GDPR compliance (and EU national frameworks)
wheremyflow is designed to be exempt from cookie consent banners under the GDPR (EU Regulation 2016/679) and the ePrivacy Directive (2002/58/EC as amended). The framework applies uniformly across the 27 Member States + 3 EEA countries; each country has a data protection authority that enforces it locally (CNIL in France, BfDI/DSK in Germany, Garante in Italy, AEPD in Spain, AP in the Netherlands, etc.).
This isn't a marketing claim: it's a technical spec held end-to-end. This page lays out why, and what's left for you to handle as a publisher.
Why no banner?
Article 5(3) of the ePrivacy Directive requires prior consent before storing information on, or reading information already stored in, the user's terminal equipment (cookie, localStorage, fingerprinting, etc.). National authorities allow an exemption for strictly necessary audience measurement, subject to specific technical safeguards.
The main converging national frameworks are:
- 🇫🇷 France — CNIL framework "Cookies: solutions for audience measurement tools" of 4 July 2025 (15 criteria).
- 🇩🇪 Germany — TDDDG §25 (ePrivacy transposition) + DSK 2023 guidelines.
- 🇮🇹 Italy — Codice Privacy art. 122 + Garante guidelines "Cookie e altri strumenti di tracciamento" 10 June 2021.
- 🇪🇸 Spain — LSSICE art. 22.2 + AEPD "Guía sobre el uso de las cookies" 2024.
- 🇳🇱 Netherlands — Telecomwet art. 11.7a + AP guidelines 2023.
wheremyflow meets these shared conditions:
- No client-side storage — no cookie, no localStorage, no sessionStorage, no IndexedDB.
- No persisted personal data — no raw IP retained, no stable user ID, no fingerprint, no PII (email, name, etc.).
- Limited purpose — exclusively anonymous audience measurement for the publisher's site, no marketing, no cross-site, no unified reach.
What we collect (and how)
For each pageview, we compute an _anonymous visitor_ identifier with HMAC-SHA256, keyed with a monthly salt, over the concatenation of the following fields:
visitor_id = HMAC-SHA256(key = monthly_salt, message = site_id || IP || user-agent || language || day)
- The salt rotates monthly and the old salt is atomically deleted at rotation (Plausible / Fathom doctrine): impossible to link a visitor across months, and no way to re-hash a historical identifier — not even by wheremyflow.
- The "day" temporal component rotates every 24h: no chaining across days.
- The site_id component strictly isolates each client site: the same visitor on two wheremyflow sites produces two different, non-linkable hashes.
- The raw IP is never stored. It is used in memory for geolocation (country / region / city via DB-IP, France) and then immediately discarded.
This approach is an alternative to the last-octet IP truncation recommended by several EU authorities, and is documented as such in our self-assessment. It is more protective: the hash cannot be reversed or recomputed without the salt, the IP itself is never persisted, and the identifier's lifetime is bounded by the day component and the monthly salt rotation. Because the input space (IP, user agent, language) is small, the unlinkability rests on the salt staying secret and being destroyed at rotation, which is why the old salt is deleted rather than archived.
Result: we know that a visitor returned within the same day (useful for unique visits), but not the next day, nor on another site. Sufficient for honest KPIs; insufficient to track.
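The following Python sketch illustrates the scheme described above. It is an added example written for this page, not wheremyflow's code: the field order and the length-prefixed encoding of the HMAC message, the in-memory SaltStore, the constructed GEO_TABLE standing in for the embedded DB-IP file, and the PageviewRecord shape are all assumptions. It shows the four properties the text claims (same day and same site link, next day does not, another site does not, a rotated salt does not) and that the persisted record carries no IP.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the embedded geolocation file (prefix -> country). Not real data.
GEO_TABLE = {
    "203.0.113.0/24": "FR",
    "198.51.100.0/24": "DE",
}


def geolocate(ip: str) -> str:
    """Resolve an IP to a country from the in-memory table; 'ZZ' for unknown prefixes."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "ZZ"


class SaltStore:
    """Holds exactly one 256-bit salt. rotate() overwrites it; nothing keeps the old value."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(32)

    @property
    def salt(self) -> bytes:
        return self._salt

    def rotate(self) -> None:
        self._salt = secrets.token_bytes(32)


def _encode(fields) -> bytes:
    # Length-prefix every field so that concatenation is unambiguous
    # (assumed encoding; the page does not specify the serialization).
    out = b""
    for f in fields:
        b = f.encode("utf-8")
        out += len(b).to_bytes(2, "big") + b
    return out


def visitor_id(salt: bytes, site_id: str, ip: str, user_agent: str, language: str, day: date) -> str:
    """HMAC-SHA256 keyed with the monthly salt over site_id || IP || UA || language || day."""
    msg = _encode((site_id, ip, user_agent, language, day.isoformat()))
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class PageviewRecord:
    """Everything that is persisted for one pageview: no IP, no UA, no stable ID."""
    site_id: str
    visitor_id: str
    country: str
    day: date


def record_pageview(store: SaltStore, site_id: str, ip: str, user_agent: str,
                    language: str, day: date) -> PageviewRecord:
    country = geolocate(ip)                       # IP used in memory for geolocation...
    vid = visitor_id(store.salt, site_id, ip, user_agent, language, day)  # ...and for the hash
    del ip                                        # then dropped; the record below never sees it
    return PageviewRecord(site_id=site_id, visitor_id=vid, country=country, day=day)


def truncate_last_octet(ip: str) -> str:
    """The IPv4 last-octet masking several authorities recommend, shown for comparison."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def demo() -> dict:
    """Exercise the linkability properties on constructed input and return them as booleans."""
    store = SaltStore()
    ua, lang = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", "fr-FR"
    d1, d2 = date(2025, 7, 4), date(2025, 7, 5)
    a = record_pageview(store, "site-A", "203.0.113.42", ua, lang, d1)
    a_again = record_pageview(store, "site-A", "203.0.113.42", ua, lang, d1)
    a_next_day = record_pageview(store, "site-A", "203.0.113.42", ua, lang, d2)
    b = record_pageview(store, "site-B", "203.0.113.42", ua, lang, d1)
    before = a.visitor_id
    store.rotate()                                # old salt is gone; 'before' can never be recomputed
    after = record_pageview(store, "site-A", "203.0.113.42", ua, lang, d1).visitor_id
    return {
        "same_day_same_site": a.visitor_id == a_again.visitor_id,
        "next_day_unlinkable": a.visitor_id != a_next_day.visitor_id,
        "cross_site_unlinkable": a.visitor_id != b.visitor_id,
        "rotation_unlinkable": before != after,
        "country": a.country,
        "persisted_fields": sorted(vars(a)),
    }


if __name__ == "__main__":
    print(demo())
```

Note the `del ip` is a statement of intent rather than a guarantee in Python (string objects live until garbage-collected); the property that matters is that the persisted record type has no field that could hold the IP.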
What we never collect
- IP address (used in memory for geolocation and the visitor hash, then discarded).
- Emails, names, user identifiers.
- Browser fingerprint (canvas, audio, fonts, WebGL).
- Advertising IDs (IDFA, AAID).
- GPS coordinates.
- Form contents.
- UTM parameters, campaign identifiers.
- Unified reach, cohorts, cross-site funnels.
EU sovereignty
No transfer outside the EU. No US dependency. The solution is not affected by the Schrems II case-law or by the EU-US Data Privacy Framework adequacy decision of 10 July 2023.
- Hosting: Clever Cloud SAS (headquarters: Nantes, France) — datacenters in France (Paris and Roubaix regions). ISO/IEC 27001:2022 (certificate FR086307, 15 March 2024); Healthcare Data Hosting (HDS); ISO 9001.
- Geolocation: DB-IP, Eris Networks SAS, Perros-Guirec, France — static embedded file (no network call; MaxMind not used).
- AI: Mistral (France) for aggregated summaries and insights.
- Transactional email: Brevo (France).
- GDPR audit scans (public /audit page only, lead magnet): Scaleway SAS (headquarters Paris, France) — Serverless Jobs on FR (Paris DC2/DC3/DC5) and NL (Amsterdam) datacenters. ISO/IEC 27001 / 27017 / 27018, HDS, SecNumCloud (dedicated offers). NOT involved in the client audience measurement chain.
DB-IP sovereignty verification
The geolocation service used is operated by Eris Networks SAS, a French company registered with the National Business Register under SIREN 807 778 212 (SIRET 807 778 212 00025), VAT FR41 807 778 212, headquartered at 62 boulevard Jean Mermoz, 22700 Perros-Guirec, France (NAF code 63.11Z — Data processing, hosting and related activities). The footer of db-ip.com/about/ confirms this same address.
No US provider (MaxMind, Akamai) is involved in the IP → country / city resolution.
Your obligations as a publisher
Even without a banner, you remain responsible for:
- Privacy policy mention — state that you use wheremyflow for audience measurement, without cookie or tracker. Pre-filled template in the Compliance tab of the dashboard.
- Opt-out button or link — integrate into the privacy policy a clickable button or link "Refuse audience measurement" that runs the opt-out snippet provided by wheremyflow. Requirement common to every EU national framework; the technical implementation is your responsibility as the site publisher.
- Footer or legal mentions — a simple "Audience measurement by wheremyflow (cookie-free)" is sufficient.
- Right to erasure (GDPR art. 17) — if a visitor exercises their right to erasure, you can purge their data from the Compliance tab. Since we have no stable identifier, erasure works by deleting a time range.
Available documents
The Compliance tab of the dashboard provides:
- Pre-filled privacy mention template (multilingual EU).
- Self-assessment aligned with the CNIL framework of 4 July 2025 (transposable to the 4 other national frameworks since the criteria converge).
- Records of processing activities (publisher version, GDPR art. 30).
- DPA pre-filled with your site's domain, GDPR art. 28.
- Export and erasure procedure.
- Contact details of the DPO (dpo@wheremyflow.com) and the provider point of contact (contact@wheremyflow.com).
Consent exemption is claimed via self-assessment, as provided by every EU national framework in force. wheremyflow publishes this self-assessment and updates it on each regulatory change.