Privacy Policy

Last updated: May 2026. This policy covers how sub.analytics handles data — both data from customers who use our service, and data from visitors to websites that use our tracking script.

1. Who we are

sub.analytics is operated by Tilman Richter, Auf den Häfen 5, 28203 Bremen, Germany. We are the data controller for account data. For website visitor data, we act as a data processor on behalf of our customers (website owners).

Contact: hello@subnodes.net

2. No cookies — ever

sub.analytics does not set any cookies in visitors’ browsers. Our tracking script does not read or write browser storage of any kind. No consent banner is required to use sub.analytics on your website.

3. Visitor data (website analytics)

When a visitor loads a page tracked by sub.analytics, our servers receive the following technical request data:

  • IP address (used only for the hash below — never stored raw)
  • User-agent string (browser and device type)
  • Referrer URL
  • Requested page URL
  • Timestamp

To count unique daily visitors without identifying individuals, we compute a one-way hash: SHA-256(ip + user_agent + daily_salt). The salt rotates every 24 hours and is not stored after rotation. The hash itself expires and cannot be used to link records across days. The raw IP address is discarded immediately after hashing.
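The daily hash described above, as an added illustration (example code written for this page, not the sub.analytics implementation). The class and function names, the in-memory salt, the NUL field separators and the sample requests are assumptions of the example.

```python
import hashlib
import secrets
from datetime import date


class DailyVisitorHasher:
    """Holds only the current day's salt, in memory; rotation overwrites it."""

    def __init__(self):
        self._day = None
        self._salt = b""

    def _salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: the previous salt is overwritten and never persisted,
            # so hashes from earlier days cannot be recomputed or matched.
            self._salt = secrets.token_bytes(32)
            self._day = day
        return self._salt

    def visitor_hash(self, ip: str, user_agent: str, day: date) -> str:
        salt = self._salt_for(day)
        # SHA-256(ip + user_agent + daily_salt). The NUL separators are an
        # assumption of this example, added to keep field boundaries unambiguous.
        material = ip.encode() + b"\x00" + user_agent.encode() + b"\x00" + salt
        return hashlib.sha256(material).hexdigest()


def count_unique_visitors(requests, hasher):
    """requests: time-ordered iterable of (day, ip, user_agent).
    Returns {day: unique visitor count}; only hashes are kept, never raw IPs."""
    seen = {}
    for day, ip, ua in requests:
        seen.setdefault(day, set()).add(hasher.visitor_hash(ip, ua, day))
    return {day: len(hashes) for day, hashes in seen.items()}


# Constructed sample requests (documentation-range IPs, made-up user agent).
D1, D2 = date(2026, 5, 1), date(2026, 5, 2)
SAMPLE = [
    (D1, "203.0.113.7", "ExampleBrowser/1.0"),
    (D1, "203.0.113.7", "ExampleBrowser/1.0"),   # same visitor, second page view
    (D1, "198.51.100.9", "ExampleBrowser/1.0"),
    (D2, "203.0.113.7", "ExampleBrowser/1.0"),   # same visitor, next day
]

if __name__ == "__main__":
    print(count_unique_visitors(SAMPLE, DailyVisitorHasher()))
```

In this sketch the same visitor is counted once per day, and the hash produced for that visitor on the following day differs because the salt has rotated.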

What we store permanently: page URL, referrer, country (derived from IP via GeoIP lookup before hashing), browser family, device type, and the daily hash. No personally identifiable information is retained.

Legal basis (GDPR Art. 6(1)(f)): legitimate interest of the website owner in understanding their traffic, balanced against the minimal privacy impact — since no personal data is stored and no cross-site tracking is possible.

4. Account data (customers)

When you create a sub.analytics account, we collect and store your e-mail address and a hashed version of your password. We use your e-mail to send billing receipts, service notices, and — with your consent — product updates.

Legal basis: GDPR Art. 6(1)(b) (performance of a contract) for account-related communications; Art. 6(1)(a) (consent) for marketing e-mails.

5. Payment data

Payments are processed by Stripe, Inc. We do not store card numbers or payment details. Stripe acts as an independent data controller for payment processing; their privacy policy is available at stripe.com/privacy. We receive and store a Stripe customer ID and subscription status for billing management.

6. Sub-processors and data location

We use the following sub-processors:

  • Hetzner Online GmbH — server infrastructure, located in Germany (EU)
  • Stripe, Inc. — payment processing

All analytics data is stored on servers in Germany. No data is transferred outside the European Economic Area as part of the analytics service.

7. Data retention

Aggregated analytics data is retained for as long as your account is active. Account data (e-mail, subscription status) is retained for the duration of the contractual relationship and deleted within 30 days of account deletion.

8. Your rights (GDPR)

As a data subject, you have the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure (“right to be forgotten”); object to processing; and request data portability. To exercise any of these rights, contact us at hello@subnodes.net.

You also have the right to lodge a complaint with the supervisory authority. The competent authority for Bremen, Germany is the Landesbeauftragte für Datenschutz und Informationsfreiheit Bremen.

9. Cookies on this website

analytics.subnodes.net (the sub.analytics web app) uses one functional cookie: a session cookie set by NextAuth to keep you logged in. This cookie is strictly necessary for the service to function and does not require consent under GDPR Recital 47. It is deleted when your session expires or you sign out.

No advertising, analytics, or third-party cookies are set on this domain.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified by e-mail at least 14 days in advance. The date at the top of this page always reflects the most recent revision.