GDPR Compliance
Last updated: March 18, 2026
1. Our Commitment to GDPR
StatOn is designed with privacy by design and privacy by default principles. We provide tools that may support your GDPR and broader data-protection workflows. However, your compliance with GDPR depends on how you configure and use the Service.
IMPORTANT DISCLAIMER: This page provides information about our approach to GDPR-related product controls. It does not constitute legal advice. Using StatOn does not automatically make you GDPR compliant. You are solely responsible for ensuring your own compliance with GDPR and all applicable data protection laws. We strongly recommend consulting with qualified legal counsel.
2. Roles Under GDPR
Under GDPR:
• YOU (the StatOn user) are the DATA CONTROLLER for personal data collected from your website visitors through the Service. As the controller, you determine the purposes and means of processing and bear primary responsibility for GDPR compliance.
• STATON is the DATA PROCESSOR. We process personal data solely on your behalf, according to your documented instructions, and for the purpose of providing the Service.
This distinction is critical. As the data controller, you bear the primary legal obligations under GDPR, including:
• Determining the legal basis for processing (Article 6);
• Providing transparency and information to data subjects (Articles 13-14);
• Responding to data subject rights requests (Articles 15-22);
• Conducting data protection impact assessments (Article 35);
• Reporting data breaches to supervisory authorities (Article 33);
• Ensuring lawful international data transfers (Chapter V).
3. Privacy Modes and GDPR
We describe three public privacy modes to help you configure data collection according to your needs:
**Cookieless Mode:**
• No personal data collected;
• No cookies or tracking technologies;
• No IP addresses stored;
• Only anonymized, aggregated statistics;
• May not require consent under GDPR/ePrivacy (consult your legal counsel).
**Balanced Mode:**
• Operates in Cookieless mode by default;
• Collects additional data only after visitor provides explicit consent;
• Provides consent banner integration;
• Designed to align with consent-based analytics setups.
**Strict EU Mode:**
• No analytics collection before consent;
• Consent-first analytics behavior;
• Intended for stricter privacy setups.
DISCLAIMER: Selecting any public privacy mode does not guarantee GDPR compliance. Compliance depends on many factors beyond the analytics tool, including your overall data processing activities, privacy policy, consent mechanisms, and organizational measures. You must independently assess and ensure your compliance.
4. Data Processing Agreement
As required by Article 28 of GDPR, we provide a Data Processing Agreement (DPA) that governs our processing of personal data on your behalf. The DPA is incorporated into our Terms of Service and covers:
• Subject matter and duration of processing;
• Nature and purpose of processing;
• Types of personal data and categories of data subjects;
• Obligations and rights of the controller;
• Security measures (Article 32);
• Sub-processor management;
• Assistance with data subject rights;
• Data breach notification;
• Data deletion upon termination;
• Audit rights.
5. Technical and Organizational Measures
In accordance with Article 32 of GDPR, we implement appropriate technical and organizational measures, including:
• AES-256 encryption of sensitive data at rest;
• AES-256 encryption of user email addresses at rest;
• TLS encryption of data in transit;
• Access controls for administrative and support operations;
• Regular security assessments;
• Employee confidentiality agreements;
• Data minimization through privacy mode options.
Additionally, the Service implements a restricted access policy by default as a key privacy measure. Sensitive visitor data may be encrypted using AES-256 on our servers, and, independently of that encryption, our internal policies strictly prohibit access to your analytics data without your explicit permission. Our personnel may access your data only with your direct authorization, expressed by activating the "Grant Support Access" function in the Service interface. By activating this function, you authorize our support team to view analytics data for troubleshooting purposes. We guarantee that such access is granted only to authorized personnel and is limited to the period during which you maintain the access authorization.
These measures are designed to ensure a level of security appropriate to the risk. However, we cannot guarantee absolute security, and these measures are provided "as is" without warranty.
6. Data Subject Rights
GDPR provides data subjects (your website visitors) with various rights. As the data controller, YOU are responsible for facilitating these rights. We will assist you to the extent technically feasible:
• Right of access (Article 15);
• Right to rectification (Article 16);
• Right to erasure (Article 17);
• Right to restriction of processing (Article 18);
• Right to data portability (Article 20);
• Right to object (Article 21);
• Rights related to automated decision-making (Article 22).
If we receive a data subject request directly, we will redirect it to you unless legally required to respond directly.
7. International Data Transfers
Data may be processed in one or more jurisdictions used by the Service operator and its infrastructure or support providers. Where transfers outside your jurisdiction are necessary, we apply appropriate contractual or organizational safeguards where required by applicable law.
You acknowledge that certain aspects of internet infrastructure may involve data transiting through various jurisdictions, which is outside our control.
8. Data Breach Procedures
In accordance with Articles 33-34 of GDPR:
• We will notify you of personal data breaches without undue delay;
• We will provide information to assist your assessment of the breach;
• YOU are responsible for determining whether to notify the supervisory authority (within 72 hours as required by Article 33) and affected data subjects (as required by Article 34);
• YOU bear all costs and responsibilities associated with breach notifications and remediation, except where the incident was caused by gross negligence on our part.
Our notification to you is for informational purposes and does not constitute an admission of fault, liability, or breach of our obligations.
9. Records of Processing Activities
In accordance with Article 30 of GDPR, we maintain records of processing activities carried out on behalf of controllers, including categories of processing, descriptions of security measures, and relevant sub-processors.
10. Data Protection Officer
If required by applicable law, you may contact us regarding our data protection practices at support@staton.app.
11. Disclaimer of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW:
• We are NOT liable for your failure to comply with GDPR or any other data protection law;
• We are NOT liable for fines, penalties, or sanctions imposed on you by any supervisory authority;
• We are NOT liable for claims brought against you by data subjects;
• We are NOT liable for your failure to obtain proper consents, provide adequate notices, or respond to data subject requests;
• We do NOT guarantee that use of the Service in any mode will result in GDPR compliance;
• Our total liability is limited as set forth in our Terms of Service.
You agree to indemnify us against any claims, fines, or costs arising from your failure to comply with GDPR or your misuse of the Service.
12. Contact
For GDPR-related inquiries, please contact us at support@staton.app.