Platform Privacy Policy
tinyvisits.com
Last updated: May 29, 2026
This Platform Privacy Policy is dedicated to Clients and users of tinyvisits.com provided by Algopine s.r.o., with its registered seat at Klincová 37 Bratislava 821 08, Slovakia, company ID no. (IČO): 51983702 (hereinafter referred to as “Tinyvisits”, “we” or “us”) and explains how we handle the Platform Data via our Services or Platform on behalf of our Clients, as defined below.
For the purposes of this Platform Privacy Policy:
“Clients” are typically website providers or publishers who use our Platform or Services based on Terms of Use;
“Data Processing Agreement” means the agreement pursuant to the Article 28 GDPR between Clients as controllers and us as their processor which is part of the Terms of Use;
“Platform” means the platform tinyvisits.com owned and operated by Algopine as a strictly privacy respectful website analytics SaaS;
“Platform Data” means any data, whether personal data or not (e.g. IP address, user agent, website, aggregated statistics, cookie ID, hashed cookie ID, approximate geographical location, e.g. city, state, etc.), that our Clients entrust to us for processing. The scope and nature of Platform Data depend on the Service mode selected by the Client:
- Full analytics mode: Includes persistent identifiers (e.g., cookie IDs) and online identifiers allowing for detailed visitor behavior analysis, processed only after obtaining end-user consent.
- Minimalistic analytics mode: Includes only temporary identifiers (e.g., IP addresses) which are processed exclusively in volatile memory (RAM) for immediate and irreversible anonymization. The stored Platform Data in this mode consists solely of anonymous aggregate statistics.
In the Minimalistic analytics mode, the approximate geographical location is determined within the volatile memory (RAM) during the anonymization process. Once the statistical location (e.g., country or city) is extracted, the source IP address is immediately discarded.
“SaaS” means Software as a Service, a cloud-based model for delivering the software applications included in the Platform to the Client's website.
“Services” are SaaS that Algopine provides via the Platform to its Clients, in particular:
- Data Collection and Analysis: Regular collection, processing, and analysis of data from the Client's website to gain valuable insights into visitor behavior;
- Report Preparation: Creation of regular, automated reports displayed through dashboard or delivered via email, including summaries, graphs, and tables, containing key metrics such as page views, unique visitors, most popular pages, and traffic sources;
- Consent Management Platform (CMP) Implementation and Management: Implementation and management of a Consent Management Platform (CMP) in accordance with applicable laws and regulations, enabling the Client to obtain and manage user consent for the use of cookies and other tracking technologies;
- User Behavior Tracking: Tracking of user behavior on the website based on granted consent, to provide the Client with detailed information on user interaction with the website.
Service Modes and Data Handling
To ensure the highest level of privacy, Tinyvisits operates in two distinct modes as selected by the Client:
1. Full analytics mode: We act as a Processor for the Client to provide comprehensive analytics. This mode uses cookies and similar technologies to track visitor journeys across the Client’s website. Data is only collected and processed after the Client’s Consent Management Platform (CMP) signals that valid consent has been obtained.
2. Minimalistic analytics mode: This mode is designed for consent-less aggregate statistical measurement. In this mode, we implement technical measures to ensure that:
- The visitor’s IP address is processed only in the volatile memory (RAM) and is masked/hashed immediately. No full IP address is ever written to disk or stored in our database.
- No cookies or persistent identifiers are stored in the visitor’s browser for tracking purposes. By default, the service does not store any cookies. The only exception is a technical entry in the browser's local storage in the event that a visitor opts out manually. This entry contains no unique identifier and serves solely to respect the visitor's choice not to be tracked.
- The resulting data is strictly anonymous and does not allow for the identification of an individual visitor, even when combined with other data.
We process Platform Data solely for the benefit of the specific Client. In both modes, we strictly prohibit cross-site tracking. Data collected from one Client's website is never combined with, or used to enrich profiles of visitors on, another Client's website.
“Terms of Use” means the terms of use governing the use of the Platform, available at tinyvisits.com/terms and updated therein from time to time.
General overview
We act as a data processor when providing Services and processing Platform Data via the Platform. We do not process Platform Data as a data controller and we do not maintain or take any ownership of the Platform Data. Platform Data is under the sole legal control of Clients and its processing is governed by the Data Processing Agreement. As a controller, we process personal data pursuant to the Corporate Privacy Policy of Algopine, available at algopine.com/privacy-policy, for our own purposes which are not linked with Tinyvisits.
Tinyvisits as a Data processor
For the majority of our operations, we act strictly as a data processor for our Clients. In this role, we process visitor data (such as page views or "pings") solely to provide analytics insights based on the Client's instructions.
Tinyvisits as an independent controller
Notwithstanding our role as a processor, Tinyvisits acts as an independent data controller for the specific purpose of maintaining the security and stability of our infrastructure (the SaaS platform).
This processing is strictly limited to network security, operating firewalls, detecting and mitigating DDoS attacks, and conducting forensic analysis in the event of a security incident.
We rely on our legitimate interest (pursuant to Article 6(1)(f) of the GDPR and Recital 49) to ensure the security of our network and information.
For these security purposes, we may temporarily process raw technical data, including full IP addresses, before any anonymization for analytics takes place. This is necessary to identify and block malicious actors. This data is kept separate from analytical databases and is retained only for the duration necessary to resolve security threats.
What do we mean by Platform Data?
The Services are provided through our centrally hosted online Platform, which is designed to use certain types of information (depending on the individual product) that all together we call Platform Data. This includes information sent or uploaded to us by Clients, mainly regarding the way the Client's website is used by visitors, e-commerce customers or other types of users of the Client's website.
Tinyvisits processes Platform Data pursuant to a binding legal contract (DPA), limiting the processing of personal data strictly to the instructions of the Client. While Clients act as independent data controllers for their websites, Tinyvisits provides the technical infrastructure and may set rules for data collection to ensure compliance and service quality.
Tinyvisits is a privacy-first solution. We believe that privacy should be at the core of any web analytics. That's why we support our Clients in implementing solutions that are designed with privacy in mind from the start. We strive to enhance our Clients’ approach to privacy in website analytics with tools providing privacy by design in the best way possible. Depending on the selected mode, we use different technologies to provide Services:
- Minimalistic analytics mode with cookie-less technology that does not store any information on the visitor's device. It relies on real-time processing to generate anonymous statistics.
- Full analytics mode, where we may use cookies or browser local storage to provide deeper behavioral insights, subject to visitor consent managed by the Client.
Platform Data is strictly limited to achieving the Client’s analytical purposes. It allows viewing core metrics such as page views, unique visits, popular pages, URLs, browser descriptors, referrers, and user-agent strings. These metrics help Clients uncover trends, optimize content, and understand traffic sources.
Tinyvisits uses the IP address at the beginning of processing each collected event to perform an approximate geo-location lookup (at a city or country level). In Minimalistic Mode the IP address is processed exclusively dynamically in the server's volatile memory (RAM) to create an anonymous identifier via cryptographic hashing. No IP addresses or persistent Cookie IDs are stored in the database. In Full Mode the event may be linked to a pseudonymized Cookie ID to allow for longitudinal analysis, while the raw IP address is still discarded after initial processing.
Importantly, Platform Data also contains the registered credentials of the Client’s authorized users (e.g., username, login, password, and email address) necessary for accessing the Platform dashboard and receiving automated statistical reports.
Is Platform Data personal data?
This question is often asked by our Clients and their legal counsels. We believe the part of Platform Data containing aggregated and anonymized website analytics and statistics is not personal data, but we are also processing personal data (e.g. processing and storing pageview events based on cookie IDs, or processing IP addresses before performing automated approximate geo-location lookup, or sending emails to the Client's registered user of Tinyvisits etc.). Furthermore, we do not see the whole complexity of all processing operations and purposes of how Clients may use the Platform Data and/or our Platform. Nevertheless, some Platform Data are always considered personal data, for example login credentials or general user data about particular end users of the Platform that relate to our Client’s employees or representatives. To safeguard our Clients' data and maintain strong security standards, we treat all Platform Data as personal data, even if certain components might not technically qualify as such. This aligns with our commitment to the confidentiality provisions outlined in the Terms of Use.
For what purposes do our Clients typically process personal data?
Each Client acting as a controller is free to determine its own purposes of processing with regard to any Platform Data that is personal data. These are defined in the Data Processing Agreement and should be generally aligned with Clients’ own privacy policy notices. From our observations, there are certain typical purposes and legal bases often pursued by our Clients, and we have included these in the Data Processing Agreement. However, the table below provides only generalized information to our Clients (e.g., legitimate interest for aggregate reach measurement in Minimalistic mode or consent for advanced behavioral tracking in Full mode); the listed details are for information only and are not legal advice. Clients are solely responsible for relying on a sufficient legal basis to the extent they believe personal data is included in the Platform Data. In any case, we will always process any personal data included in the Platform Data only to the extent required for provision of Services or to comply with our rights and obligations under the Terms of Use, to the extent allowed by the applicable law.
| Typical Client purposes | Legal grounds typically relied upon by Clients |
|---|---|
| Use of marketing analytics tools | Clients’ legitimate interests in advanced analysis of their website traffic as per Art. 6(1)(f) GDPR |
| Targeting and personalization of ads | Data subject's consent pursuant to Art. 6(1)(a) GDPR |
| Fulfilling legal obligations (related to GDPR consent) | Fulfilling a legal obligation pursuant to Art. 6(1)(c) GDPR (in relation to consent management – revoking and keeping evidence about granting and withdrawal of the consent) |
| Statistical purposes | Legal ground of the original purpose within the regime of compatible purposes under Art. 6(4) GDPR and Art. 89 GDPR, as explained by recital 50 GDPR |
What aren’t we doing with Platform Data?
We acknowledge the confidentiality and value of the Platform Data and we do not exploit the Platform Data in any way that is not permitted. In particular, we are not:
- selling your personal data to anyone;
- monetizing your personal data by other means;
- claiming ownership over your personal data;
- bartering your personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Clients to provide us with such data. If we become aware that a Client has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data, including the following:
- Special categories of personal data as defined in Article 9 of the GDPR, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data uniquely identifying a natural person, or data concerning a person’s sex life or sexual orientation;
- Sensitive data including Social Security Numbers or other Government-issued identity cards, CVC codes and other credit card details, information about an individual's health or medical conditions or treatments, including genetic, genomic, and family medical history.
The Data Processing Agreement explains that, as an immanent feature of our Services, we collect pageview events and create certain aggregated statistical data for Clients. Provided that rigorous non-identification and Client non-attribution warranties and conditions are met (such as replacement of page and domain URLs, referrers, cookie IDs and user agents in pageview events by fully random strings without remembering the replacement mappings), we are allowed to use this fully anonymized data for our own specific processing purposes (e.g. development, improvement, testing and load testing of the software applications). The resulting data is not related or linkable to any individual and not even to any specific Client, domain or webpage. Details are agreed in the Data Processing Agreement incorporated as an addendum to the Terms of Use.
With whom do we share Platform Data?
We take the confidentiality of Platform Data very seriously and share it with recipients only on a need-to-know basis and subject to the recipients maintaining its confidentiality. Depending on the purpose of processing and the particular circumstances, typical recipients of the Platform Data are:
- Providers of platforms for email communication with customers;
- Providers of cloud and hosting services (e.g. Worldstream, Hetzner) – as necessary technology vendors supporting running of the Platform;
- Providers of bot protection services – as necessary technology vendors to perform a risk analysis and to detect and, if necessary, block automated access.
We also use sub-contractors to support us in providing services who might process personal data for us. These sub-contractors mainly include developers, hosting, cloud and similar software service providers located or with servers located in the EU/EEA, mainly but not limited to Hetzner and WorldStream. We ensure that selection of our sub-contractors and any processing of personal data by them is compliant with the GDPR. We may release personal data and any other information we possess when necessary or appropriate to comply with the law; cooperate with law enforcement or national security requirements; respond to lawful requests; or to enforce our Terms of Use.
What countries do we transfer Platform Data to?
To ensure data privacy and security, and to make compliance easier for our Clients, we prioritize EU/EEA data storage for all Platform Data. We exclusively partner with hosting and data center providers located within the EU/EEA. For providing our Services, we only use the following hosting / data centers / payment providers located in the EU/EEA:
| Sub-processor | Privacy Policy | Provided services | Location of Platform Data |
|---|---|---|---|
| Hetzner GmbH | https://www.hetzner.com/legal/privacy-policy | Data hosting (Server provider) | Germany |
| Worldstream B.V. | https://www.worldstream.com/media/uploads/2025/05/Worldstream-Personal-Data-Processing-Policy-EN.pdf | Data hosting (Server provider) | The Netherlands |
| OVH Hosting Limited | https://www.ovhcloud.com/en-ie/terms-and-conditions/privacy-policy/ | Data hosting (Server provider) | EU |
| Myra Security GmbH | https://www.myrasecurity.com/en/privacy-policy/ | Bot protection (Captcha provider) | EU |
| Frisbii Germany GmbH | https://frisbii.com/data-protection-notice/ | Payment processor | EU |
Who are our sub-processors involved in providing our Services?
Our sub-processors, as authorized by our Clients in Data Processing Agreements, are always listed in this sub-processor list:
| Sub-processor | Provided services |
|---|---|
| Hetzner GmbH | Data hosting (Server provider) |
| Worldstream B.V. | Data hosting (Server provider) |
| OVH Hosting Limited | Data hosting (Server provider) |
| Myra Security GmbH | Bot protection |
| Frisbii Germany GmbH | Payment processor |
How long do we store Platform Data?
Where we process personal data on behalf of the Clients, the retention periods are set out by them and we have no control over that. As soon as our contract with the Clients ends, we are under an obligation to either return all personal data to the Clients or securely erase all personal data, at the choice of the Clients. The same applies to our own purposes of processing, which are undertaken only on personal data currently processed by us for the Client. If our contract with the Client ends – by default – we do not keep your personal data for our own purposes. This way, we comply with the basic principles relating to processing of personal data, achieving data minimization, storage limitation and purpose limitation. Based on your individual instruction expressed in the settings of Tinyvisits, we can keep your Platform Data for a maximum of 5 days after the end of the subscription to Services pursuant to the Terms of Use. The following remain subject to our right to retain: (i) copies of transactions between the Clients and Tinyvisits, (ii) information relating to any dispute or potential fraud, (iii) any additional information we need to keep to protect our legal rights or the rights of others, and (iv) website pageview data, dashboard login data or other Platform network data identified as malicious, nefarious or otherwise related to potential security attacks on the Platform.
Data Protection Impact Assessment
We are committed to providing our Clients, as data controllers, with the necessary materials and information to conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the GDPR taking into account the nature of processing and the information available to us. Based on our internal DPIA Pre-assessment, the use of Tinyvisits in "Minimalistic Analytics Mode" is designed as a low-risk processing operation that typically does not trigger the mandatory obligation for a Controller to perform a DPIA, as it avoids invasive tracking and persistent profiling. However, we notify Clients that certain advanced features within the "Full Analytics Mode" may involve profiling pursuant to Art. 4(4) of the GDPR. Depending on the scope of implementation and the specific black list of risky processing operations issued by national supervisory authorities (e.g., the Slovak Office for Personal Data Protection), this mode may require the Controller to conduct a DPIA. For any further inquiries related to DPIAs or to request our detailed Pre-assessment summary for your compliance records, please do not hesitate to contact our Privacy team.
Security Policy
The security of your personal data is important to us. Tinyvisits follows generally accepted industry standards and has appropriate measures in place to ensure that your data is protected against unauthorized access or use, alteration, unlawful or accidental destruction, and accidental loss. No method of transmission over the internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. We have adopted appropriate organizational and technical measures required under the GDPR to protect personal data and in general we can proudly declare to our Clients that:
- All data transfers through public networks (internet) are encrypted in transit with trustworthy, strong and modern cryptography;
- Identifiers are pseudonymized or masked at the earliest possible stage. In Minimalistic mode, identifiers are transformed into anonymous hashes directly in volatile memory (RAM) and are never stored in their raw form;
- Dashboard access is user and password protected, passwords are persisted using a hashing function with salt;
- All software components of Services are regularly updated, patched and scanned against known vulnerabilities;
- Analytics events and suspicious activities are recorded into logs and evaluated;
- Platform Data will be accessed only by our well-trained personnel bound by non-disclosure agreements and instructions issued pursuant to Art. 29 and Art. 34 (4) GDPR;
- Data backups are encrypted and stored on secure, geographically separated infrastructure within the EU to ensure business continuity;
- We partner exclusively with reputable vendors that provide robust security attestations and relevant certifications.
For more information see the Annex to our Data Processing Agreement incorporated into the Terms of Use.
Cookies
Tinyvisits uses cookies in order to function correctly when providing Services for the Controller's own purposes. This means that we use cookies and similar technologies on the Client's website after integration of our snippet and consent management platform. This enables us to collect statistics and create metrics related to analytics of the Client's website, as well as to create evidence of GDPR/e-Privacy compliance for our Client. Based on the Controller's information obligations as specified in CJEU Case C-673/17 Planet49, we recommend that our Clients provide information about these cookies, which result from the integration of Tinyvisits into the Controller's / Client's website, in their cookie policy with reference to this information:
| Cookie/Browser Storage Name | Description of cookie purpose | Type of cookie | Expiry |
|---|---|---|---|
| "tivi-consent" | Consent respecting pageview analytics measurement / Page view tracking cookie | Analytics | 30 days |
| "tinyvisits_opted-out" | Stores information that the user has rejected full analytics and chosen minimalist mode. It is used to prevent the option from being offered repeatedly. | Session | when using the app |
Tinyvisits provides dashboard pages to Clients where Clients can access their website statistics. Dashboard pages use functional cookies to provide login and authentication mechanism:
| Cookie Name | Description of cookie purpose | Type of cookie | Expiry |
|---|---|---|---|
| "JSESSIONID" | Login/authentication mechanism for accessing dashboard | Functional | 8 hours |
Changes to this Platform Privacy Policy
We may change this Platform Privacy Policy from time to time by posting the most current privacy policy and its effective date on our website. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice, on our websites.