Client Compliance Guide

Last updated: May 2026

This guide explains, in plain language, how data protection works when you use Erkmo and what you need to do on your end to stay compliant.

1. You Are the Data Controller

Under data-protection laws like the GDPR, there are two key roles: the controller and the processor. As the controller, you decide why and how personal data from your visitors is collected. Erkmo is your processor — we handle the data on your behalf, following your instructions, and we do not use it for our own purposes.

In practical terms, this means your visitors’ data rights (access, deletion, correction, and so on) are your responsibility. If a visitor asks “What data do you have about me?”, that request comes to you, not to Erkmo. We will, of course, help you fulfill those requests — that is part of our Data Processing Agreement.

2. What Erkmo Handles for You

We have designed Erkmo with privacy as the default, not an afterthought. Here is what the platform does out of the box, before you configure anything:

  • No cookies by default. Erkmo’s analytics tracker does not set any cookies unless you explicitly enable consent-based features.
  • No stored IP addresses. IP addresses are used transiently for geolocation and are never written to our analytics database.
  • GPC / DNT signal detection. If a visitor’s browser sends a Global Privacy Control or Do Not Track signal, Erkmo detects it and can adjust behavior accordingly (for example, suppressing optional tracking).
  • Consent auto-detection. If you already have a consent management platform (CMP) like Cookiebot, OneTrust, or Osano, Erkmo can detect the consent state and automatically switch between cookieless and consent-based modes.
  • Server-side session hashing. Visitor sessions are grouped using a temporary, non-reversible hash derived from request metadata. The salt rotates every 90 days, making it impossible to track individuals beyond that window.

3. How Consent Levels Affect Data Collection

Erkmo automatically adjusts what it collects based on the visitor’s consent status. Understanding these levels helps you communicate clearly with your visitors about what happens on your site.

Full consent (visitor opted in)
  • What’s collected: Page views, referrers, device/browser details, city-level geolocation, session identifiers for cross-session analysis, company identification
  • What’s not collected: IP addresses (never stored)

Default (no signal received)
  • What’s collected: Page views, referrers, server-derived session identifier (rotates every 90 days, not stored on visitor’s device), region-level geolocation, device type, browser, OS
  • What’s not collected: Client-stored identifiers, device fingerprinting, cookies, localStorage, IP addresses

Denied (GPC, DNT, or explicit opt-out)
  • What’s collected: Page views, referrers, country-level geolocation only
  • What’s not collected: Session identifiers, device/browser details, company identification, IP addresses

Business interactions (purchases, form submissions)
  • What’s collected: The event itself (e.g., purchase amount, form data) as first-party business data
  • What’s not collected: Tracking identifiers when consent is denied — the event is recorded, but not linked to browsing behavior

If your site uses a consent management platform (CMP), Erkmo automatically detects the consent state and switches between these levels. You do not need to configure anything beyond your CMP.
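The sketch below is an added illustration, not Erkmo’s code: it shows one way the consent levels above and the rotating-salt session hash from Section 2 could fit together on the server. The field names, the HMAC-SHA256 construction, the in-memory salt store, and the rule that a denial signal overrides CMP consent are all assumptions.

```python
import hashlib, hmac, os

ROTATION_SECONDS = 90 * 86400           # salt lifetime stated in the guide
_salts = {}                             # window index -> salt; only one is ever kept

# Fields kept per consent level, following the table rows (field names are
# hypothetical; a finer geolocation level is taken to include the coarser ones).
ALLOWED = {
    "full":    {"page", "referrer", "device", "browser", "os",
                "city", "region", "country", "session_id", "company"},
    "default": {"page", "referrer", "device", "browser", "os",
                "region", "country", "session_id"},
    "denied":  {"page", "referrer", "country"},
}

def consent_level(headers, cmp_state=None):
    """Map browser signals and CMP state to a level. Assumption: denial always wins."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("sec-gpc") == "1" or h.get("dnt") == "1" or cmp_state == "denied":
        return "denied"
    return "full" if cmp_state == "granted" else "default"

def current_salt(now):
    """Return the salt for the 90-day window containing `now` (epoch seconds)."""
    window = int(now // ROTATION_SECONDS)
    if window not in _salts:
        _salts.clear()                  # drop the old salt: old hashes become unlinkable
        _salts[window] = os.urandom(32)
    return _salts[window]

def session_id(salt, site_id, ip, user_agent):
    """Keyed hash of request metadata; the IP is an input only and is never returned."""
    msg = "\x1f".join((site_id, ip, user_agent)).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:32]

def build_record(event, headers, ip, site_id, now, cmp_state=None):
    """Filter a raw event down to what the visitor's consent level permits."""
    level = consent_level(headers, cmp_state)
    record = {k: v for k, v in event.items() if k in ALLOWED[level]}
    if "session_id" in ALLOWED[level]:  # persistent IDs for full consent are not modelled
        ua = next((v for k, v in headers.items() if k.lower() == "user-agent"), "")
        record["session_id"] = session_id(current_salt(now), site_id, ip, ua)
    return level, record

# Constructed sample input (documentation IP range, made-up values).
EVENT = {"page": "/pricing", "referrer": "https://example.org/", "device": "desktop",
         "browser": "Firefox", "os": "Linux", "city": "Lyon", "region": "ARA",
         "country": "FR", "company": "Example GmbH", "ip": "203.0.113.7"}
```

Calling `build_record` twice inside one 90-day window returns the same session identifier for the same visitor metadata; once the window rolls over, the old salt is gone and the identifier changes.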

4. Company Identification (B2B Analytics)

Erkmo can identify the company or organization visiting your site by looking up the network registration associated with the visitor’s IP address. This identifies the business, not the individual person.

Only the company name and domain are stored — the IP address is used transiently and discarded. Residential and consumer internet providers are filtered out. Company identification data is automatically deleted after 180 days.

What you need to do: If you use this feature, mention it in your privacy policy. See the updated sample paragraph in Section 8 below. Company identification is automatically disabled on child-directed sites and when a visitor has opted out of tracking.

5. COPPA and Child-Directed Sites

If your website or application is directed at children under 13, you can enable child-directed mode in your Erkmo site settings. This activates the strictest possible privacy protections:

  • No session identifiers or visitor identification of any kind
  • No company identification
  • No visitor profiling, segmentation, or journey analysis
  • Country-level geolocation only (no city or region)
  • No device or browser details beyond general device type

These restrictions are enforced at the platform level and cannot be overridden by any other setting. We recommend enabling child-directed mode on any site where children under 13 may be present, even if the site is not exclusively for children.

6. Your Responsibilities

Even though Erkmo does the heavy lifting on the privacy-engineering side, there are a few things only you can do:

6.1 Mention Erkmo in Your Privacy Policy

Most data-protection laws require you to disclose the tools and processors you use. We have prepared a ready-to-use paragraph you can add to your privacy policy — see Section 8 below.

6.2 Handle Data Subject Requests

If one of your visitors exercises their rights (for example, requesting access to or deletion of their data), you are the point of contact. If you need our help to locate or delete data in Erkmo, reach out to privacy@erkmo.com and we will assist within 10 business days.

6.3 Choose Appropriate Data Retention Periods

Erkmo lets you configure how long analytics and CRM data is retained. Choose retention periods that match your business needs and legal obligations. A good starting point for analytics data is 24 months — long enough to compare year-over-year trends, short enough to respect the principle of data minimization.

6.4 Consent Banner (If Using Consent Mode)

If you enable Erkmo’s consent-based features (persistent identifiers, cross-session tracking), you will need a cookie consent banner. You can use any CMP — Erkmo integrates with the most popular ones. If you are only using Erkmo’s default cookieless mode, no consent banner is required for analytics.

7. BYOD / Direct Mode Advantages

Erkmo offers a “Bring Your Own Database” (BYOD) option where you connect your own Tinybird or ClickHouse instance. When combined with a custom CNAME (e.g., analytics.yourdomain.com), this creates a fully first-party data pipeline. Here is why that matters:

  • Fully first-party data processing. Analytics data flows directly from your visitors to your own infrastructure. Erkmo’s servers are not in the data path.
  • CNIL-exempt audience measurement. The French data protection authority (CNIL) exempts strictly necessary audience measurement tools from consent requirements when they meet certain criteria. BYOD mode, with its cookieless defaults and first-party infrastructure, is designed to qualify.
  • No Erkmo sub-processor involvement. In direct mode, your analytics data never touches Tinybird, Cloudflare R2, or any other Erkmo sub-processor. This dramatically simplifies your compliance posture. See the sub-processor list for details.
  • Maximum legal advantage for consent-free analytics. By combining cookieless tracking, first-party infrastructure, no cross-site identifiers, and rotating session hashes, BYOD mode gives you the strongest possible basis for operating analytics without a consent banner.

8. Sample Privacy Policy Paragraph

You are welcome to copy the following paragraph into your own privacy policy, adapting it as needed:

“We use Erkmo for website analytics and marketing intelligence. Erkmo operates in privacy-preserving mode by default: no cookies are set, no IP addresses are stored, and visitor sessions are grouped using a temporary, non-reversible hash that rotates every 90 days. If you have consented to analytics cookies, we may use persistent identifiers for cross-session analysis. Erkmo may identify the company or organization associated with your network connection for business-to-business analytics purposes; this identifies organizations, not individuals, and only when consent has not been denied. Advertising click identifiers from page URLs may be used to attribute conversions to advertising campaigns. You can opt out at any time via your browser’s Global Privacy Control setting. For more information, see Erkmo’s privacy policy at https://erkmo.com/privacy.”

Questions?

If you have questions about compliance, your obligations as a data controller, or how Erkmo handles data, reach out to us at privacy@erkmo.com. We are happy to help.

Erkmo Inc. · erkmo.com