GDPR-compliant analytics
GDPR-compliant analytics, enforced where it counts
leadmaps is an analytics platform built for GDPR from the ground up: event data lives in the EU (Amsterdam), consent rules are enforced server-side at the ingest collector rather than trusted to the browser, personal data is isolated in a dedicated PII vault with working Article 17 erasure, and a data processing agreement is part of the product. No analytics vendor can make your site compliant by itself, but the tool should never be the reason you are not.
What "GDPR-compliant analytics" actually requires
Compliance is a property of your whole setup, not a badge on a vendor’s homepage. For the analytics slice, four things matter:
- A lawful basis for processing. Usually consent for full-featured tracking, or a data-minimizing mode that stays out of scope for device storage rules.
- Data that stays where you say it stays. EU residency, named sub-processors, and no quiet transfers.
- The ability to honor rights. If someone invokes Article 17, you must actually be able to erase them, not just anonymize a dashboard.
- A processor you can put on paper. A DPA, a sub-processor list, and honest documentation.
Here is how leadmaps handles each one.
Consent enforced at the collector, not in the browser
Most tools ask your website’s JavaScript to behave. leadmaps does not trust the browser: the consent state is evaluated at our ingest server, and events that violate it are rejected there. A misconfigured tag, a stale script, or a clever visitor cannot bypass the rules, because the rules do not live in the client.
You choose one of two privacy modes per site:
- Consent mode (default): full features including session replay and heatmaps, gated on the consent state your site passes to the SDK.
- Anonymous mode: nothing is stored on the visitor’s device and no fingerprint is computed. Visits are grouped with a server-side key that rotates daily, so a visitor cannot be recognized across days. Replay and heatmap capture are rejected by the collector in this mode. It is designed to work without a cookie banner; verify the call with your own counsel, because your full setup matters.
EU residency by default
Event data is stored in Amsterdam and authentication data in Paris (eu-west-3), on every plan, not as an enterprise add-on. EU residency is the default on every plan; a US region is planned. The current sub-processor list is public on our trust page, including the conditional ones (AWS S3 appears only if you configure an S3 export destination, in the bucket and region you choose).
A PII vault with real Article 17 erasure
Personal data (like identified email addresses) is tokenized into a separate vault database. Analytics tables hold tokens, not the values. When an erasure request comes in, the vault entry is destroyed and every event referencing it is permanently de-identified. This is live in production today, not a roadmap item.
The paperwork
A data processing agreement is available, the sub-processor list is published and kept honest (our internal rule: every claim on the marketing site must be true of the live product), and the privacy policy describes both privacy modes in plain language. Billing runs through Paddle as merchant of record.
Honest limitations
- leadmaps does not make you compliant. Your cookie banner copy, your other tools, and your legal basis are yours. We give you an analytics stack that holds up its end.
- We are not going to promise "no consent needed" in bold letters. Anonymous mode is engineered to stay off the device entirely, and we stand behind the engineering. The legal conclusion for your site belongs to you and your counsel.
- No certifications theater. Our security posture, encryption, access controls, and current certification status are documented on the trust page rather than implied with logos.
Frequently asked questions
- Is leadmaps GDPR compliant?
- leadmaps is built to be operated in a GDPR-compliant way: EU residency, server-side consent enforcement, a PII vault with Article 17 erasure, and a DPA. Compliance of your website as a whole also depends on how you configure and combine your tools.
- Where is the data stored?
- Event data in Amsterdam, authentication in Paris. EU residency is the default on every plan; a US region is planned.
- Do I need a cookie banner with leadmaps?
- In consent mode, yes, like any full-featured analytics. In anonymous mode nothing is stored on the device and no fingerprint is computed, which is designed to work without a banner; confirm with your own counsel.
- How does Article 17 erasure work?
- Identified personal data lives in a separate vault as tokens. An erasure request destroys the vault entry, which permanently de-identifies every event that referenced it.
- Is there a DPA and a sub-processor list?
- Yes. The DPA is available and the sub-processor list is public on leadmaps.nl/trust, including conditional processors.
- Can I self-host instead?
- Yes. A licensed self-host distribution (Docker Compose included) keeps everything on your own infrastructure.
See it for yourself
Keep reading

