Skip to main content

Snippet for privacy-notice

Privacy-First Tracking with Shoplytics® 

Why Privacy-First?

In e-commerce tracking, there is simply no benefit to identifying an individual visitor. Shoplytics thinks in traffic streams, not people. What drives decisions is understanding which channels, campaigns, and sources are delivering results — and for that, you need an anonymous mass of visitors, not personal profiles. There is no need to capture private information. So we don't.

 

How Privacy-First?

1. Shoplytics is invisible in your visitors' browser. Every script runs under your shop's own domain — not ours. Shoplytics never appears as a third party in your visitors' browser. As far as your visitors are concerned, they are interacting with you and only you. This means the data controller is unambiguously you — the shop operator. Not Shoplytics.

2. Only anonymized data. Always. No names, no emails, no personal details. Just anonymous signals — a visit, a click, a conversion — with nothing attached that could identify the person behind it.

3. Shoplytics is merely a moving company for data. We move data — from the browser, directly to your endpoints: Google Analytics, Google Ads, Meta, or whatever platforms you have connected. We pick it up, we deliver it, we leave no copy behind.

4. Shoplytics never saves, stores, or retains your data. Shoplytics manages anonymous data streams directly in the browser. No data is saved on Shoplytics servers. No data is retained. Nothing is written, logged, or preserved anywhere outside of the visitor's own browser session.

 

Who is the Data Controller?

You are. Always. Exclusively.

Because Shoplytics never appears in your visitors' browser, and all scripts run under your own domain, your shop is the data controller at every point in the process. Shoplytics is the infrastructure that makes data delivery reliable — nothing more. We are not a data controller. We do not appear as a third-party processor in the browser. The legal and compliance relationship is between your shop and your visitors, exactly as it should be.

 

What About Sensitive Data?

The only moment any transaction-related data briefly enters the picture is on the order confirmation page — where, with the customer's consent, a completed purchase is attributed to the correct marketing channel. Even here, Shoplytics captures, cleans, and forwards the data directly to your configured endpoints in real time. It is never written to a Shoplytics database, never logged, and never accessible to Shoplytics in any persistent form.

For businesses in sensitive sectors — including healthcare — this means no unnecessary data exposure, no compliance overhead beyond what your own platforms already require, and no additional risk surface introduced by a third party holding your customers' data.

 

Privacy Policy Template

The following template has been found helpful by customers in the past when documenting Shoplytics in their own privacy policies. Use it as a starting point — but make sure to review it with your legal counsel before publishing.

Use of the Shoplytics® Data Management Solution on this Website

IMPORTANT: This is not legal advice. This text must be reviewed by a data protection officer or legal adviser before publication.

 

Purpose and Functionality

This website uses Shoplytics®, a data management solution. Shoplytics® serves as the technical control layer for coordinating and managing various web-based functions — and, following explicit user consent, for activating analytics and marketing technologies such as Google Analytics, Google Ads, and Meta Pixel.

Shoplytics® is designed to ensure data-efficient, performance-optimised, and structured execution of these technologies. It supports in particular the privacy-compliant control of tracking and analytics scripts, load time optimisation through intelligent script management, a clear separation between technically necessary functions and those requiring consent, and the secure implementation of consent requirements.

 

Technical Operation and Data Handling

Shoplytics® operates as a technical control layer and does not store personal data on its own servers. Data is forwarded directly to your configured endpoints — Google Analytics, Google Ads, Meta, or any other connected platform — without being retained or saved at any point in the process. Network connections initiated by Shoplytics® serve primarily to load technical control resources such as configuration files and script logic. Tracking and marketing technologies are activated through Shoplytics® only following valid user consent.

Prior to consent, no analytics or marketing services are activated, no personal data is transmitted to external tracking providers, and no user profiling or behavioural analysis takes place. In particular, no IP address is transmitted to external tracking or marketing providers prior to consent. The Google Tag Manager is not loaded directly from Google servers, but exclusively through a technically controlled first-party proxy — for example via a subdomain such as stream.your-domain.com — enabling privacy-friendly integration within your own infrastructure.

 

Storage of Technical Information in the Browser

Shoplytics® stores technical state information in the visitor's browser localStorage — for example under the key "shoplytics_dsgvo_no_track". This information is used exclusively for managing consent status, technical control of script activation, bot detection, and load time optimisation. No personal data is stored in this process.

 

The initial loading of Shoplytics® takes place solely to perform technically necessary functions, in particular consent management, system stability, and the control of privacy-relevant processes. This is based on § 25 Para. 2 No. 2 TTDSG (strictly necessary for the provision of a telemedia service) and Art. 6 Para. 1 lit. f GDPR (legitimate interest in privacy-compliant, secure, and performance-optimised website operation). Activation of tracking, analytics, or marketing technologies takes place only following explicit consent under § 25 Para. 1 TTDSG and Art. 6 Para. 1 lit. a GDPR.

 

Clear Separation: Technical Functions vs. Tracking

Shoplytics® handles both core technical functions and — following consent — the management of optional tracking services. Technically necessary functions requiring no consent include consent management and GDPR compliance, technical control of script activation, performance optimisation, and security and stability measures. Functions requiring consent — and technically blocked until consent is given — include Google Analytics 4, Google Ads Conversion Tracking, Meta Pixel and Meta CAPI, and any other configured marketing and analytics services.

 

Summary

The initial integration of Shoplytics® serves exclusively to implement technically necessary and privacy-relevant control functions and is therefore permissible without prior consent. Actual processing of personal data by analytics or marketing systems takes place only following explicit user consent via the consent banner. Users may withdraw consent at any time without any disadvantage in using the website. The use of Shoplytics® is fully compliant with the requirements of the GDPR and TTDSG.

 

Frequently Asked Questions

Is Google Analytics 4 used in Advanced Consent Mode? This is possible and recommended for improved data quality. The consent mode configuration depends on your individual setup.

Are Google Signals active? This depends on your Google Analytics configuration and should be reviewed with your analytics provider.

Is Google Analytics 4 used with cookies? This depends on your setup. Meaningful use without cookies is significantly limited.

Is server-side tracking in use? Yes, as part of a first-party setup via your own infrastructure — for example via stream.your-domain.com.

Are Enhanced Conversions used in Google Ads? This depends on your individual Google Ads configuration.

Is Meta CAPI used in server-side tracking? This depends on your individual setup and connected platforms.

Back to top