1. Who we are
Spårlös is a privacy-first web analytics service. Spårlös.se is the data controller for data about you as a customer. For data about your website visitors we are the data processor and you are the data controller.
2. What we collect about your visitors
As a data processor we collect the following for every pageview on your website:
- Timestamp
- Page URL and referrer
- Country (derived from the IP address in memory, the IP is dropped immediately)
- Browser, OS and device type (from the User-Agent string)
- Screen size and language
- UTM parameters (utm_source, utm_medium, utm_campaign)
- A daily-rotating hash of (IP + User-Agent + site ID + daily salt). The hash cannot be linked across days or across websites.
3. What we do NOT collect
- No cookies, no localStorage, no sessionStorage, no IndexedDB
- No browser fingerprinting (no canvas, audio, WebGL, font enumeration)
- No IP address is stored (used only in memory for the country lookup)
- No personal identifiers (email, name, user ID from your app)
- No precise geographic location (only a country code, never a city or coordinates)
- No cross-site tracking of the same visitor
- No cross-day tracking of the same visitor
3.1 Cookies on Spårlös' own website
Spårlös sets no cookies on the visitors of your website (that is the entire point of the service). On our own website we use exactly one cookie:
sparlos_session: an authentication cookie set when you log in. HttpOnly, Secure, SameSite=Lax. Removed when you log out. Required to keep you logged in. Strictly necessary under ePrivacy.
Your preferences for currency and color theme are stored in the browser's localStorage on your device and are never sent to our servers. They are therefore not cookies in the ePrivacy sense and require no consent.
4. Where data is stored
All data is stored within the EU in an ISO 27001-certified EU data center. We use no US subprocessors in the data path. Our managed account-data provider is SOC 2 Type II-certified and based within the EU. During 2026 we are migrating all data to a Swedish EU data center.
5. Data retention period
Standard data retention per plan: Hobby has a 7-day dashboard window (the underlying data is stored for up to 90 days), Starter 90 days, Pro 12 months (365 days). Custom customers can choose a tailored retention period. The database deletes old events automatically and irreversibly at the row level.
Account data (email, billing details) is kept as long as your subscription is active, plus an additional 36 months for accounting under the Swedish Bookkeeping Act.
6. Your rights (GDPR)
As a data subject you have the right to:
- Be informed about which data we process (Art. 15)
- Have incorrect data corrected (Art. 16)
- Have your data erased (Art. 17, the "right to be forgotten")
- Have the processing restricted (Art. 18)
- Receive the data in a portable format (Art. 20)
- Object to the processing (Art. 21)
Requests are sent to [email protected]. We respond within 30 days.
7. Complaints to IMY
If you believe we handle your data incorrectly, you can file a complaint with the Swedish data protection authority (IMY) at imy.se.
8. Contact
Questions about this policy: [email protected]. Postal mail: Spårlös AB, Address line, Postcode City.