Our GDPR posture, in plain language.
A reference for Data Protection Officers and procurement teams. The formal DPA is provided on request and is authoritative.
Last reviewed: 2026-04-16
Roles
Visitorscheck acts as a processor on behalf of each customer, who is the controller of the data they collect through the script on their own website.
Data categories
Observed: IP address, User-Agent, Referrer, URL path, timestamp, UTM params.
Derived: company name, domain, sector, country, company size band.
Not collected: names, emails, phone numbers, device fingerprints, cookies.
Legal basis
Legitimate Interest (Art. 6(1)(f)). A Legitimate Interests Assessment (LIA) is available on request. Residential IPs are excluded before enrichment to keep the balancing test on the B2B side.
Data location
All infrastructure is in the EU (Hetzner Nuremberg, AWS eu-west-1). No transfers to third countries.
Sub-processors
MaxMind (GeoIP), IPinfo (enrichment), Hetzner/AWS (hosting), Stripe (billing), Postmark (transactional email). 30-day notice on changes.
Rights requests
End-users' rights (access, rectification, erasure) are fulfilled via the customer as controller; we respond to customer-forwarded requests within 5 business days.
Breach notification
Customers are notified within 24 hours of a confirmed breach. We maintain an incident register and a quarterly DPIA review.
This document is a plain-language summary maintained by Allround Web. The authoritative legal text is being finalised with counsel for launch — if anything here is material to your decision to use Visitorscheck, please reach out and we'll share the draft.