ROESSOLYTICS Logo ROESSOLYTICS
Privacy Policy

Privacy Policy

Last updated: May 2026

1. Controller

The controller responsible for data processing in connection with this website and the use of ROESSOLYTICS is:

ROESSOLUTIONS®
Benjamin Rößl
Ziegeleistr. 40c
84051 Essenbach
Germany

Email: info@roessolutions.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

2. Scope of this Privacy Policy

This Privacy Policy applies to:

  • the website roessolytics.de
  • the website roessolytics.com
  • the ROESSOLYTICS web analytics platform
  • the dashboard at dashboard.roessolytics.de
  • the tracking endpoints, in particular tracking.roessolytics.de
  • contact, support, checkout, payment, contract and onboarding processes in connection with ROESSOLYTICS

ROESSOLYTICS is a SaaS platform for privacy-friendly web analytics. Customers can use ROESSOLYTICS to statistically evaluate visits, page views, sessions, events and other usage data on their own websites.

3. Allocation of Roles When Using ROESSOLYTICS

When using ROESSOLYTICS, different processing situations must be distinguished.

If you visit our website, create a customer account, initiate an order, use our dashboard or contact us, ROESSOLUTIONS generally processes personal data as controller.

If a customer integrates ROESSOLYTICS on their own website, the customer determines the purposes and means of analyzing their website visitors. In this case, the customer is generally the controller within the meaning of the GDPR. ROESSOLUTIONS processes the resulting analytics data on behalf of the customer as processor.

For this processing on behalf of customers, we provide a data processing agreement. It should be possible to conclude and download this agreement in the customer area or dashboard. The specific integration of ROESSOLYTICS on the customer's website, informing website visitors and assessing any consent that may be required are the responsibility of the respective customer.

4. Hosting, Infrastructure and Security

Hetzner

Our websites, servers, databases and parts of the technical infrastructure are operated at Hetzner.

The provider is:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

When using the website and the platform, IP addresses, log data, technical access data, server requests, access times and communication data may be processed in particular.

Hetzner is used to provide our website and platform securely, stably and economically. The legal basis is Art. 6(1)(f) GDPR. Where processing is necessary for the performance of a contract with customers, it is additionally based on Art. 6(1)(b) GDPR.

We have concluded a data processing agreement with Hetzner.

Cloudflare

We use Cloudflare to secure, accelerate and reliably provide our websites and services. Cloudflare may be used as a DNS, proxy, CDN and security service.

The provider is:

Cloudflare, Inc.
101 Townsend St.
San Francisco, CA 94107
USA

When our websites or services are accessed, data traffic may technically be routed through Cloudflare. In particular, IP address, requested URL, browser information, header data, access times and security-relevant technical data may be processed.

Cloudflare is used to protect our services against attacks, misuse, automated malicious traffic and outages, and to improve technical delivery. The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, reliable and performant provision of our services.

Cloudflare may process data in third countries, in particular the United States. According to Cloudflare, such transfers are based on appropriate safeguards such as standard contractual clauses and additional data protection mechanisms.

We have concluded a data processing agreement with Cloudflare.

5. Access Data and Server Logs

When our websites and services are accessed, technically necessary access data is processed. This may include:

  • IP address
  • date and time of access
  • requested URL
  • referrer URL
  • browser type and browser version
  • operating system
  • device used
  • HTTP status codes
  • amount of data transferred
  • technical header data
  • security-relevant events

This data is processed to technically provide the website and platform, analyze errors, prevent misuse, defend against attacks and ensure system stability.

The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure and reliable provision of our website and platform.

6. Website Analytics with ROESSOLYTICS on Our Own Websites

We use ROESSOLYTICS on our own websites to statistically evaluate the use of our website and improve our offering.

The tracking script is loaded via tracking.roessolytics.de. According to the current technical status, the tracking script itself does not set analytics cookies and does not create a persistent browser identifier on the end device.

In particular, the following data may be processed:

  • requested URL
  • path and query parameters
  • referrer
  • page title
  • hostname
  • browser language setting
  • screen size
  • time of page view
  • website ID
  • events and event names
  • tags
  • UTM parameters
  • click IDs, where they are included in URLs
  • technical browser, device and operating system information
  • IP address and user agent for server-side determination of technical and geographic information

The IP address is processed for technical processing, geo determination, misuse detection and the creation of pseudonymous session information. According to the current technical status, a pseudonymous session identifier is generated from IP address, user agent and a rotating salt. The raw IP address is not used as a permanently visible analytics attribute.

The legal basis for analytics on our own website is Art. 6(1)(f) GDPR. Our legitimate interest lies in understanding the use of our website, identifying technical problems, improving content and developing our offering in an economically reasonable way.

Where analytics access information on the end device or store information on the end device, § 25 TDDDG must also be observed. Whether consent is required in an individual case depends on the specific technical implementation and legal assessment.

7. ROESSOLYTICS as a Web Analytics Platform for Customers

Customers can use ROESSOLYTICS to statistically evaluate the use of their own websites.

Depending on integration and configuration, in particular the following data may be processed:

  • page views
  • events and custom events
  • referrer
  • URL, path and query parameters
  • page title
  • hostname
  • browser language
  • screen size
  • browser, operating system and device type
  • country, region and city based on technical IP evaluation
  • UTM parameters
  • click IDs
  • tracking links
  • tracking pixels
  • custom properties
  • pseudonymous or personal IDs transmitted by the customer, for example via an identify function

According to the current technical status, ROESSOLYTICS does not create its own persistent analytics cookie in the website visitor's browser. However, pseudonymous session and visit identifiers may be created server-side in order to statistically evaluate visits.

If customers transmit their own IDs, email addresses, customer numbers, user identifiers or other personal attributes, the responsibility for the lawfulness of this transmission lies with the respective customer.

The retention period for analytics data depends on the booked plan, technical settings and contractual agreements. Customers are responsible for transparently informing their website visitors about the use of ROESSOLYTICS and ensuring any required legal basis or consent.

8. Dashboard, Customer Account and Login

For the use of the ROESSOLYTICS dashboard, we process data required to provide the customer account and the platform.

This may include:

  • name
  • email address
  • login and authentication data
  • password hash
  • role and permissions
  • workspace and account assignment
  • booked plan
  • subscription status
  • page view quota
  • use of the dashboard
  • technical access data
  • support and communication data

This data is processed to provide customer accounts, authenticate users, manage roles and permissions, enable booked services, prevent misuse and operate the platform securely.

The legal basis is Art. 6(1)(b) GDPR where processing is necessary for contract performance. Art. 6(1)(f) GDPR additionally applies to security, operational and misuse prevention measures.

9. Cookies and Local Storage in the Dashboard

The dashboard uses technically necessary or functional cookies and local storage mechanisms.

In particular, the following may be used:

  • cookie theme to store the theme selection
  • cookie locale to store the language setting
  • Local Storage for authentication data or login tokens
  • Local Storage for language settings
  • Local Storage for theme settings
  • Local Storage for time zone
  • Local Storage for date range
  • Local Storage for dashboard layout and UI states
  • Local Storage for the last workspace selection
  • Local Storage for tab and display preferences

These storage operations serve the functionality, security, usability and personalization of the dashboard. Without certain storage operations, the dashboard cannot be used or can only be used with limitations.

The legal basis is Art. 6(1)(b) GDPR where storage is necessary for contract performance and use of the dashboard. Otherwise, processing is based on Art. 6(1)(f) GDPR. For technically necessary storage on the end device, § 25(2) TDDDG may apply.

10. Local Storage on the Website

On the public website, localStorage.theme may be used to store the preferred display mode, in particular dark mode or light mode.

This storage serves exclusively to provide a user-friendly display of the website. The legal basis is Art. 6(1)(f) GDPR. The storage can be removed by deleting browser storage.

11. Checkout, Order and Contract Conclusion

If you order ROESSOLYTICS or start a checkout process, we process the data required for the order and contract conclusion.

This may include:

  • email address
  • selected plan
  • selected page view quota
  • payment interval
  • language and country
  • technical checkout data
  • Stripe Checkout Session ID
  • Stripe Customer ID
  • Stripe Subscription ID
  • payment status
  • invoice and contract data

Before checkout, an email address may be processed to check whether an existing customer account already exists. This check serves to avoid duplicates and correctly assign orders.

The legal basis is Art. 6(1)(b) GDPR where processing is necessary for pre-contractual measures or contract performance. The check for existing accounts is additionally based on Art. 6(1)(f) GDPR. Our legitimate interest lies in clean account, contract and subscription assignment.

12. Payment Processing with Stripe

We use Stripe for payment processing.

The provider for customers within the EU is:

Stripe Payments Europe, Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin
Ireland

In the context of the checkout and payment process, in particular the following data may be transmitted to Stripe or processed by Stripe:

  • email address
  • name
  • billing address
  • payment data
  • credit card data
  • payment amount
  • currency
  • payment status
  • tax information
  • VAT ID, where provided
  • booked plan
  • subscription information
  • technical transaction data
  • fraud prevention data

Payment data is entered and processed directly via Stripe. We do not store complete credit card data on our own servers.

Stripe may also process data outside the European Union. Further information is available in Stripe's privacy information.

The legal basis is Art. 6(1)(b) GDPR for payment and contract processing. Where processing serves fraud prevention, security and stability, Art. 6(1)(f) GDPR additionally applies.

13. Invoicing and Accounting

For invoicing, accounting, tax documentation and commercial administration, we process contract, customer, payment and invoice data.

This may include:

  • name or company name
  • address
  • email address
  • VAT ID
  • invoice number
  • description of services
  • payment amount
  • payment status
  • contract and subscription data
  • tax-relevant information

We use accounting or invoicing software to create and manage invoices. The data listed above may be transferred to the respective provider where this is necessary for invoicing, accounting and statutory retention.

The legal basis is Art. 6(1)(b) GDPR for contract processing and Art. 6(1)(c) GDPR for statutory tax and commercial law obligations.

14. Onboarding, Password Setup and Email Communication

After successful contract conclusion, we may send you onboarding emails, invitations, password setup links, system notices and contract-related information.

In particular, we process:

  • email address
  • name
  • customer account
  • language
  • onboarding status
  • one-time onboarding or password tokens
  • time of dispatch
  • technical delivery information

Onboarding and password links are time-limited and serve the secure setup of the customer account.

The legal basis is Art. 6(1)(b) GDPR where communication is necessary for contract performance. Art. 6(1)(f) GDPR additionally applies for security and documentation purposes.

15. Support and Contact

If you contact us by email or via a support form, we process the data you transmit.

This may include:

  • name
  • email address
  • company
  • customer account
  • content of the request
  • technical information
  • contract or subscription reference
  • communication history

Processing is carried out to handle your request, support you in using ROESSOLYTICS and communicate with you.

The legal basis is Art. 6(1)(b) GDPR where your request is related to a contract or pre-contractual measures. In other cases, processing is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in the appropriate handling of requests.

16. Email Providers

We use technical email services or SMTP infrastructure to send system, onboarding, password and support emails.

In particular, the following data may be processed:

  • recipient email address
  • sender data
  • subject
  • content of the email
  • time of dispatch
  • delivery status
  • technical mail server data

Emails are sent for contract performance, secure account setup, communication with customers and technical provision of the platform.

The legal basis is Art. 6(1)(b) GDPR. Where delivery logs are processed for error analysis, security or misuse prevention, Art. 6(1)(f) GDPR additionally applies.

17. Tracking Links and Tracking Pixels

ROESSOLYTICS may provide customers with tracking link and tracking pixel features. These features are used for the statistical recording of link accesses, campaign accesses or pixel requests.

In particular, the following data may be processed:

  • requested tracking URL
  • link or pixel ID
  • referrer
  • time of access
  • IP address
  • user agent
  • browser, device and operating system information
  • geographic information based on technical IP evaluation
  • UTM parameters and click IDs
  • event data

If customers use tracking links or tracking pixels, they are responsible for informing affected persons accordingly and ensuring an appropriate legal basis.

18. Identify Function and Custom Data

ROESSOLYTICS may provide technical options that allow customers to transmit their own identifiers or custom properties.

This may include:

  • pseudonymous user identifiers
  • internal customer or user IDs
  • segment information
  • custom properties
  • event parameters

If customers transmit personal or personally relatable data to ROESSOLYTICS, the responsibility for the lawfulness of this processing lies with the respective customer. ROESSOLUTIONS processes this data within the scope of processing on behalf of the customer according to the customer's instructions.

We recommend that customers do not transmit directly identifying data such as plain-text email addresses, names or phone numbers as tracking or identify values unless there is an explicit legal basis for doing so.

19. Data Recipients and Processors

As part of operating ROESSOLYTICS, personal data may be transmitted to the following categories of recipients:

  • hosting and infrastructure providers
  • CDN, DNS and security providers
  • payment service providers
  • accounting and invoicing service providers
  • email and SMTP service providers
  • technical service providers for operation, maintenance and security
  • tax advisors, authorities or other bodies where legally required

Personal data is only disclosed if this is necessary for contract performance, if there is a legal obligation, if a legitimate interest exists or if consent has been given.

Where required, we conclude data processing agreements with processors.

20. Third-Country Transfers

Some service providers we use may process personal data outside the European Union or the European Economic Area, in particular in the United States.

In such cases, we ensure that an adequate level of data protection exists or that appropriate safeguards are used. This may be done in particular through EU standard contractual clauses, adequacy decisions, certifications or additional safeguards.

21. Retention Period

We store personal data only for as long as is necessary for the respective purposes.

Customer, contract, payment and invoice data is stored for the duration of the contractual relationship and subsequently within the scope of statutory retention obligations.

Support and communication data is stored for as long as this is necessary to process the request, perform the contract or ensure traceability.

Analytics data within ROESSOLYTICS is generally stored depending on the booked plan, technical settings and contractual agreements. After contract termination, customer and analytics data is generally retained for a period of up to 90 days to enable reactivation, clarification or data transfer. After that, data may be deleted or anonymized unless statutory retention obligations prevent this.

22. Security

We take technical and organizational measures to protect personal data against loss, misuse, unauthorized access, alteration or disclosure.

These measures include in particular:

  • encrypted transmission via TLS
  • access restrictions
  • role-based permissions
  • separation of systems and databases
  • protection of APIs and internal interfaces
  • logging of security-relevant events
  • regular technical reviews and updates
  • backups and recovery measures

Despite all security measures, data transmission over the internet can never be guaranteed to be completely risk-free.

23. Legal Bases of Processing

We process personal data on the basis of the following legal bases:

Art. 6(1)(a) GDPR if you have given consent.

Art. 6(1)(b) GDPR if processing is necessary for pre-contractual measures or contract performance.

Art. 6(1)(c) GDPR if we are legally obliged to process data.

Art. 6(1)(f) GDPR if we have a legitimate interest in processing and your interests or fundamental rights do not override it.

§ 25 TDDDG where information is stored on the end device or information on the end device is accessed.

24. Your Rights

Subject to the statutory requirements, you have the following rights:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to data portability
  • right to object to processing based on Art. 6(1)(f) GDPR
  • right to withdraw consent given
  • right to lodge a complaint with a data protection supervisory authority

To exercise your rights, you can contact us at support@roessolytics.de.

25. Objection to Direct Advertising

If personal data is processed for direct advertising purposes, you have the right to object to this processing at any time.

After an objection, your personal data will no longer be used for direct advertising purposes.

26. Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates data protection law.

In particular, the competent authority may be the data protection supervisory authority of your place of residence, place of work or the place of the alleged data protection violation.

27. Changes to this Privacy Policy

We may update this Privacy Policy if technical, legal or organizational changes occur.

The current version published on our website applies.