Platform Privacy Policy
tinyvisits.com
Last updated: September 30, 2024
This Platform Privacy Policy is dedicated to Clients and users of tinyvisits.com provided by Algopine s.r.o., with its registered seat at Klincová 37 Bratislava 821 08, Slovakia, company ID no. (IČO): 51983702 (hereinafter referred to as “Tinyvisits”, “we” or “us”) and explains how we handle the Platform Data via our Services or Platform on behalf of our Clients, as defined below.
For the purposes of this Platform Privacy Policy:
“Clients” are typically website providers or publishers who use our Platform or Services based on Terms of Use;
“Data Processing Agreement” means the agreement pursuant to the Article 28 GDPR between Clients as controllers and us as their processor which is part of the Terms of Use;
“Platform” means the platform tinyvisits.com owned and operated by Algopine as a strictly privacy respectful website analytics SaaS;
“Platform Data” means any data, whether personal data or not (e.g. hashed and masked IP address, user agent, website, aggregated statistics, cookie ID, approximate geographical location, e.g. city, state, etc.), that our Clients entrust to us for processing by uploading it to the Platform or by providing it to us via use of our Services under the Data Processing Agreement;
“SaaS” means Software as a Service, it is a cloud-based model for delivering software applications involved in Platform to Client´s website.
“Services” are SaaS that Algopine provides via the Platform to its Clients, in particular:
- Data Collection and Analysis: Regular collection, processing, and analysis of data from the Client's website to gain valuable insights into visitor behavior;
- Report Preparation: Creation of regular, automated reports displayed through dashboard or delivered via email, including summaries, graphs, and tables, containing key metrics such as page views, unique visitors, most popular pages, and traffic sources;
- Consent Management Platform (CMP) Implementation and Management: Implementation and management of a Consent Management Platform (CMP) in accordance with applicable laws and regulations, enabling the Client to obtain and manage user consent for the use of cookies and other tracking technologies;
- User Behavior Tracking: Tracking of user behavior on the website based on granted consent, to provide the Client with detailed information on user interaction with the website.
“Terms of Use” mean terms of use governing the use of Platform available at tinyvisits.com/terms and updated therein from time to time.
General overview
We act as a data processor when providing Services and processing Platform Data via the Platform. We do not process Platform Data as a data controller and we do not maintain or take any ownership of the Platform Data. Platform Data is under the sole legal control of Clients and its processing is governed by the Data Processing Agreement. As a controller, we process personal data pursuant to the Corporate Privacy Policy of Algopine, available at algopine.com/privacy-policy, for our own purposes which are not linked with Tinyvisits.
What do we mean by Platform Data?
The Services are provided through our centrally hosted online Platform, which is designed to use certain types of information (depending on the individual product) that all together we call Platform Data. This includes information sent to or uploaded to us by Clients, mainly regarding the way the Client´s website is used by visitors, e-commerce customers or other types of Client´s website users. Tinyvisits stores data it receives from Clients pursuant to a legal contract containing binding obligations on Algopine as the Tinyvisits provider, including limiting its processing of personal data only to the instructions of the Clients. We may set additional rules for our Clients regarding how data is collected and used for the Services, but such data is collected and used subject to the individual privacy notice of each Client, who generally acts as the data controller responsible for its own websites and applications. Tinyvisits and its Clients use a number of different technologies to collect data and to provide Services, including cookies, information stored in cookies and browser local storage or others.
Tinyvisits is a privacy-first solution. We believe that privacy should be at the core of any web analytics. That's why we support our Clients in implementing solutions that are designed with privacy in mind from the start. We strive to enhance our Client’s approach to privacy in website analytics with tools providing privacy by design in the best way possible. Therefore, Platform Data are strictly limited to what is needed to achieve the Client´s purposes of the processing. Platform Data allows easy viewing and understanding of all core website visitor metrics (e.g. page views, uniques, popular pages, URLs, browser descriptors, referrers, user browser agents). Platform Data also includes all important metrics to understand how the Client´s visitors interact with their websites. Platform Data can be used to uncover trends to optimize the Client´s content pages or whole websites and to understand where visitors or end customers are coming from.
Tinyvisits automatically masks the last 3 digits of the IP address during the start of processing of each collected event. Even then, the masked IP address is just temporarily used to perform an approximate geo-location lookup, and the actual event is only stored using the cookie ID. Finally, the masked IP address is only processed dynamically and in memory on the Tinyvisits servers, and only the cookie IDs are persisted in Tinyvisits database storage.
Importantly, Platform Data also contains registered credentials of the Client´s users of Tinyvisits (e.g. username, login, password and email address for accessing the Platform dashboard or for sending periodic automated emails with the latest website statistics).
Is Platform Data personal data?
This question is often asked by our Clients and their legal counsels. We believe a part of Platform Data containing aggregated and anonymized website analytics and statistics is not personal data, but we are also processing personal data (e.g. processing and storing pageview events based on cookie IDs, or processing IP addresses before performing automated last 3-digit IP address masking, or sending emails to the Client´s registered users of Tinyvisits etc.). Furthermore, we do not see the whole complexity of all processing operations and purposes of how Clients may use the Platform Data and/or our Platform. Nevertheless, some Platform Data are always considered personal data, for example login credentials or general user data about particular end users of the Platform that relate to our Client’s employees or representatives. To safeguard our Clients' data and maintain strong security standards, we treat all Platform Data as personal data, even if certain components might not technically qualify as such. This aligns with our commitment to the confidentiality provisions outlined in the Terms of Use.
For what purposes do our Clients typically process personal data?
Each Client acting as a controller is free to determine its own purposes of processing with regard to any Platform Data that is personal data. These are defined in the Data Processing Agreement and should be generally aligned with Clients’ own privacy policy notices. From our observations, there are certain typical purposes and legal bases often pursued by our Clients, and we have included these in the Data Processing Agreement. However, the table below provides only generalized information to our Clients; the listed details are for information only and are not legal advice. Clients are solely responsible for relying on a sufficient legal basis to the extent they believe personal data is included in the Platform Data. In any case, we will always process any personal data included in the Platform Data only to the extent required for provision of Services or to comply with our rights and obligations under the Terms of Use, to the extent allowed by the applicable law.
Typical Client purposes | Legal grounds typically relied upon by Clients |
---|---|
Using of marketing analytics tools | Clients’ legitimate interests on advanced analysis of its website traffic as per Art. 6(1)(f) GDPR |
Targeting and personalization of Ads | Data subject´s consent pursuant to the Art. 6(1)(a) GDPR. |
Fulfilling of the legal obligations (related to GDPR consent) | Fulfilling of legal obligation pursuant to the Art. 6 (1) (c) GDPR (in relation to consent management – revoking and keeping evidence about granting and withdrawal of the consent) |
Statistical purposes | Legal ground of the original purpose within the regime of compatible purposes under Art. 6(4) GDPR and Art. 89 GDPR, as explained by recital 50 GDPR |
What aren’t we doing with Platform Data?
We acknowledge the confidentiality and value of the Platform Data and we are not exploiting the Platform Data in any way that is not allowed. In particular, we are not:
- selling your personal data to anyone;
- monetizing your personal data by other means;
- claiming ownership over your personal data;
- bartering your personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Clients to provide us with such data. If we become aware that a Client has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data, including the following:
- Special categories of personal data as defined in Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data uniquely identifying a natural person, or data concerning a person’s sex life or sexual orientation;
- Sensitive data including Social Security Numbers or other Government-issued identity cards, CVC codes and other credit card details, information about an individual's health or medical conditions or treatments, including genetic, genomic, and family medical history.
The Data Processing Agreement explains that as an immanent feature of our Services, we collect pageview events and create certain aggregated statistical data for Clients. Provided that rigorous non-identification and Client non-attribution warranties and conditions are met (such as replacement of page and domain URLs, referrers, cookie IDs and user agents in pageview events by fully random strings without remembering the replacement mappings), we are allowed to use this fully anonymized data for our own specific processing purposes (e.g. development, improvement, testing and load testing of the software applications). The resulting data is not related or linkable to any individual and not even to any specific Client, domain or webpage. Details are agreed in the Data Processing Agreement incorporated as an addendum in the Terms of Use.
With whom do we share Platform Data?
We take confidentiality of Platform Data very seriously and share it with our recipients only on a need-to-know basis maintaining the confidentiality of the data recipients. Depending on the purpose of processing and particular circumstances, typical recipients of the Platform Data are:
- Providers of platforms for email communication with customers;
- Providers of cloud and hosting services (e.g. Worldstream, Hetzner) – as necessary technology vendors supporting the running of the Platform.
We also use sub-contractors to support us in providing services who might process personal data for us. These sub-contractors mainly include developers, hosting, cloud and similar software service providers located or with servers located in the EU/EEA, mainly but not limited to Hetzner and WorldStream. We ensure that selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR. We may release personal data and any other information we possess when necessary or appropriate to comply with the law; cooperate with law enforcement or national security requirements; respond to lawful requests; or to enforce our Terms of Use.
What countries do we transfer Platform Data to?
To ensure data privacy and security, and to make compliance easier for our Clients, we prioritize EU/EEA data storage for all Platform Data. We exclusively partner with hosting and data center providers located within the EU/EEA. For providing our Services, we only use the following hosting / data centers / payment providers located in the EU/EEA:
Sub-processor | Privacy Policy | Provided services | Location of Platform Data |
---|---|---|---|
Hetzner GmbH | https://www.hetzner.com/legal/privacy-policy | Data hosting (Server provider) | Germany |
Worldstream B.V. | https://media.worldstream.com/media/Worldstream-Privacy-Statement-ENG.pdf | Data hosting (Server provider) | The Netherlands |
Billwerk+Denmark A/S | https://www.billwerk.plus/data-protection-notice/ | Payment processor | Denmark |
Who are our sub-processors involved in providing our Services?
Our sub-processors, as authorized by our Clients in Data Processing Agreements, are always listed in this sub-processor list:
Sub-processor | Provided services |
---|---|
Hetzner GmbH | Data hosting (Server provider) |
Worldstream B.V. | Data hosting (Server provider) |
Billwerk+Denmark A/S | Payment processor |
How long do we store Platform Data?
Where we process personal data on behalf of the Clients, the retention periods are set out by them and we have no control over that. As soon as our contract with the Clients ends, we are under obligation to either return all personal data to the Clients or securely erase all personal data, at the choice of the Clients. The same applies to our own purposes of processing which are undertaken only on personal data currently processed by us for the Client. If our contract with the Client ends – by default – we do not keep your personal data for our own purposes. This way, we comply with basic principles relating to processing of personal data, achieving data minimization, storage limitation and purpose limitation. Based on your individual instruction expressed in the settings of Tinyvisits, we can keep your Platform Data for a maximum of 2 months after the end of the subscription to Services pursuant to the Terms of Use. Subject to our right to retain are (i) copies of transactions between the Clients and Tinyvisits, (ii) information relating to any dispute or potential fraud, (iii) any additional information we need to keep in order to protect our legal rights or the rights of others, and (iv) website pageview data, dashboard login data or other Platform network data identified as malicious, nefarious or otherwise related to potential security attacks on the Platform.
Data Protection Impact Assessment
We are committed to providing our Clients, as data controllers, with the necessary materials and information to conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR, taking into account the nature of processing and the information available to us. For this reason we are publishing this Platform Privacy Policy. We would like to notify Slovak Clients that part of our Services is profiling pursuant to Art. 4 (4) GDPR, which triggers your obligation as Controller to perform a DPIA pursuant to Art. 35 (4) GDPR based on the black list of risky processing operations. For any further inquiries related to DPIAs in the context of integration of Tinyvisits into the Controller´s website, do not hesitate to contact our Privacy team.
Security Policy
The security of your personal data is important to us. Tinyvisits follows generally accepted industry standards and has appropriate measures in place to ensure that your data is protected against unauthorized access or use, alteration, unlawful or accidental destruction and accidental loss. No method of transmission over the internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. We have adopted appropriate organizational and technical measures required under the GDPR to protect personal data and in general we can proudly declare to our Clients that:
- All data transfers through public networks (internet) are encrypted in transit with trustworthy, strong and modern cryptography;
- Relevant identifiers collected by Tinyvisits are pseudonymized or masked as soon as it is possible and replaced by anonymized identifiers (e.g. masked IP addresses);
- Dashboard access is user and password protected, passwords are persisted using a hashing function with salt;
- All software components of Services are regularly updated, patched and scanned against known vulnerabilities;
- Analytics events and suspicious activities are recorded into logs and evaluated;
- Platform Data will be accessed only by our well trained personnel bound by non-disclosure agreements and instructions issued pursuant to Art. 29 and Art. 34 (4) GDPR;
- Data backups are encrypted and stored on secure and geographically separated infrastructure;
- We exclusively partner only with reputable vendors that provide robust security attestations and relevant certifications.
For more information see the Annex of our Data Processing Agreement included in the Terms of Use.
Cookies
Tinyvisits uses cookies in order to function correctly within provision of Services for the Controller´s own purposes. It means that we use cookies and similar technologies on the Client´s website after integration of our snippet and consent management platform. This enables us to collect statistics and create metrics related to analytics of the Client´s website as well as to create evidence about GDPR/e-Privacy compliance for our Client.
Based on the precise information obligations of the Controller set out in CJEU Case C-673/17 Planet49, we recommend that our Clients inform about these cookies, which result from integration of Tinyvisits into the Controller´s / Client´s website, in their cookie policy with reference to this information:
Cookie Name | Description of cookie purpose | Type of cookie | Expiry |
---|---|---|---|
"tivi-consent" | Consent respecting pageview analytics measurement / Page view tracking cookie | Analytics | 30 days |
"JSESSIONID" | Login/authentication mechanism for accessing dashboard | Functional | 7 days |
Changes to this Platform Privacy Policy
We may change this Platform Privacy Policy from time to time by posting the most current privacy policy and its effective date on our website. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice, on our websites.