Privacy & GDPR
Analytics that respects your visitors by design — no cookies, no personal data, no consent banner required.
Why no cookie banner is needed
EU law (the ePrivacy Directive) requires consent for storing or reading information on a visitor’s device — that’s what triggers cookie banners. Nomada stores nothing on the device: no cookies, no localStorage, no device IDs. Because we never access the visitor’s device beyond serving the page, and we never process personal data, there is no legal basis that requires an interruptive consent prompt for our analytics.
That means faster pages, no annoying pop-ups, and full measurement of 100% of your traffic — not just the share that clicks “accept”.
What we collect
| Data point | How |
|---|---|
| Page URL & title | Sent by the page itself. |
| Referrer source | The referring domain only — never the full URL. |
| Country | Derived from the IP address in memory; only the 2-letter country is kept. |
| Device, browser, OS | Parsed from the User-Agent string, then discarded. |
| Screen size | Rounded bucket, e.g. “1920×1080”. |
What we never collect
- No cookies or any other persistent identifier on the device.
- No IP addresses in storage — they are used in memory to derive a country, then dropped.
- No names, emails, or any data that identifies an individual.
- No cross-site or cross-device tracking, and no data sold or shared with advertisers.
How visitors stay anonymous
To count unique visitors without identifying them, we generate a one-way hash from the IP address, User-Agent and the website domain, mixed with a secret salt that rotates every 24 hours. The salt is discarded on rotation, so yesterday’s hashes can never be reconnected to a person or linked across days. The result is a number that lets us count, but never re-identify.
Data retention
Raw event records can be automatically deleted after a configurable window, leaving only anonymous daily aggregates (counts by day, page, country, etc.). Aggregates contain no per-visitor rows — just totals — so your long-term trends are preserved while the granular data that could theoretically be analysed is purged. We store as little as possible, for as short as possible.
Lawful basis (GDPR)
Because the analytics data is anonymous and contains no personal data, the GDPR does not apply to it. Where a regulator nonetheless considers any field personal, the lawful basis is legitimate interest (Art. 6(1)(f)): understanding aggregate website usage with a minimal, privacy-preserving method that has no material impact on the individual.
Your rights
Under the GDPR and CCPA you have rights to access, correct, or delete your personal data. Because we hold no personal data and no identifier that could link analytics back to you, there is nothing on our side to retrieve or erase about an individual visitor. For any privacy question, reach out through our support page.
Data Processing Agreement (DPA)
When you use Nomada to measure your website, you are the data controller and we act as your processor. Our standard DPA reflects the reality of how the service works:
- Subject matter: anonymous website-usage analytics.
- Duration: for the term of your account; raw data is purged per your retention setting.
- Nature & purpose: counting and aggregating page requests to produce usage statistics.
- Categories of data: anonymous, aggregated usage metrics — no special categories, no identifiable individuals.
- Sub-processors: only the infrastructure required to host the service; no advertising or data-broker third parties.
- International transfers: we process only anonymous, aggregated analytics — there is no personal data to transfer.
Need a signed copy for your records? Request one through our support page.
Last updated June 2026. This statement is provided as a strong starting point and is not legal advice; please have it reviewed against your specific obligations.