Initializing
Last updated: February 11, 2026
Pixli is designed to help website owners collect analytics data without the privacy headaches that come with traditional tools. This page explains how Pixli aligns with the General Data Protection Regulation (GDPR) and what it means for you and your website visitors.
Under GDPR and the ePrivacy Directive, cookie consent banners are required when you store or access information on a user's device (cookies, localStorage, etc.) for non-essential purposes.
Pixli does not set any cookies, does not use localStorage or sessionStorage, and does not store any information on the visitor's device. Sessions are resolved entirely server-side using a hash of the visitor's IP address and user agent.
Because Pixli does not access or store information on the visitor's device, a cookie consent banner is not required for Pixli analytics under current GDPR and ePrivacy guidance.
Note: You may still need a cookie banner if other tools on your website set cookies (advertising scripts, chat widgets, etc.). Pixli only removes the analytics-related consent requirement.
Pixli processes visitor data under Article 6(1)(f) — legitimate interest. Website analytics is a legitimate interest for website operators, and Pixli's privacy-by-design approach ensures the impact on visitors' rights is minimal:
This means you do not need to obtain visitor consent for Pixli analytics. However, you should still disclose the use of analytics in your privacy policy.
| GDPR principle | How Pixli implements it |
|---|---|
| Data minimization (Art. 5(1)(c)) | Only collects data necessary for analytics. No PII collected by default. |
| Purpose limitation (Art. 5(1)(b)) | Data used exclusively for analytics. Never shared with third parties or used for advertising. |
| Storage limitation (Art. 5(1)(e)) | Data retention is plan-dependent (3-5 years). Session recordings expire after 30-365 days. |
| Integrity & confidentiality (Art. 5(1)(f)) | Encryption in transit (TLS), IP hashing, PII masking in recordings, restricted database access. |
| Privacy by design (Art. 25) | No cookies, IP hashing, automatic PII masking — privacy is the default, not an option. |
IP addresses are considered personal data under GDPR. Here is how Pixli handles them:
Session recordings capture DOM interactions and may contain personal data visible on the page. Pixli mitigates this through automatic masking:
data-pixli-mask attribute are fully maskedAs the data controller, you should also review your pages for sensitive content and add the data-pixli-mask attribute where needed.
GDPR grants data subjects several rights (Articles 15-22). Due to Pixli's privacy-by-design approach, most of these rights are effectively self-fulfilling:
| Right | Pixli approach |
|---|---|
| Right of access (Art. 15) | Since no direct identifiers are stored, it is typically impossible to locate a specific individual's data in the dataset. |
| Right to erasure (Art. 17) | No identifiable personal data is retained. IP is hashed and the hash changes daily. |
| Right to portability (Art. 20) | Analytics data belongs to the website owner (Controller), who can export it at any time. |
| Right to object (Art. 21) | Visitors can use browser extensions or ad blockers to prevent the Pixli script from loading. |
| Right to restriction (Art. 18) | The Controller can pause or delete analytics collection at any time via the dashboard. |
If a data subject contacts you with a request related to Pixli analytics, contact us at [email protected] and we will assist you.
Under GDPR Article 28, a Data Processing Agreement (DPA) is required between the Controller (you) and the Processor (Pixli). Our DPA is incorporated into our Terms of Service and applies automatically when you use Pixli.
You can read the full DPA at pixli.io/dpa.
Pixli stores and processes data primarily within the European Union. Where sub-processors are located outside the EU, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
| Aspect | Pixli | Google Analytics | Typical analytics |
|---|---|---|---|
| Cookies | None | 7+ cookies | 1-5 cookies |
| Cookie banner needed | No | Yes | Yes |
| IP handling | Hashed, never stored | Processed by Google | Usually logged |
| Data location | EU | US/Global | Varies |
| Cross-site tracking | No | Yes (Google ecosystem) | Varies |
| Consent required | No (legitimate interest) | Yes | Usually yes |
| DPA available | Yes (automatic) | Yes | Varies |
Even though Pixli does not require cookie consent, GDPR still requires transparency. We recommend adding a section like this to your website's privacy policy:
"We use Pixli for web analytics. Pixli does not use cookies and does not collect personal data. IP addresses are hashed and never stored in raw form. Analytics data is processed on EU-based infrastructure. For more information, see pixli.io/privacy."
For GDPR-related questions, data processing inquiries, or to request our DPA in a signed format, contact us at [email protected].