After the IMY ruling
GA4 is no longer lawful.
We are.
After the 2023 ruling from the Swedish data protection authority (IMY), Google Analytics is no longer an option for companies that take GDPR seriously. Spårlös is built specifically for this gap. EU-hosted, no US transfers, a DPA in 30 seconds, sub-processors listed openly.
A DPA under GDPR Art. 28, pre-filled. Send it straight to your compliance team.
What IMY actually said
In the summer of 2023, the Swedish data protection authority (IMY) published its rulings against four companies that used Google Analytics. The conclusion: the transfer of personal data to the US via GA4 violates GDPR.
This is no longer a gray area. It is not a "keep an eye on this". It is a binding authority ruling that obliges companies not to use GA4 in its current form, with or without IP anonymization, with or without a consent banner.
For B2B companies with EU customers, mid-size firms and anyone with procurement officers who read the GDPR assessment, this is no longer a technical question. It is a legal position. The same logic applies across the EU after Schrems II, not only in Sweden.
We are built for this
Not a bolt-on consent banner. Not a "you can turn off Google Signals" trick. Spårlös is an analytics tool whose entire architecture is made to pass Schrems II.
EU-hosted, no US transfer
All data is stored within the EU. No US sub-processors in the data path. No CDN edge nodes that drop data in the US. Swedish data center during 2026.
No cookies, no banner
We set no cookies, read no localStorage, do no fingerprinting. No cookie banner is required under ePrivacy. The visitor hash rotates daily.
A DPA under Art. 28
An auto-generated data processing agreement at signup. References applicable law, names us as the processor, lists sub-processors. PDF, download whenever you want.
IP discarded after the country lookup
The IP is used in memory for a second to resolve the country. Then it is released. Never persisted, never logged, never shared.
What we collect. And what we do not.
This is the table your DPO needs. We have no hidden telemetry, no tucked-away advertising pixel, no "advanced signals" mode to turn off.
Sub-processors, listed openly
Nothing hidden. Here is everything that touches your data, who and where.
The list is updated if we change provider. You are notified by email 30 days before a change takes effect. The full list is also in our DPA.
What Schrems II means for you
Schrems II is the 2020 ruling from the EU Court of Justice that invalidated Privacy Shield, the agreement that previously made it possible to transfer personal data to the US. Since then, transfers to the US are essentially disallowed without extensive "supplementary measures" that in practice rarely hold up to scrutiny.
GA4 sends pageview data through Google infrastructure that includes US-based edge nodes and processing systems. The EU Data Boundary mode helps on paper but has not been tested legally, and IMY has already ruled that it is not enough.
Spårlös sends your visitor data to a server in the EU. Full stop. No edge nodes in the US, no "data flow safeguards" to rely on. The data path is geographically simple: the visitor browser to our EU server. Done.
Bring something concrete to legal
Our DPA is pre-filled, references applicable law, lists sub-processors and defines us as the processor under GDPR Art. 28. Download it, email it to your DPO or procurement team, start the conversation with a document in hand.
No account required. We email nothing. Just a straight downloadable document.
Once legal approves: get started in 90 seconds
No card required at signup. A 14-day Pro trial is included automatically. Sub-processors listed the moment your account is created.