Privacy & Compliance
Rich Statistics is designed from the ground up to be compliant with GDPR, CCPA, and ePrivacy regulations without requiring a consent banner. This page explains exactly what data is collected, what is not, and how to verify our claims.
Data collected
| Data point | Example stored value | How it is derived |
|---|---|---|
| Page path | /blog/my-post/ | URL path only — no domain, no fragment. Query params >40 chars or resembling emails are stripped. |
| Session UUID | f47ac10b-58cc-… | Random UUID generated in sessionStorage. Dies when the tab is closed. Used only to deduplicate rapid repeat views within one session. |
| Referrer domain | google.com | Domain only — path and query stripped immediately on the server. (direct) if no referrer. |
| UTM parameters | utm_source=newsletter | Standard UTM values from the query string if present. |
| Browser name & version | Chrome 120 | Parsed from the User-Agent string server-side. The raw UA string is not stored. |
| Operating system | Windows | Parsed from UA string. |
| Screen resolution | 1920×1080 | Reported by screen.width/screen.height in JavaScript. |
| Scroll depth (Premium) | 72.4% | Maximum scroll percentage during the session. |
| Click coordinate (Premium) | x: 48.2%, y: 31.9% | Percentage of page width/height at click point. No absolute pixels, no element ID stored unless it is a stable semantic ID. |
| Timestamp | 2025-01-15 14:32:00 | Server time at ingest. |
Data NOT collected
| Data point | Why it is not collected |
|---|---|
| IP address | REMOTE_ADDR is never read or passed to any function. Verified by grep audit. |
| Cookies of any kind | Zero calls to setcookie(), wp_set_auth_cookie(), or any cookie API. Verified by grep audit. |
| Canvas or font fingerprint | The JavaScript layer measures browser capabilities via documented APIs only (webdriver flag, screen size, navigator.plugins). It does not render canvas elements or measure font metrics. |
| Email addresses | URL sanitization strips any query parameter whose value looks like an email address before storage. |
| Long query parameters | Query parameters longer than 40 characters (e.g., session tokens, JWT fragments) are stripped before storage. |
| Cross-session identity | Session UUIDs are in sessionStorage, not localStorage or cookies, so they cannot be used to track a visitor across sessions or devices. |
Third-party data sharing
Rich Statistics shares zero data with third parties. All data is stored in your own WordPress database. The plugin makes no outbound HTTP requests except:
- Freemius license verification — if you have a Premium license. This sends only: your site URL, WordPress version, PHP version, and license key. No analytics data.
- Scheduled email reports — sent to the address you configure, via your own site's server.
GDPR compliance notes
- Legal basis: Because no personal data is collected, processing falls under legitimate interest (website operation analytics) and does not require consent in most jurisdictions.
- Data subject rights: There is no user ID or persistent identifier, so there is no data tied to a specific person to retrieve, correct, or delete.
- Data Protection Officer: Because no personal data is processed, appointment of a DPO solely for analytics is not required under Article 37 GDPR.
- Data transfers: All data stays on your server. No international data transfers occur through this plugin.
This page provides technical information, not legal advice. Consult your own legal counsel to confirm compliance obligations in your jurisdiction.
Self-audit commands
Run these on your plugin installation to verify the privacy properties yourself:
# Verify: no IP address is ever read
grep -rn "REMOTE_ADDR\|HTTP_X_FORWARDED" includes/ assets/
# Verify: no cookies are ever set
grep -rn "setcookie\|_COOKIE\|wp_set_auth_cookie" includes/ assets/
# Verify: no external HTTP calls from the tracker
grep -rn "wp_remote_get\|wp_remote_post\|file_get_contents" includes/class-tracker.php
All three commands should return zero matches.
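The three checks above wrapped in one pass/fail script, as an added example that is not part of the plugin; the function names rsa_check and rsa_privacy_audit are hypothetical. It also treats a grep error, such as running from the wrong directory, as a failure instead of reading it as zero matches.

```shell
#!/bin/sh
# Added example, not shipped with the plugin. Function names are hypothetical;
# the grep patterns and paths are the ones listed on this page.

# rsa_check LABEL PATTERN PATH...
# Returns 0 if grep finds nothing, 1 on any match, 2 if grep itself failed
# (e.g. a path is missing), so an unreadable tree is never reported as clean.
rsa_check() {
    label=$1; pattern=$2; shift 2
    matches=$(grep -rn -- "$pattern" "$@" 2>&1) && st=0 || st=$?
    case $st in
        0) printf 'FAIL   %s\n%s\n' "$label" "$matches"; return 1 ;;
        1) printf 'PASS   %s\n' "$label"; return 0 ;;
        *) printf 'ERROR  %s\n%s\n' "$label" "$matches"; return 2 ;;
    esac
}

# rsa_privacy_audit [PLUGIN_DIR]
# Runs all three checks from the plugin root; returns 0 only if every check passes.
# The body is a subshell so the cd does not leak into the caller.
rsa_privacy_audit() (
    cd "${1:-.}" || exit 2
    rc=0
    rsa_check "no IP address read" \
        'REMOTE_ADDR\|HTTP_X_FORWARDED' includes/ assets/ || rc=1
    rsa_check "no cookies set" \
        'setcookie\|_COOKIE\|wp_set_auth_cookie' includes/ assets/ || rc=1
    rsa_check "no external HTTP calls from the tracker" \
        'wp_remote_get\|wp_remote_post\|file_get_contents' \
        includes/class-tracker.php || rc=1
    exit "$rc"
)

# When run as a script with a directory argument, audit it and exit with the result.
if [ "$#" -gt 0 ]; then
    rsa_privacy_audit "$1"
fi
```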
Data deletion
To delete all collected analytics data:
- Selective pruning: Use wp rsa prune --days=0 to delete all rows immediately while keeping the plugin active.
- Full removal: Enable Delete all data on uninstall in Data Settings and then deactivate and delete the plugin. All four database tables and all rsa_* options will be removed.