Privacy policy

Created on 4 December, 2024 • Information • 14 minutes read

Privacy policy for BasicWebstats

This privacy statement explains how we, BasicWebstats | Prompt media (the company behind BasicWebstats), process personal data in our business according to the General Data Protection Regulation (GDPR) and other relevant data protection and privacy legislation applicable to our business.

Our commitment to data protection and privacy

BasicWebstats is an analytics company that prioritises privacy. We make money from our paying customers, so there is no need or reason to sell, rent or give away your data (that is not our business model, and we are not going to do it).

We have further strengthened our privacy efforts with a comprehensive GDPR project. We reviewed all our obligations under the GDPR, updated our Article 30 registration of processing activities, conducted data protection risk assessments, formalised various policies and procedures, and carried out various other activities.

We have also formally appointed a Privacy Officer to help us keep constantly abreast of global data protection and privacy rules and regulations.

We hope to provide you with clear and transparent information on how we process your personal data (as a data controller) and on your data protection rights. If you feel that certain information is unclear or missing, please do not hesitate to contact us.

We begin this policy by describing our processing as the data controller of your personal data. We also process some personal data on your behalf, as a data processor, as described at the end.

Your data protection rights

  • Access and rectification: you can request a copy of the information we process about you and ask us to rectify inaccurate data.
  • Erasure or restriction: in certain circumstances, you can ask us to erase your data or restrict its processing, but we cannot erase data that we are legally obliged to process.
  • Object to processing: in some cases, you can ask us to stop processing your data.
  • Data portability: in some circumstances, you can ask us to transfer your data to you or another organisation.
  • If you are not satisfied with the way we process your data, you have the right to lodge a complaint with a national data authority. However, we hope you will contact us first so that we can try to resolve the matter in a satisfactory way for you.

Please contact us if you have any questions about how we handle your data or if you wish to exercise any of your rights. You are entitled to a response within 30 days.

How do we obtain your personal data?

We process personal data of potential or existing customers, website visitors, vendors and cooperation partners.

We may process personal data when you:

  • Contact us online (email, video calls, social media, etc.) or communicate with us by phone
  • Use our services/software (BasicWebstats)
  • Provide products/services to us or enter into a partnership with us

It is voluntary to provide us with personal data, but we cannot provide you with our services if you do not.

We do not rent, buy or sell personal data from or to others, do not use automated decisions or profiling when processing your personal data, and do not process special category data as referred to in Article 9 of the GDPR.

Purpose, legal basis and retention periods

We only process your personal data if we have a purpose and a legal basis to do so. Under GDPR Article 6(1), the legal bases we rely on are:

  a) Your consent
  b) We have a contractual obligation (contract)
  c) We have a legal obligation
  f) We have a legitimate interest

As a rule, we do not process personal data longer than necessary to fulfil the purpose of the processing. To comply with this, we have regular internal GDPR audits during which we formally review our data protection and privacy activities with the intention of adjusting, updating and, if necessary, deleting personal data.

We only retain data for as long as we are required to by applicable legal obligations, such as accounting, tax, employment law or other relevant rules and regulations. An example is the Dutch Income Tax Act, which requires us to keep data for as long as someone is a customer and at least five years thereafter.

Details on the processing of your personal data

This section describes when and how we process your data, for what purposes and on what legal grounds (legal bases). We also specify the retention periods for processing.

We process personal data when:

You communicate with us

Regardless of your relationship with us, as a potential or existing customer, vendor or otherwise, we process your personal data when you communicate with us. This may be when you contact us via email, phone (call, text) or social media. Depending on where and how you contact us, this may include your name, contact details, IP address and other information you send to us. We use a customer service system to manage personal data of potential and existing customers.

The purpose of this is to answer your queries and, in some cases, to keep records in case of complaints or legal claims. The legal basis is f), where our legitimate interest is to respond to your queries and, in some cases, to keep records in case of complaints or legal claims.

We check this data during our regular GDPR audits and delete personal data if necessary. We usually keep this kind of personal data for a maximum of two years, or six years if we have a legal obligation in accordance with accounting rules.

You sign up for a trial version of BasicWebstats

We want you to try out BasicWebstats before you spend money on it. That's why we offer a 7-day free trial. To get access, you need to share your e-mail address and billing address, set a password, select your preferred subscription and enter your payment details. At the end of the trial, you will be asked to activate and pay for the subscription, unless you pay automatically, in which case it will be activated immediately, or you cancel the account. We will send you a few emails during your trial period. If you do not want to receive these emails, you can easily unsubscribe at any time by clicking the unsubscribe link in each email.

The purpose of this processing is to give you access to a trial version of our service and the legal basis is b) contract. We review this data during our regular GDPR audits and delete personal data if necessary, but no later than two years after you signed up for the trial period.

You subscribe to BasicWebstats (become a customer)

When you purchase a subscription, we already have the personal data you provided when you signed up for a trial period. We also have your order/billing history. You can add other personal details in your account dashboard, such as address, company name and VAT number. If you choose to become an affiliate, we will ask for your bank details.

The purpose of this processing is to fulfil our obligation to provide the services you have purchased and manage the customer relationship. The legal bases are b) contract and c) legal obligation related to accounting, tax and other business laws we have to comply with.

We process the data as long as you are a customer and we have a legal obligation according to the applicable rules and regulations to which we are bound. We are required by law to keep business data, including personal data, for as long as someone is a customer and at least six years thereafter for accounting purposes.

You receive marketing as an existing customer

If we have an existing customer relationship with you, we may send you emails with a promotional element (this happens very rarely). The personal data we process are your name and e-mail address. The purpose is to send you news and offers related to your subscription. The legal basis is f), where our legitimate interest is to offer our relevant products and services. The legal basis may also be a), where you have given us permission for such marketing.

You can unsubscribe from marketing e-mails at any time by clicking on the unsubscribe link in any such e-mail. We will process the data for as long as we have a customer relationship with you or if the processing is based on your consent, until you withdraw it. If you ask us to stop sending you promotional material, your account will be marked in our internal database as ‘unsubscribed from marketing’ and you will no longer receive marketing e-mails from us. We are still required to process data for accounting, tax and other business purposes if you are our customer.

You respond to our surveys

We sometimes send surveys to our customers to improve our product. Responding to our surveys is entirely voluntary. We process personal data such as your name, contact details and any other information you wish to share with us. We do not process personal data if a survey is anonymous.

The purpose is to collect your feedback to continuously improve our products and services and provide you with better customer service in the future. The legal basis is a) consent. We check this data during our regular GDPR audits and delete personal data if necessary; however, no later than two years after answering the survey.

You provide services to or cooperate with us

When you enter into an agreement with us as a supplier, partner or data processor, we process personal data such as your name, contact details and correspondence. The purpose is to enter into this agreement and communicate with you before, during and after our formal business relationship.

The legal bases are b) contract, c) legal obligation related to accounting, tax and other business laws we must comply with, and f) our legitimate interests to communicate with you before, during and after our formal business relationship (described in the section ‘You communicate with us’ above). We retain personal data for as long as we have a formal business relationship and for up to 5 years thereafter, in accordance with our legal obligations for accounting, tax and other business purposes.

You use our website

When you use our website, we briefly process your IP address and user agent, which are considered personal data under the GDPR. We also keep partial access logs. We do not track which pages are viewed, only the time and total number of requests per IP. The purposes for this processing are a) to protect us from cyber-attacks such as DDoS attacks and b) to analyse our website traffic to optimise and effectively run our business. The legal basis is f), where our legitimate interests are to protect our business from cyber-attacks and optimise and run our business effectively.

PS: We do not use cookies or similar technology on our website and we do not collect personal data requiring consent under the ePrivacy Directive (Directive 2009/136/EC). We use our own ePrivacy Compliant Analytics service.

Who we share your personal data with

To run our business efficiently and securely, we sometimes need to share your personal data with other (trusted) parties, such as:

  • Data processors: providers of various services that process your personal data on our behalf
  • Our accountant
  • Professional advisers from other sectors, such as law and finance
  • IT support, where necessary
  • Government agencies: when we are required to report to them

We require all these recipients to secure data in accordance with good information security and according to the requirements of this Privacy Statement. We monitor and ensure the quality of all suppliers and data processors and enter into a data processing agreement/addendum where necessary.

We use data processors for:

  • E-mail, calendar and digital meetings
  • Accounting
  • This website, including online payment providers
  • Transaction emails to customers
  • Support ticket system

We do not publish further details (such as names) of our data processors to protect our business. If you want to know more about our processing and who we share your personal data with, please contact us. We practice data minimisation, so we only use data providers to process your personal data when necessary (e.g. Stripe for payment processing).

Transfer of personal data outside the EU/EEA

In some cases, your personal data will be transferred to a ‘third country’, i.e. outside the EU/EEA. For example, when we use data processors to manage email services. We only use data processors we trust, who are well known, reputable and have a data processing agreement/addendum.

We have ensured that any data processor in a third country has the necessary safeguards, such as the EU adequacy decision, standard contractual clauses (SCC) or binding corporate rules (BCR).

We conduct risk assessments for each data processor we use in our business. In addition, we carry out an additional risk assessment when your personal data is transferred outside the EU/EEA. In particular, we assess the data processor's technical and organisational security measures, reputation and safeguards for international transfers of personal data.

In line with the Schrems II ruling and the EDPB's recommendations, we also conducted a transfer impact assessment (TIA). We have developed a new technique called EU Isolation to address the ruling; it is available to all customers in all plans.

If you still have concerns or questions, please contact us.

Information security

We take information security as seriously as privacy, and we will always do our utmost to protect your personal data to the best of our ability. For example, we use strong passwords, data encryption, two-factor authentication and various other measures to secure our data and prevent unauthorised persons from accessing, modifying, deleting or in any way affecting the data we store, including your personal data.

We only allow others to access or process your personal data according to our instructions and only when strictly necessary (e.g. in the unlikely event that we need IT support).

We have established and implemented a dedicated IT security policy for technical and organisational measures and a routine for managing data breaches. Suppose we face a personal data breach, i.e. a security breach leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data, and this poses a medium to high risk to the affected individuals. In this case, we will notify the national data authority within 72 hours. If the risk to data subjects is deemed high, we will inform them directly if possible.

Our role as a data processor

When you use BasicWebstats on your website, we process data from your website visitors on your behalf. In this case, you are the controller of this data and we are your data processor. We comply with the requirements according to GDPR Article 28, such as:

  • Carry out our processing only on your behalf and according to your instructions
  • Using sufficient technical and organisational security measures to protect the data we process on your behalf
  • Require our employees to keep your data confidential

We also engage other (sub)processors according to your general written consent and will notify you of any intended changes regarding such (sub)processors so that you can object to such changes if you do not consent to them.

You can view a detailed data summary of what happens when you use BasicWebstats on your website. And you can view our privacy compliance section for more information.

We process minimal personal data on your behalf

Because we built BasicWebstats from the beginning with privacy in mind, we have minimised the amount of personal data processed to only the IP address and User-Agent (in line with one of the fundamental principles of the GDPR; Article 5(1)(c)).

The IP address and User-Agent are considered personal data under the GDPR, and the legal basis for processing is usually consent or legitimate interest. Since the IP address is provided by the ISP and not by the user's terminal equipment, we do not consider such information as ‘information stored in the terminal equipment’. IP addresses provided in this way are therefore outside the scope of Article 5(3), and the consent requirement does not apply under the ePrivacy Directive (Directive 2009/136/EC). Moreover, the User-Agent is not requested via end devices; it is sent to us by your browser and it is impossible for us not to receive it. Note: this may change in the future if browsers start removing User-Agent strings.

In accordance with the Schrems II ruling, we process data of visitors from the EU in the EU - read more about EU isolation here.

Accessing and correcting your personal data

You have the right to view your personal data and request a correction if you believe it is incorrect. If you have submitted personal data and would like to see it or have it corrected, please contact us using the contact details below.

Contacting us

If you have any questions about this Privacy Policy or wish to access your data, please send a written request to:

BasicWebstats | Prompt Media, PO Box 56907, 1040 AX Amsterdam, the Netherlands

Or send an e-mail to: contact form.

This privacy statement was last updated: 1 December 2024