Matomo Cloud Privacy Policy - Matomo Analytics

Matomo Cloud Privacy Policy

Effective Date: 13 August 2024
This Privacy Policy replaces the earlier version published on this website.

This Policy describes the information (or personal data) we collect from you (the “Customer”), how we use that information and our legal basis for doing so. It also covers whether and how that information may be shared and your rights and choices regarding the information you provide to us.

This Privacy Policy applies to the processing of personal data within the Matomo Cloud service by InnoCraft only. This Privacy Policy does not cover personal data collected via your interactions with the Matomo.org  and related websites (including when you provide personal information for creation of Matomo Cloud trial account via the website) where the Matomo Website Privacy Policy applies. Please refer to the  Matomo Website Privacy Policy to understand how we process data collected in those interactions.

Table of Contents

Who we are

We are InnoCraft Limited (InnoCraft, we), a New Zealand registered company (NZBN 6106769), established by the creators of Matomo. Our offices are at: 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. InnoCraft provides digital analytics products and services that help individuals and businesses keep full control over their data.

If you have any questions about this privacy policy, or would like to access earlier versions of this Privacy Policy, please contact our privacy team at privacy@innocraft.com.

What personal data we collect, when we receive it and how we use it

We will never sell your personal data to anyone.

We collect and process the following personal data as data controllers, or agency:

  • Account Data – when you create the Customer Account within the Matomo Cloud, we ask you to provide us with information such as name, email address, job title, contact details, details about your organisation and billing information. As otherwise detailed in this Privacy Policy, we will solely process this information to provide you with the service you signed up for and, for security, billing and account management purposes. If you do not provide this information, we would not be able to create the Customer account.
  • Communication Data – when you use the Matomo Cloud user interface to ask for Matomo Cloud support, send us questions, comments, feedback, or report a problem, we will collect your name, email address and the content of the message. We use this data solely in connection with answering the queries we receive and to analyse the types of queries we receive, to improve our customer management processes and to improve our products and services. If you do not provide your personal data, we will not be able to respond to you.
  • Customer Instance Usage Data - when you use the Matomo Cloud service, we monitor the instance activity relating to that Customer ID (e.g., time of first login into the app and first tracking requests, features visited, number of Users logged in; number of hits, goals, funnels, users, websites and segments configured and active (to manage quota allowances for each Customer account); number of events created or tracked per day (adding new User, website, or a plugin); conversion from trialist to full account; support request event trigger). We process this usage data for statistical purposes, to improve Matomo Cloud services and to recognise and stop any misuse of the Customer Account.

We process Personal Data on behalf of our Customers (as data processors) in accordance with the Data Processing Agreement: https://matomo.org/matomo-cloud-dpa/ and the Customer’s use of Matomo Cloud is governed by the Terms of Service: https://matomo.org/matomo-cloud-terms-of-service/.

Legal bases

We process your Personal Data on the following legal bases:

  • Consent – We may process your Personal Data for one or more specific purposes if you give us your consent, for example we ask for your consent to receive marketing materials, to take part in surveys or any form of individual tracking that requires consent (e.g., if a User consents to the Support Team viewing their use of Matomo Cloud to resolve a support issue). Whenever we process your Personal Data with your consent, we will ask you for it and inform you about your right to withdraw it.

  • Contract performance and pre-contractual requests – We may process your Personal Data when it is necessary for the performance of a contract with you or for the performance of pre-contractual measures, which are carried out at your request. For example, when you send us a sales query, when you create a Matomo Cloud account, when you purchase a plugin or process a payment, when you send us a customer support request or a technical query.

  • Legal obligation – We may process your Personal Data when it is necessary for compliance with a legal obligation to which we are subject, for example to comply with any applicable tax laws.

  • Legitimate interests – We may process your Personal Data when it is necessary for the purposes of our legitimate interests, unless these are overridden by your interests or fundamental rights and freedoms, for example when we process your queries, for customer relationship management purposes, to improve the performance of our website, to manage consent (where applicable).

Your rights

Data subject rights vary depending on the applicable privacy laws. We are based in New Zealand and governed by the New Zealand Privacy Act and any privacy laws that apply to the processing because of their extraterritorial effect (e.g., EU GDPR, UK GDPR).

If the EU GDPR or UK GDPR is the law applicable to our processing of your data, you have the right of access to your Personal Data and to information regarding the processing of Personal Data by InnoCraft, the right to rectification/correction, erasure, restriction of processing and the right to object to the processing of your Personal Data. You also have the right to receive your Personal Data in a structured, common and machine-readable format and to transmit it or have it transmitted to another controller. If you have given us your consent for processing your Personal Data, you also have the right to withdraw your consent at any time with effect for the future.

To the extent any U.S. state privacy act applies to our processing of your personal data your rights may include a right to access, correct, delete, opt out of certain processing, right to portability, right to opt-in for sensitive data processing, right against automated decision making or other rights provided for under applicable laws.

We can only identify you via your email address and we can only adhere to your request and provide information if we have Personal Data about you through you having contacted us directly and/or your use of our site and/or service. We cannot provide, rectify or delete any data that we store on behalf of our Customers.

To exercise any of the rights mentioned in this Privacy Policy and/or in the event of questions or comments relating to the use of Personal Data you may contact InnoCraft’s support team: privacy@innocraft.com.

In addition, you have the right to lodge a complaint with a data protection authority or supervisory authority responsible for protecting your privacy rights, e.g.:

  • New Zealand: Office of the Privacy Commissioner: https://www.privacy.org.nz/about-us/contact/
  • UK: Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
  • EU: select the appropriate authority from the list provided by European Data Protection Board https://edpb.europa.eu/about-edpb/board/members_en
  • Australia: Office of the Australian Information Commissioner: https://www.oaic.gov.au/about-us/contact-us/
  • Rest of the world: please contact us on privacy@matomo.org and we can provide you with the details of the appropriate authority.

Children’s privacy

Our websites and products are not intended for children or minors. We do not knowingly collect children’s or minors’ personal data. Any accounts created by a child or a minor without parental consent and brought to our attention will be deleted as required by law.

Who we share your personal data with

   (A) Subprocessors (Matomo Cloud)

We use a select number of trusted external service providers for certain technical data processing and/or service offerings. These service providers are carefully selected and meet high data protection and security standards. We only share information with them that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process Personal Data only according to our instructions.

InnoCraft uses the following subprocessors to process the data collected by Matomo Cloud Customers:

Notice on data transfer and GDPR compliance:

Personal data held in Customer’s Matomo Cloud instance and instance backups are securely stored in Europe.

InnoCraft is based in New Zealand, one of the few countries that the EU considers to have an adequate level of data protection.

This means that Matomo Cloud is safe to use in the EU and fully GDPR-compliant.

 

SubprocessorPurpose of processingLawful basisData location and securityPersonal dataPrivacy terms
Amazon Web Services EMEA SARL, LuxembourgSecure infrastructure for servers and databases and logs.ContractEurope:
–  Frankfurt, Germany;
– backups stored in Dublin, Ireland
Account and Customer Personal Data, Activity DataProcessing covered by DPA (Data
Processing Agreement)
Oblivion Cloud Control B.V (part of Xebia Group B.V)

AWS solution provider: secure infrastructure management

IT consulting services, support services

ContractThe NetherlandsAccount Data, Customer Personal Data, Activity DataProcessing covered by DPA (available on request)
Amazon Web Services EMEA SARL, LuxembourgSecure CDN (Content Delivery Network) to store and deliver JavaScript files. This service is provided by AWS Europe. The use of the CDN feature is optional and can be disabled.Legitimate interest (fraud prevention and information security)Worldwide;
Visitors are sent to a server closest to their region (traffic from the EU stays in the EU).
Request Data (IP address, browser type, operating system, the URL)Processing covered by DPA (Data
Processing Agreement)

Please refer to the Data Processing Agreement for more information: https://matomo.org/matomo-cloud-dpa/

Terms & Conditions: https://matomo.org/matomo-cloud-terms-of-service/

   (B) Billing and Support Services

When you purchase Matomo Cloud products or services or contact us via the Customer instance, we use the following third-party services, which collect and process personal data:

RecipientPurpose of processingLawful basisData location and securityPersonal data collected by the third partyPrivacy terms
Help Scout, PBCTo receive, and reply to your support request emails after you contact usContract (providing Customer/User support)USAMessage sent, name, email address, if included in the email: job title, company name, company contact
details
Processing covered by DPA
Microsoft France SASUse Microsoft 365 to manage workflows, files and documentation; email correspondence; meetings and
scheduling

Contract:

  • managing and providing customer support or
  • responding to sales enquiries

Legitimate interest (in other cases):

  • workflow, file and documentation management;
  • correspondence;
  • meeting scheduling
France, EUName, email address, mailing address, telephone number, department, role, company name;
Correspondence;
Associated Matomo account;
Billing address, subscriptions and payment history;
Processing covered by DPA (available on request)
Paddle Payments LimitedTo let you purchase Matomo Cloud software serviceContractUK and USAPayee details: name, location, contact details, and billing information.Processing covered by Privacy policy | Paddle and Data Sharing Addendum
Twilio, Inc.To send you Matomo Cloud related emails after you sign up, to help you get started with Matomo

Legitimate interests:

Supporting users in their initial setup of Matomo

USAName and email address of Customer Account ownerProcessing covered by DPA and BCR

   (C) When you instruct us to transfer data to third parties

     1. Google Analytics Connect

You can optionally import your historical data from Google Analytics into your Matomo Cloud account. This allows you to compare your data recorded by Matomo with your historical data from Google Analytics and make sure you do not lose your Google Analytics data. The use and transfer of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Data will only be imported if you connect your Google Analytics account with your Matomo Cloud account. This is entirely optional. Once connected, you can select which Google Analytics properties you would like to import into Matomo. After the historical data has been imported, we won’t import any further data unless you specifically schedule a new import or update the date range to be imported.

Accessed DataHow this data is usedHow this data is storedHow this data is shared
Access tokenWe use the access token to make API requests on behalf of you to import the reporting data.We store this data in your Matomo Cloud account. You can revoke the token at any time in your Google Account.This data is not shared.
List of properties in your Google Analytics account. We access the account ID, the view ID, the property ID and the property name (typically the name of your website or app).We get the list of properties to let you select which of your properties you want to import into Matomo Analytics and to manage the import of the aggregated reporting data.We store this data in your Matomo Cloud account to import the aggregated reporting data. You can delete this data by deleting the site yourself or by instructing us to delete this data.This data is not shared.
Aggregated, historical reporting data from your selected Google Analytics properties. For example, the list of browsers, devices, page urls, page titles, downloads, events, and more. Along with each report we access the related metrics for each report such as the number of visits, page views and more.You can view the imported data through the Matomo Analytics user interface by selecting the imported property, a date range, and the report you want to view.We store the aggregated reporting data in your Matomo Cloud account. You can delete this data by deleting the site yourself or by instructing us to delete this data.This data is not shared with anyone else unless you give someone else access to your Matomo Cloud account by adding team members and giving them permission to view this data.

     2. Google Search Console Connect

By default, all your search keywords appear as “Keyword not defined” in Matomo’s “Search Keywords” report and you won’t be able to find out which keywords people used to find your website on the Google search engine.

To get this data, you can optionally import your search keywords from Google Search Console into your Matomo Cloud account. This allows you to get deep insights about all the keywords that people are searching for when they find your website. All of the search keywords will be shown directly in your regular Matomo Analytics “Search Keywords” reports.

Accessed DataHow this data is usedHow this data is storedHow this data is shared
Access tokenWe use the access token to make API requests on behalf of you to regularly import the most recent search keywords data.We store this data in your Matomo Cloud account. You can revoke the token at any time in your Google Account.This data is not shared.
List of domains and URL prefixes in your search console.We use this data to let you assign a domain to a Matomo site. This way Matomo knows which search console site matches the site in Matomo.We store this data in your Matomo Cloud account to import the search keywords data. You can delete this data by deleting the site yourself or by instructing us to delete this data.This data is not shared.
Aggregated search keywords data. For example, the list of search keywords people used to find you, how many times the keyword was searched for, how often someone clicked on your site, and the average position within a search engine results page.You can view the imported search keywords through the Matomo Analytics user interface by selecting a Matomo site, a date range, and the “Search Keywords” report.We store the search keyword reports in your Matomo Cloud account. You can delete this data by deleting the site yourself or by instructing us to delete this data.This data is not shared with anyone else unless you give someone else  access to your Matomo Cloud account by adding team members and giving them permission to view this data.

     3. Google Tag Manager Connect

You can optionally simplify data tracking on your website by effortlessly adding the Matomo JavaScript tracking code via Google Tag Manager. With just a few clicks, you can seamlessly track data into Matomo, streamlining your analytics process. Rest assured that the use and transfer of information received from Google APIs comply with Google API Services User Data Policy, including the Limited Use requirements.

Once you connect your Google Tag Manager Account with a Matomo Cloud account, a new tag and trigger will be automatically generated within your chosen Google Tag Manager container. It’s important to note that this process is entirely optional and under your control. We are committed to respecting your preferences; thus, we will not create any new tag and trigger in your container unless you provide explicit authorisation.

Accessed DataHow this data is usedHow this data is storedHow this data is shared
Access tokenWe use this access token to make API requests to create Matomo Tracking Tag and corresponding trigger in your Google Tag Manager account.We store this data in your Matomo Cloud account.This data is not shared
List of workspace and containers in your Google Tag Manager account.We use this data to let you select the correct Google Tag Manager container and workspace. This way Matomo knows on which Google account it needs to create the Matomo Tracking code Tag and its corresponding trigger.We do not store this data.This data is not shared

     4. Looker Studio Integration

Looker Studio Integration: We provide the Matomo Connector (the “Connector”), designed to facilitate the seamless integration of your Matomo Cloud account data with Looker Studio. Should you choose to activate or utilise the Matomo Connector, please be aware of the following:

  • Data Export: Upon activation of the Matomo Connector, all data stored within your Matomo account will be exported to Looker Studio. This transfer is initiated by you and is under your control.
  • Data Privacy: Once your data is exported to Looker Studio, it will be governed by the applicable Looker Studio terms of service and policies provided by Google. We strongly advise you to review their terms and policies and understand the implications before initiating the data transfer.
  • Privacy Considerations: Transferring data, especially visitor data, to external platforms can have privacy implications. It’s crucial to ensure that you have the necessary permissions and have considered the privacy ramifications of such a transfer.
  • Exclusive Connector Use: To ensure the security and privacy of your data, we recommend exclusively using the Matomo Connector for this integration. Avoid using third-party connectors or tools for Looker Studio that claim compatibility with Matomo, as we cannot vouch for their security or data handling practices.

     5. BigQuery & Data Warehouse Export feature

We developed the BigQuery Configuration feature to enable you to format Matomo Cloud data for export into BigQuery. If you choose to export your Matomo Cloud data into BigQuery please be aware of the following:

  • Data Export: When you export data from Matomo Cloud to BigQuery, all raw data stored within your Matomo account (including personal data) will be exported to Google, where it will be governed by the applicable Google terms and policies. We strongly advise you to review their terms and policies before initiating the data export.
  • Privacy and Security: Transferring personal data to external platforms has data security risks and privacy compliance implications. Please consider them before you export the data.
  • You are in control: The use of this feature and data export is entirely optional and under your Super User’s control.

International transfers

If the EU GDPR or UK GDPR applies to our processing of your personal data, we receive it in New Zealand on the basis of adequacy decision. For the above subprocessors and third-party services, we transfer your personal data to a third country (i.e. outside the European Union (EU), the United Kingdom or the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, only in accordance with the applicable legal requirements under the GDPR.

Specifically, for the above subprocessors and third-party services, we process or allow the data to be processed on the basis of adequacy (e.g., transfers between the UK and EU) or standard contractual clauses of the EU Commission, subject to data transfer impact assessments where required. More information on this is available from us upon request.

Retention of data

We will retain your information as long as your account is active, as necessary to provide you with the services or as otherwise set forth in this Policy.

We will also retain and use this information as necessary for the purposes set out in this Policy and to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements and protect InnoCraft’s legal rights.

We also collect and maintain aggregated, anonymised information which we may retain indefinitely to protect the safety and security of our site, improve our Services or comply with legal obligations.

How we protect your personal data

Data security is important to us. We process your personal data securely, using appropriate technical and organisation measures designed to protect your data from unathorised access, disclosure, alteration or loss.

Appendix 1 of our Data Processing Agreement sets out some of the technical and organisational measures currently observed by InnoCraft.

You are responsible for maintaining the security of your Matomo Cloud account credentials. Do not share your passwords and access keys.

If you have any concerns about the security of your personal data, please contact us immediately using the contact details provided below.

Automated decision making including profiling

We do not perform automated decision making or profiling.

Privacy Policy changes

We may update this Policy from time to time. If we do, we will let you know about any material changes, either by notifying you on the website or by sending you an email. Once posted on this website, the amended Privacy Policy will be effective as of the Effective Date stated above. If we make any material changes to the Policy, we will notify you on our website, or by sending you an email.

Contact us

If you have any questions or concerns regarding this Privacy Policy or how your personal data is processed, please contact us by emailing privacy@matomo.org or via the contact form: matomo.org/contact.

If you are based in New Zealand, you can write to us at our registered address:
InnoCraft Limited, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand, Attention: Privacy Officer.

We aim to respond to your inquiries as soon as reasonably possible. If you want to give us feedback on how we handled your request, please let us know. We are always trying to improve.

EU and UK Representatives

Because InnoCraft is located outside of the EU and UK, the InnoCraft team has named a representative of controllers or processors not established in the EU or the EEA and in the UK (Art. 27 GDPR):

  • If you are a resident of the EU or the EEA, you can contact:

    ePrivacy Holding GmbH
    Burchardstraße 14
    20095 Hamburg
    Germany
    www.eprivacy.eu/en/legal
    Mail address: eu.rep@eprivacy.eu

  • If you are a resident of the UK, you can contact:

    UK Representative Service for GDPR Ltd.
    7 Savoy Court
    London WC2R 0EX
    United Kingdom
    www.eprivacy.eu/en/legal
    Mail address: service@ukrepresentative.eu

External Data Protection Officer

If you wish to communicate directly with our Data Protection Officer (because you have a particularly sensitive matter for example), please contact them by post, as communication by e-mail could always have security gaps.

Please state in your request that your concern relates to the company InnoCraft.

     ePrivacy GmbH
     represented by Prof. Dr. Christoph Bauer
     Burchardstraße 14, 20095 Hamburg
     Germany