First, let’s answer the two obvious questions:
- BytesMatter does not collect any personally identifiable information (PII)
There are no tricks here. We do not try to hide information on the user’s device, as that would be considered personal data by GDPR.
But you’re all about web and performance analytics. How do you process meaningful information?
When a good pattern has been developed, and that good pattern has been developed in the open (source), then we see no need to reinvent the wheel.
The folks at Plausible (who are building an alternative to Google Analytics) came up with the pattern we have also implemented.
In short, in order to group page views into unique visitors, we generate a random string based on data that browsers send with every request:
- The URL of the requested page
- The IP address
- The user-agent string
To this we add a daily dose of salt. What? A salt is basically another random string we generate EACH DAY.
So, we take these 4 pieces and use them to generate a hash, which is essentially a random string with the following properties:
- Given the same input in the same order it will produce the same string
- This string cannot be “undone” to identify the individual parts that make it up
Think of a hash as a cake, made up of ingredients. Preparing the cake each time with the same ingredients will produce the same cake, but the cake cannot be undone to get back to the original ingredients.
This gives us a way to analyse how users interact with your site without actually knowing anything about those users.
Daily dose of salt?
As mentioned, we include a random string as part of the hash. We change this random string, or salt, every day, and because it is one of the ingredients of the hash, a user visiting the site on two different days will appear to you as 2 unique visitors. This makes it even harder to identify real users (using, for example, behavioural patterns). For the purposes of our analytics, we don’t need to track user behaviour over multiple days or sessions, so that works just fine for us.
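The hash and the daily salt described above, as an added sketch that is not BytesMatter's or Plausible's own code. It assumes HMAC-SHA-256 as the hash, an in-memory salt that is overwritten when the day changes, and length-prefixed fields; the names `DailySalt`, `visitor_id` and `demo` are hypothetical and the request values are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySalt:
    """One random salt per calendar day, held in memory only (assumption)."""

    def __init__(self):
        self._day = None
        self._salt = b""

    def for_day(self, day: date) -> bytes:
        if day != self._day:
            # New day: overwrite the old salt, so yesterday's visitor
            # strings can no longer be recomputed from request data.
            self._day = day
            self._salt = secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, url: str, ip: str, user_agent: str) -> str:
    """Hash the three request fields, in a fixed order, keyed with the salt."""
    mac = hmac.new(salt, digestmod=hashlib.sha256)
    for field in (url, ip, user_agent):
        data = field.encode("utf-8")
        # Length prefix: without it ("ab", "c") and ("a", "bc") would
        # concatenate to the same bytes and give the same string.
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()


def demo():
    """Same constructed request hashed twice on day 1 and once on day 2."""
    salts = DailySalt()
    request = ("https://example.test/pricing", "203.0.113.7",
               "Mozilla/5.0 (constructed sample)")
    day1 = salts.for_day(date(2024, 1, 1))
    first = visitor_id(day1, *request)
    repeat = visitor_id(day1, *request)
    day2 = salts.for_day(date(2024, 1, 2))
    next_day = visitor_id(day2, *request)
    return first, repeat, next_day


if __name__ == "__main__":
    first, repeat, next_day = demo()
    print("same day, same string:     ", first == repeat)
    print("next day, different string:", first != next_day)
```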
Out with the old
On top of this, each day we delete data that is outside of the retention window you signed up for + 7 days. After this we only retain aggregations for monitoring trends in performance and related user behaviour.
So in summary:
- no cookies, or any data stored on user devices
- no PII stored on our (EU-hosted) stores.
- we cannot track users across different days, devices, or even browsers.
- we actively delete data that is no longer useful to you.
All this means that any measurements are collected completely anonymously, so there is no need for cookie banners or GDPR consent (see Recital 26).