation — legal obligation (Danish tax control law, GDPR art. 6(1)(c))
- Security and abuse prevention — legitimate interest (GDPR art. 6(1)(f))
- Service communication (e.g. important operational notices) — legitimate interest
5. Retention and deletion
- Account data: stored as long as your account exists. On termination, everything is deleted after 30 days.
- IP addresses for rate limiting: up to 1 hour.
- Invoice data: 5 years after the end of the fiscal year they relate to, per Danish tax control law.
- Visitor data (your websites): controlled by you. You can delete it via the dashboard at any time.
6. Recipients and processors
We use the following data processors, all with data processing agreements:
- Brevo (Sendinblue SAS, EU) — transactional email (verification, invoice notifications)
- Cloudflare, Inc. — Turnstile captcha and CDN. Cookie-free.
- EU hosting provider — server operation (Ubuntu + Docker, data in Germany/Denmark)
- Factofly ApS (CVR 39781689, Denmark) — invoicing, payment collection and VAT/tax handling on behalf of Statsly
We do not sell or share personal data with third parties for marketing or other purposes.
7. Transfers outside the EU/EEA
As a rule, no personal data is transferred outside the EU/EEA. Cloudflare's global CDN may in rare cases route static assets through non-EU countries; this happens under Cloudflare's data processing agreement with Standard Contractual Clauses (SCC) as the transfer basis.
8. Your rights
You have the right to:
- Access the personal data we process about you
- Have incorrect or incomplete data rectified
- Have your data erased ("right to be forgotten"), with the exception of data we are legally required to retain (e.g. invoicing data)
- Have processing restricted
- Receive your data in a structured, commonly used format (data portability)
- Object to processing based on legitimate interest
- Withdraw consent, where processing is based on consent
Contact us at hello@statsly.app — we reply within 30 days. You also have the right to complain to the Danish Data Protection Agency.
9. Security
We apply technical and organizational security measures:
- TLS 1.2+ on all traffic
- Passwords hashed with bcrypt (cost 10)
- EU servers with continuous security updates
- Access restricted by least privilege
- No third-party tracking or ads
10. Cookies
Statsly.app uses no tracking cookies. The only cookies that may be set are strictly necessary session cookies on my.statsly.app, which are needed to keep you logged in. These do not require consent under the ePrivacy directive.
When you use the Statsly script on your own website, no cookies are set for your visitors either.
11. Mobile app
The Statsly app for iOS and Android is a client that reads data from your own Statsly account via Umami's API. The app:
- Stores your login token securely in Keychain (iOS) or EncryptedSharedPreferences (Android) — never in plaintext.
- Does not cache your visitor data locally — everything is fetched on demand over HTTPS.
- Uses no third-party analytics, crash reporting or advertising SDKs.
- Does not request access to contacts, photos, location, camera or microphone.
You can delete your account and all associated data via the delete-account page.
12. Changes to this policy
We may update this policy. Material changes are announced by email and on this page at least 30 days before they take effect.
13. Contact
Questions about this policy or our data processing? Write to hello@statsly.app.
Jakob Krogh
Aalborg, Denmark