by sebsebsn 1613 days ago
It looks like this makes Fathom Analytics the only provider for website analytics that you can use if you don't want to maintain a locally hosted version of an open source product – which blows my mind. A small company is the only service that is able to comply with the rules while huge ones simply fail.

I assume that this regulation is also coming to other services soon and analytics isn't the only service that needs to be replaced when a business is in the EU and can't ignore these rules without risking fines. The team at Fathom wrote about alternatives for lots of services here: https://usefathom.com/blog/degoogle

2 comments

> A small company is the only service that is able to comply with the rules while huge ones simply fail.

I think all the big ones can comply, but gambled they would be able to come up with creative constructs to get around the requirements. Wrong play it would seem.

Fathom did the right thing: isolate by region. Which is handy for a lot more than complying with the GDPR.

Not the only provider, worth looking at Plausible.

https://plausible.io/

Nope, they use US providers. The servers are in the EU but the providers are US companies and that means that they aren’t GDPR compliant at all. This is exactly what Schrems II targets.
All site data plausible.io stores on behalf of the customers is hosted in Germany on servers owned by Hetzner, a European-owned company. Previously it was hosted by Digital Ocean in Germany but the move to Hetzner was made last year.

For our self-hosted version, you can install it with any cloud provider and in any country you wish. Even in the USA.

Can someone tell me if this is even true? Plausible doesn't save any GDPR related data as far as I know?

https://plausible.io/privacy-focused-web-analytics#no-person...

And the backend is hosted @ Hetzner in Germany

> All site data plausible.io stores on behalf of the customers is hosted in Germany on servers owned by Hetzner, a European-owned company. Previously it was hosted by Digital Ocean in Germany but the move to Hetzner was made last year.
That's written on their site, but isn't true:

https://imgur.com/a/9wEanqD

> All site data plausible.io stores on behalf of the customers is hosted in Germany on servers owned by Hetzner, a European-owned company. Previously it was hosted by Digital Ocean in Germany but the move to Hetzner was made last year.
By its very nature, an analytics product must process personal data.

Personal data is "any information relating to an identifiable individual" (see GDPR art 4(1)).

Your IP address, browser and OS (via user agent), the website you visited, the pages you visited, time of visit, the site you came from (via referrer) are all personal data.

If Plausible have put a US owned cloud provider in front of their Hetzner infrastructure, even if for a legitimate purpose (CDN, DDoS prevention), then that is likely an unlawful transfer of personal data to the USA.

>> Your IP address, browser and OS (via user agent), the website you visited, the pages you visited, time of visit, the site you came from (via referrer) are all personal data.

No. These are all not considered PII. Only the IP address in this list definitely is.

All other information with a wholly anonymized user would be considered by most interpretations to be ok. Often it depends on the context and presence of other meta-data on whether something is PII or not.

“PII” is not a term the EU or UK GDPR recognises. It may have a specific meaning in American law; but the GDPR definition of personal data is significantly broader.

It certainly includes the items I listed; particularly when linked to an identifier like an IP address.