GDPR Compliance & Privacy

---

• Privacy-friendly analytics
• What data does Masslytics collect?
• Cookies and tracking
• GDPR compliance
• Legal basis
• Data storage and retention
• Masslytics’ role under GDPR
• Your privacy policy
• Data Processing Agreement
• Opt-out and DSAR

Below you will find an explanation of how Masslytics protects privacy and complies with the GDPR.

Privacy-friendly analytics

At Masslytics, we take data protection and privacy seriously.
Masslytics is designed to provide analytics for mass media campaign measurement in a privacy-friendly way, without collecting personal or identifiable data such as IP addresses or cookies.

What data does Masslytics collect?

When a visitor loads a page with the Masslytics script installed, we collect:

• Referrer URL (previous page)
• Current page URL
• Date and time of pageview
• A random, non-persistent session ID (valid only for the current session)

We do not collect:

• IP addresses
• Cookies or browser storage data
• Email addresses or any personally identifying information
• Persistent or cross-site identifiers

Cookies and tracking

Masslytics does not use cookies, browser storage, or device-level identifiers, and does not track users across websites or sessions.
This means you are not required to obtain cookie consent from visitors for using Masslytics.

GDPR compliance

Some metadata collected (like referrer and session ID) could be considered pseudonymous personal data under GDPR.
Masslytics therefore applies GDPR safeguards and fully complies with the principles of data minimization and transparency.

Legal basis

Masslytics processes data based on Legitimate Interest (Art. 6(1)(f) GDPR):

• Advertisers have a legitimate interest in measuring the performance of their mass media campaigns.
• Masslytics has a legitimate interest in maintaining and improving its platform.

Because the data is minimal, no opt-in consent is required.
However, we recommend mentioning Masslytics in your website privacy policy.

Data storage and retention

All data is stored securely on servers in Germany (EU).
We do not use sub-processors or third parties.
Data is retained for a maximum of 12 months before being automatically deleted.
We never share or sell data to third parties.

Masslytics’ role under GDPR

Masslytics acts as both:

• Data processor when collecting and processing data on behalf of customers (advertisers).
• Data controller when using aggregated, non-identifiable data to improve the platform and generate benchmarks.

This dual role is documented in our Data Processing Agreement (DPA).

Your privacy policy

You do not need to ask for cookie consent.
However, your website’s privacy policy should mention Masslytics, explaining:

• That you use Masslytics analytics
• That browser metadata is collected
• That it is used for radio campaign performance analysis
• That the legal basis is legitimate interest

We provide a ready-to-use privacy policy paragraph on request - contact our support team for this.

Data Processing Agreement

We provide a standard Data Processing Agreement (DPA) to all customers.
You can request a copy or sign it digitally through your account manager or onboarding flow.

Opt-out and DSAR

Masslytics does not identify individual visitors and does not offer individual opt-out links.
If a user submits a Data Subject Access Request (DSAR), we can remove any session-level data if you provide enough identifying information to locate it.
Contact our support team for instructions.