Plausible Analytics Data Processing Agreement

Thank you for using Plausible Analytics!

Plausible Analytics is a European company and our data infrastructure is based in Germany and subject to the EU’s strong data privacy laws. Processing and storing data in a secure, fair and transparent way is extremely important to us.

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between Plausible Analytics and the customer.

If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

This DPA applies to visitor data processed by Plausible Analytics on behalf of the customer in connection with the use of the service.

Definitions

  • “You” or “customer” refers to the company or organization that signs up to use Plausible Analytics to analyze website visitors.

  • In the course of providing the Plausible Analytics service to the customer pursuant to the agreement, Plausible Analytics may process visitor data on behalf of the customer.

  • In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679), and all other applicable laws relating to processing of visitor data and privacy that may exist in any relevant jurisdiction.

  • “data controller”, “data processor”, “data subject”, “personal data” and “processing” shall be interpreted in accordance with applicable Data Protection Legislation.

  • The parties agree that the customer is the data controller and that Plausible Analytics is its data processor in relation to visitor data that is processed in the course of providing the service.

Privacy and security of your visitor data

We take many measures to protect and secure your data through backups, redundancies and encryption. When you use our service to measure your website stats, Plausible Analytics will collect information about your visitors.

You entrust us with your site data and we take that trust to heart. You agree that Plausible Analytics may process your data as described in our data policy and only for that purpose.

You retain full ownership and control of your website data. We obtain no rights from you to your website data. We do not sell your data and only share it with trusted service providers where necessary to operate and provide the service.

Even though the purpose of Plausible Analytics is to measure website usage, this can be done without tracking, collecting or storing personal data that can be used to identify individuals, without using cookies and while respecting the privacy of your website visitors.

By using Plausible Analytics, all site measurement is carried out in an anonymous and privacy-friendly way. We minimize data collection in general. We measure only the most essential data points and nothing else.

We do not attempt to generate a device-persistent identifier. We do not use cookies, browser cache nor local storage. We do not store, retrieve nor extract anything from visitor devices.

Every HTTP request includes the IP address and User-Agent. We generate a daily changing identifier based on these inputs. To anonymize these data points and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random string used to calculate daily unique visitors. The raw IP address and User-Agent are never stored in logs, databases or on disk.

Old salts are deleted every 24 hours to prevent linking visitor information across days and to eliminate the possibility of reconstructing original data.
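
The daily identifier scheme described above, as an added example that is not Plausible Analytics' own code: it shows that repeat requests from one visitor collapse to one identifier within a day, and that no identifier carries over once the salt is rotated. HMAC-SHA-256, the 16-byte salt, the length-prefixed field framing, the truncation to 16 hex characters and all names are assumptions; the page specifies only hash(daily_salt + website_domain + ip_address + user_agent).

```python
import hashlib
import hmac
import secrets


class DailySaltStore:
    """Keeps only the current salt (assumed 16 random bytes)."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)

    def rotate(self):
        # Run once every 24 hours. The old salt is overwritten, never archived,
        # so yesterday's identifiers can no longer be recomputed or linked.
        self.salt = secrets.token_bytes(16)


def _frame(*fields):
    # Length-prefix each field so ("a.com", "1.2.3.4") and ("a.com1", ".2.3.4")
    # cannot produce the same hash input (assumption; the page shows plain "+").
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def visitor_id(salt, domain, ip, user_agent):
    # HMAC-SHA-256 keyed with the salt stands in for the page's hash().
    mac = hmac.new(salt, _frame(domain, ip, user_agent), hashlib.sha256)
    return mac.hexdigest()[:16]


# Constructed sample requests: (website_domain, ip_address, user_agent).
REQUESTS = [
    ("example.com", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("example.com", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("example.com", "198.51.100.2", "Mozilla/5.0 (Macintosh)"),
]


def uniques_and_overlap(store, requests):
    """Return (unique visitors today, identifiers shared with the next day)."""
    today = {visitor_id(store.salt, *r) for r in requests}
    store.rotate()
    tomorrow = {visitor_id(store.salt, *r) for r in requests}
    return len(today), len(today & tomorrow)


if __name__ == "__main__":
    print(uniques_and_overlap(DailySaltStore(), REQUESTS))
```
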

The group of data subjects affected includes end-users of the controller’s websites which use the service.

You can find more information in our publicly available data policy.

Organizational and technical security measures

All tracked data is secured, encrypted and hosted on renewable energy powered servers in Germany. Visitor data is processed and stored within the European Union on EU-owned infrastructure.

We use HTTPS in transit and strong hashing techniques. We apply strict firewall rules, private networking and secure backups. Passwords are hashed using bcrypt.

Plausible Analytics is open source software, allowing anyone to audit our code and understand how data is handled. This transparency increases trust and security.

More details are available on our security page.

Processor’s obligations with respect to the controller

  • Plausible Analytics processes visitor data only in accordance with documented instructions from the customer through the use of the service.

  • Plausible Analytics will notify the customer without undue delay if an instruction infringes applicable Data Protection Legislation.

  • Plausible Analytics ensures confidentiality of visitor data.

  • Authorized personnel may access visitor data where necessary to provide support, maintain the service and ensure security.

  • Plausible Analytics implements appropriate technical and organisational measures to protect visitor data.

  • Plausible Analytics uses subprocessors where necessary. These subprocessors are bound by data protection agreements and may process data only to provide the services Plausible Analytics has retained them for.

  • Plausible Analytics will notify the customer of changes to subprocessors via in-app notifications, email or blog. The customer may object and terminate the agreement if necessary.

  • Plausible Analytics will notify the customer of any data breach without undue delay (no later than 48 hours) and take appropriate mitigation steps.

  • Plausible Analytics processes data only on documented instructions and does not modify or delete data unless instructed or required by law.

  • Plausible Analytics assists the customer with data protection obligations and forwards data subject requests to the customer.

How we handle delete instructions

You can choose to delete your account and delete your site stats at any time.

All data will be permanently deleted without undue delay upon deletion. This action is irreversible.

Customer undertakings and Plausible Analytics assistance

  • Customer warrants that it has the necessary rights to provide visitor data for processing.

  • Customer is responsible for:

    1. determining lawfulness of processing
    2. providing privacy notices
    3. implementing safeguards
    4. notifying authorities where required

Liability and Indemnity

Each party indemnifies the other against claims arising from breaches of this DPA.

Duration and Termination

This DPA is effective as of October 21, 2020, replaces any previously agreed data processing agreement between you and Plausible Analytics, and may be updated from time to time.

Confidentiality obligations survive termination.

Acceptance

Use of the service constitutes acceptance of this DPA. No separate signature is required.

Contact Us

If you have questions about this DPA, contact us at privacy@plausible.io.


Last updated: March 2026
Clarifications only. No material changes to data processing.