Corbacount
Join waitlist

Privacy Policy

Last updated: June 28, 2026

Corbacount is operated by Corbata, registered in the Netherlands. This document explains, in plain language, what data we collect, why we collect it, where it lives, and what rights you have over it under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Two kinds of users

Corbacount has two groups of users whose data we handle differently:

  • Customers - people who sign up for an account to track their own websites.
  • Visitors of customer websites - the people whose pageviews Corbacount counts on behalf of our customers.

For visitors of customer websites we act as a data processor on behalf of our customer (the data controller). For our own customers we are the data controller.

2. Customer data we collect

When you sign up for an account, we collect:

  • Email address.
  • Name (as you provide).
  • Password (stored as a salted bcrypt hash - we never see the plaintext).
  • IP address and user-agent string of the device that signed up, for abuse prevention.
  • Two-factor secret and passkey credentials, if you enable them.

3. Visitor data we collect for our customers

When you embed the Corbacount tracker on your site, for each pageview we receive:

  • Page URL and page title.
  • Referrer URL.
  • UTM tags (source, medium, campaign, term, content), when present in the URL.
  • IP address (used to derive country via MaxMind GeoLite2, then discarded - we do not store the raw IP).
  • User-agent string (used to derive browser, OS and device type).
  • Screen resolution and preferred language.
  • A first-party visitor identifier (_cc_vid cookie) and a light browser fingerprint (timezone + language + screen size + platform hashed together), used to recognise returning visitors and stitch sessions.
  • Core Web Vitals (LCP, INP, CLS) for the page, where the browser reports them.

We do not collect: precise location, email addresses, names, mouse movements, scroll heatmaps, form contents, cross-site identifiers, or any data tied to the visitor's real-world identity.

4. Why we use the data

  • Customer data: to provide the service - log you in, send important account emails, recover access if you forget your password.
  • Visitor data: to compute the analytics dashboards our customers see (traffic counts, source attribution, country distribution, performance metrics, goals).
  • Aggregated metrics: we may use anonymous aggregate counters (e.g. "X million pageviews processed today") for our own operations and marketing.

5. Where your data lives

All data - customer data, visitor data, backups - is stored on servers physically located in Germany, inside the European Union. Germany applies both the GDPR and the German Federal Data Protection Act (BDSG), which together form one of the strictest data protection regimes in the world. Your data never leaves the EU.

6. Sub-processors

To operate the service we share some data with the following sub-processors:

  • MaxMind (GeoLite2 database, used locally) - to translate IPs into country codes. The database is downloaded to our servers; no per-visitor lookup leaves the EU.
  • Pusher (channels service) - to push real-time visitor events to logged-in customer dashboards. Only the anonymised visitor identifier and minimal pageview metadata cross the wire.
  • DataForSEO - SEO data provider. When a customer enables SEO features, we send only the customer's own domain name (no visitor data) to retrieve backlinks, anchors and ranked keywords.
  • Google Search Console - when a customer connects their Search Console property, Google sends us aggregated query stats for that property. Visitor data is never sent to Google.

We will update this list before adding any new sub-processor that has access to personal data.

7. Cookies and similar storage

On websites that embed the Corbacount tracker, we set a single first-party cookie called _cc_vid. It contains a random UUID, expires after 365 days, is marked SameSite=Lax, and is only readable on the customer's own domain. It is used solely to recognise returning visitors and stitch the same visitor's pageviews into one session.

On the Corbacount website itself we use one session cookie required by the framework to keep you logged in and one cookie to remember your dark/light theme. We do not use third-party advertising or tracking cookies anywhere.

8. How long we keep your data

  • Raw pageviews: 90 days from the moment of capture, then automatically purged once they have been rolled into pre-aggregated daily and hourly counts.
  • Aggregated stats (daily, hourly, per-page, per-country, per-browser etc.): kept for as long as the customer's account is active.
  • Customer account data: kept while the account is active, plus up to 30 days after deletion to allow for accidental recovery.

9. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data deleted ("right to be forgotten").
  • Receive an export of your data in a portable format.
  • Restrict or object to processing.
  • Lodge a complaint with a supervisory authority - for example the Dutch Autoriteit Persoonsgegevens, or the German Bundesbeauftragte fur den Datenschutz und die Informationsfreiheit (BfDI) given where the data lives.

To exercise any of these rights, email info@corbata.nl. We will respond within 30 days.

10. Security

Customer passwords are stored as bcrypt hashes. The connection between your browser and Corbacount is encrypted with TLS. We support two-factor authentication and passkeys. Backups are encrypted at rest. Access to production data is limited to a small set of operators who are bound by confidentiality.

11. Children

Corbacount is not intended for use by children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy. The "Last updated" date at the top always reflects the most recent revision. Material changes are announced by email to active customers at least 14 days before they take effect.

13. Contact

For any privacy question, data request or complaint: info@corbata.nl.

Back to home