AnalyticsCLI Privacy Policy

Last updated: May 6, 2026

1. Controller and contact

The controller for the processing described in this Privacy Policy is Wotaso GmbH, Bostonring 5, 71686 Remseck am Neckar, Germany ("AnalyticsCLI", "we", "us").

Email: contact@wotaso.com
Privacy contact: contact@wotaso.com
Data Protection Officer: No data protection officer has been appointed or published.

2. Scope of this Privacy Policy

This Privacy Policy applies to visitors of our landing page, users who create or use an AnalyticsCLI account, and business contacts who communicate with us regarding our services. It does not replace our customers' own privacy notices for data they collect through their apps or websites.

3. Core hosting in Germany

AnalyticsCLI currently stores analytics event data and related backups in Germany (EU). This is an analytics-data residency commitment, not full-data residency for every supporting service. Depending on configuration, we may additionally use supporting providers for authentication, bot protection, billing, monitoring, and content delivery. Those providers are listed below to the extent they are enabled in the live environment.

4. Website access logs and infrastructure security

When you visit our website, our servers and infrastructure components process connection and request metadata such as IP address, date and time, requested URL, referrer, user agent, and status code. We process this data to deliver the website, maintain stability and security, detect abuse, and investigate incidents.

Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is the secure and reliable provision of the website and our services.

5. Contact requests and business communications

If you contact us by email or through a business communication channel, we process your contact data, message content, and any related correspondence in order to answer your request, handle pre-contractual communication, and document business interactions.

Legal basis: Article 6(1)(b) GDPR where the request is pre-contractual or contractual, otherwise Article 6(1)(f) GDPR.

6. Account registration, sign-in, and tenant administration

If you create or use an AnalyticsCLI account, we process account and authentication data such as your email address, authentication identifiers, tenant membership, verification state, and account-related activity needed to provide access to the service.

Legal basis: Article 6(1)(b) GDPR for the provision of the requested service and Article 6(1)(f) GDPR for account security and fraud prevention.

7. CAPTCHA and abuse prevention

If bot protection is enabled on signup or checkout flows, we use Cloudflare Turnstile to distinguish legitimate user activity from abusive or automated access. In that context, technical request data may be processed by Cloudflare.

Legal basis: Article 6(1)(f) GDPR. Our legitimate interest is preventing fraud, spam, and attacks on our signup and checkout flows.

8. Billing and checkout

If paid plans are enabled and you start a checkout, billing-related data such as selected plan, transaction identifiers, subscription status, and payment-related metadata may be processed by us and by our billing provider Paddle. Payment card data is processed directly by the payment provider, not by us.

Legal basis: Article 6(1)(b) GDPR for contract performance and Article 6(1)(f) GDPR for fraud prevention, billing reconciliation, and enforcement of contractual claims.

9. Website analytics and attribution

We may use privacy-focused web analytics or our own analytics tooling to understand how visitors use the landing page and how signup flows perform. Optional website analytics are disabled until you consent in the privacy banner.

Where cookies, local storage, device identifiers, or similar technologies that are not strictly necessary are used, we activate them only after obtaining consent under Section 25 TDDDG and Article 6(1)(a) GDPR. Marketing attribution for landing UTM/referrer synchronization is kept in memory in the active browser runtime unless optional analytics consent is granted.

10. Local storage, cookies, and similar technologies

We use technically necessary browser storage for account continuation, login state handling, and similar functionality that you expressly request. Optional analytics or attribution storage is only intended to be activated if the relevant feature is enabled and any required consent has been obtained.

Legal basis for technically necessary storage: Section 25(2) TDDDG and, where personal data is processed, Article 6(1)(b) or Article 6(1)(f) GDPR.

11. Customer product data and processor role

For analytics data that our customers collect through their own apps, websites, SDK integrations, or APIs, our customers generally act as the controller and we generally act as a processor under Article 28 GDPR. The customer remains responsible for choosing an appropriate legal basis, providing end-user notices, obtaining consent where required, and concluding a data processing agreement with us where applicable.

For implementation guidance on SDK consent gating and identity settings, see our Tenant GDPR/DSGVO Guide.

12. Recipients and service providers

Depending on the live configuration, data may be processed by the following recipients:

  • Hetzner Online GmbH for core infrastructure hosting in Germany
  • Cloudflare, Inc. for DNS, reverse proxy, CDN, caching, edge network functions, and Turnstile bot protection where enabled in production
  • our self-hosted Better Auth service for account authentication and session management, running on our own infrastructure and using first-party cookies for the AnalyticsCLI account area
  • an external SMTP or transactional email provider for account verification and password reset emails, where such a provider is configured in the live environment
  • Paddle group entities, including Paddle.com Market Ltd., Paddle.com Inc., and Paddle Payments Ltd., for billing and checkout functions where paid plans are enabled
  • self-hosted GlitchTip/Sentry-compatible error monitoring where enabled

We currently self-host Plausible Analytics on our own infrastructure. Where Plausible is used in that self-hosted form, it does not add a separate external analytics recipient and is only loaded after optional analytics consent.

Our current production setup also uses Cloudflare for DNS and, in parts of the stack, proxy/CDN/caching functions. If personal data passes through those paths, Cloudflare is reflected in our vendor disclosures accordingly.

13. International data transfers

Our core hosting is in Germany. However, certain supporting vendors may process data outside the EU or EEA. Where that happens, we rely on an adequacy decision or other appropriate safeguards under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses, together with any supplementary measures required by law.

14. Retention periods

We retain personal data only for as long as necessary for the purposes described above, to comply with legal retention obligations, to resolve disputes, and to enforce agreements. The current baseline retention periods are:

  • website server and security logs: 30 days
  • account and tenant administration data: for the contract term and then as legally required
  • billing and tax-relevant records: 10 years where statutory retention applies
  • customer analytics data: 400 days for raw events and 3 years for aggregates, unless a tenant-specific shorter retention policy applies
  • completed or failed export jobs: 7 days by default
  • backups containing deleted data expire according to the configured backup retention period, 90 days by default

15. Your rights

Subject to applicable law, you have the right to request access, rectification, erasure, restriction of processing, and data portability, and the right to object to processing based on Article 6(1)(e) or (f) GDPR. Where processing is based on consent, you may withdraw your consent at any time with effect for the future.

16. Right to lodge a complaint

You also have the right to lodge a complaint with a competent supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. The competent authority for our main establishment is: The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI Baden-Wuerttemberg), Germany.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or business changes. We will publish the current version on this page and update the "Last updated" date accordingly.