If you are evaluating us as a vendor, this page answers the questions your DPO will ask. No certifications we do not hold, no vague promises - just what we do, where the data sits, and who can touch it.
Per pageview we keep the page URL and title, the referrer, UTM tags, the derived country, browser, OS and device type, screen resolution, preferred language and Core Web Vitals. That is it - the full list is in our privacy policy.
The visitor's IP is used once, on our own servers, to derive a country code from a local MaxMind GeoLite2 database - then it is discarded. The raw IP is never written to disk and never leaves the EU.
A single _cc_vid cookie containing a random UUID, set on the customer's own domain, expiring after 365 days. It only stitches one visitor's pageviews into a session on that one site. No cross-site profiles, no ad networks, no data sold or shared for advertising - ever. More on what that means for consent on our cookie banner page.
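As an added illustration of the three points above (example code, not Corbacount's own), a Python beacon handler that keeps only the listed pageview fields, consumes the client IP for a country lookup without ever copying it into the stored record, and reuses or mints the _cc_vid visitor id; the `country_of` callable stands in for the local GeoLite2 lookup, and the cookie attributes beyond name and lifetime are assumptions.

```python
import uuid
from typing import Any, Callable, Mapping, Optional

# Per-pageview fields the page says are retained; any other beacon key is dropped.
KEPT_FIELDS = ("url", "title", "referrer", "utm", "browser", "os", "device",
               "screen", "lang", "web_vitals")
COOKIE_NAME = "_cc_vid"
COOKIE_MAX_AGE = 365 * 24 * 3600  # 365 days, as stated on the page

def build_pageview(beacon: Mapping[str, Any], client_ip: str,
                   cookies: Mapping[str, str],
                   country_of: Callable[[str], Optional[str]]) -> dict:
    """Turn an incoming beacon into the record that gets stored.

    `country_of` is a hypothetical stand-in for a local GeoLite2 lookup (with the
    real `maxminddb` package it would wrap `reader.get(ip)["country"]["iso_code"]`).
    The IP is consumed here for the lookup and never placed in the record.
    """
    record = {k: beacon[k] for k in KEPT_FIELDS if k in beacon}  # allowlist, not denylist
    record["country"] = country_of(client_ip)
    # An existing visitor id is reused; otherwise a fresh random UUID is minted.
    record["vid"] = cookies.get(COOKIE_NAME) or str(uuid.uuid4())
    return record

def set_cookie_header(vid: str) -> str:
    """Set-Cookie value for the visitor id. Name and lifetime come from the page;
    Path/Secure/SameSite are assumed attributes a TLS-only service would set."""
    return f"{COOKIE_NAME}={vid}; Max-Age={COOKIE_MAX_AGE}; Path=/; Secure; SameSite=Lax"

def is_minimised(record: Mapping[str, Any]) -> bool:
    """True when nothing beyond the allowlist plus country and vid is stored."""
    return set(record) <= set(KEPT_FIELDS) | {"country", "vid"}

# Constructed sample input (not real traffic) so the block runs stand-alone.
SAMPLE_BEACON = {"url": "https://example.com/pricing", "title": "Pricing",
                 "referrer": "https://duckduckgo.com/", "utm": {"utm_source": "newsletter"},
                 "browser": "Firefox", "os": "Linux", "device": "desktop",
                 "screen": "1920x1080", "lang": "de-DE",
                 "web_vitals": {"LCP": 1200, "CLS": 0.02, "INP": 80},
                 "ip": "203.0.113.7", "email": "leaked@example.com"}  # both must be dropped
SAMPLE_GEO = {"203.0.113.7": "DE"}  # constructed stand-in for the GeoLite2 database

if __name__ == "__main__":
    rec = build_pageview(SAMPLE_BEACON, "203.0.113.7", {}, SAMPLE_GEO.get)
    print(rec, is_minimised(rec), set_cookie_header(rec["vid"]))
```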
Everything - customer data, visitor data, backups - lives on servers physically located in Germany, inside the European Union. Germany applies both the GDPR and the German Federal Data Protection Act (BDSG), one of the strictest data protection regimes in the world. Your data never leaves the EU. There is no US cloud region, no "EU-ish" CDN edge node, no exception.
Every connection - from the tracking beacon on your site to the dashboard in your browser - is encrypted with TLS 1.3. Plain HTTP is not served.
Passwords are stored as salted bcrypt hashes - we never see the plaintext. Two-factor authentication and passkeys are supported on every account.
Backups are encrypted at rest and stored in Germany alongside the primary data, under the same EU-only rule.
Access to production data is limited to a small set of operators bound by confidentiality. Corbacount is run by a small team - meet us on the about page - which means a short, auditable list of people who can touch your data.
This list mirrors our privacy policy and is updated before any new sub-processor with access to personal data is added.
GeoLite2 database, used locally to translate IPs into country codes. The database is downloaded to our servers; no per-visitor lookup leaves the EU.
Channels service that pushes real-time visitor events to logged-in customer dashboards. Only the anonymised visitor identifier and minimal pageview metadata cross the wire.
SEO data provider. When a customer enables SEO features, we send only the customer's own domain name - no visitor data - to retrieve backlinks, anchors and ranked keywords.
When a customer connects their own Search Console property, Google sends us aggregated query stats for that property. Visitor data is never sent to Google.
Raw pageviews are kept for 90 days, then automatically purged once they have been rolled into pre-aggregated daily and hourly counts. Aggregated stats are kept for as long as your account is active. Customer account data is deleted within 30 days of account deletion.
Yes. For visitors of your website you are the data controller and Corbacount acts as your data processor - that split is spelled out in the privacy policy. A data processing agreement covering this relationship, including the sub-processor list above, is available on request: ask via the contact page and we will send it over.
No, and we will not pretend otherwise. Corbacount is a small pre-launch product, and a certification audit at this stage would be theatre. What we offer instead is radical transparency: this page, the privacy policy and the small amount of data we collect are all verifiable from the outside. If your procurement process strictly requires a certification, we are honestly not the right vendor yet.
If you believe you have found a vulnerability in Corbacount, please tell us before telling anyone else. Send the details through the contact page - a real human reads it, and we will acknowledge your report within one business day. We ask that you give us reasonable time to fix the issue before public disclosure, and in return we will keep you informed, credit you if you want to be credited, and never threaten legal action over a good-faith report.
Send them over - security and privacy questions get the same one-business-day reply as everything else.