Matomo Website Privacy Policy

Effective Date: 13 August 2024

This Privacy Policy replaces the earlier version published on this website.

We believe in openness, privacy and 100% data ownership. Matomo’s mission is to liberate analytics and we are passionate about measuring for success. These core values are ingrained into everything we do here at Matomo and that will never change.

This Policy describes the personal information (or personal data) we collect from you, how we use that information and our legal basis for doing so. It also covers whether and how that information may be shared and your rights and choices regarding the information you provide to us.

This Privacy Policy does not apply to the collection and processing of information in the Matomo Cloud-hosted service provided by us, which is covered by the Matomo Cloud Privacy Policy and Matomo Data Processing Addendum.

This Privacy Policy applies to the information that we obtain from you through:
(a) your use of Matomo websites including their subdomains: demo.matomo.cloud, forum.matomo.org, developer.matomo.org, shop.matomo.org, plugins.matomo.org, ios.matomo.org, issues.matomo.org, glossary.matomo.org;
(b) any direct contact you make with our team via email, contact forms, newsletter subscriptions, surveys, or when you complete any on-line feedback forms;
(c) when you create, use and make purchases through your Matomo Marketplace account or download our software directly from our websites;
(d) when you interact with us via our social media accounts or
(e) when you apply for a role advertised on our websites.

This Privacy Policy also applies to instances where we may receive your personal data from third party service providers.

This Privacy Policy explains:

Who we are

We are InnoCraft Limited (InnoCraft, we), a New Zealand registered company (NZBN 6106769), established by the creators of Matomo analytics. Our offices are located at 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand.

We are the data controller, or agency, in relation to the activities described in this privacy policy, unless stated otherwise.

If you have any questions about this privacy policy or you would like to access earlier versions of this Privacy Policy, please contact our privacy team at [email protected].

What personal data we collect, when we receive it and how we use it

We will never sell your personal data to anyone.

In order for us to provide you the best possible experience on our websites and deliver our services to you, we collect and process certain personal data as follows:

(a) When you contact us via our websites or directly via email — for example, when you ask for support, send us sales enquiries, questions, comments, feedback or when you complete a survey, customer satisfaction questionnaire or report a problem, we will collect your name, email address, your job title if provided, the content of the message, etc. We use this data to answer the queries we receive, to build business relationships, and to analyse the types of queries we receive and improve our customer management processes and to improve our products and services. If you do not provide your personal data, we will not be able to respond to you.

(b) When you sign up to receive Matomo content or offers – for example, when you sign up to receive our guidebooks or participate in our masterclasses, or when you subscribe to the newsletter, or consent to receiving marketing materials, we use your email address to deliver the resources you requested. You can always withdraw your consent to receive our marketing content by clicking ‘unsubscribe’ in the relevant emails or contacting [email protected].

(c) When you create an account — when you sign up for and open an account on Matomo forum, or create an account on the Matomo Marketplace, we may ask you to provide us with information such as your name, email address and details about your organisation. In addition, when you use your Matomo Marketplace account to purchase premium plugins, we collect and process your username, password, payment information, phone number and physical address. As otherwise detailed in this Privacy Policy, we will solely process this information to provide you with the service you signed up for. If you do not provide your personal data, we would not be able to create the accounts and you would not be able to purchase plugins on the Matomo Marketplace.

(d) When you download Matomo On-Premise – we collect and store the following information relating to your Matomo On-Premise software licence, which may in some cases include personal information: the IP address of the server where the instance is stored, URL of the customer, version of Matomo On-Premise downloaded and database version and programming language, time zone, number of websites tracked and number of licensed authorised users. We use this information to manage our licensing, billing and customer support.

(e) When you apply for a role advertised on our website, we will collect your name, email address, country if provided, the role you are applying for and your CV and cover letter or message. We use the personal data you provide to evaluate your application and communicate with you during the recruitment process. If you don’t provide your personal data, we would not be able to process your application.

(f) When you interact with us via social media, e.g., Meta (Facebook), GitHub, Hootsuite, LinkedIn, Mastodon, Reddit, YouTube or X (Twitter), or any other similar third party page, your personal data is processed by the social media platform providers under their privacy policies and processes. We process your personal data collected from social media, such as full name, business email address, job title, company, telephone number, any other personal data you provide us with to respond to your requests, develop a business relationship or send you direct marketing communications (subject to prior consent requirements where applicable). If we cannot use your personal data, we would not be able to respond to your requests, establish business relationships or send you marketing materials.

(g) We use data broker services to enrich our customer or prospective customer data - when you express interest in our product, sign up to our newsletter or other marketing materials, or are our customer, we use a data broker services provider identified in Who we share your personal data with (section (b)) to enable us to collate corporate and professional information about our customers and prospective customers. This allows us to understand our customers’ requirements better, customise sales and marketing efforts and develop our products. The data broker services process your email address as data processors for us, and provide us with the following information, if they hold it, from their database: Company (your employer company name and corporate details), your job title, industry, office location (including city), business telephone number, business email address, LinkedIn URL. In some cases, we may receive information about your previous employers and titles. We process this personal data on the basis of legitimate interest. Without the information we will not be able to customise our communications with you, to best meet your needs. You can opt-out of data enrichment processing, by completing this form.

(h) Usage data - when you visit our site, we will store: the website which you visited us from, the parts of our site you visit, the date and duration of your visit, your IP address which we store in full form in the server logs for 30 days for security reasons and which we anonymise on receipt for use in website analytics, information from the device (device type, operating system, screen resolution, language, country you are located in, and web browser type) you used during your visit, and more. We process this usage data using our own analytics tool, Matomo Analytics, and we process the information for statistical purposes, to improve our site and to recognise and stop any misuse.

You can opt out of being tracked by our Matomo Analytics instance below.

(i) Cookies- we use cookies (small data files transferred onto computers or devices by sites) for record-keeping purposes and to enhance functionality on our site. You may deactivate or restrict the transmission of cookies by changing the settings of your web browser. Cookies that are already stored may be deleted at any time.

Opt-out of website tracking


Please be aware that some browsers can delete the opt-out cookie if you have not visited our website in anywhere between 7 days (Safari), 45 days (Firefox) or 400 days (Chrome) as of the date of this policy. These timeframes may be subject to change. If you are not a regular visitor to our websites and wish to opt-out of analytics use, please check the setting when you visit, to make sure the opt-out is still recognised by your browser.

We process your Personal Data on the following legal bases:
Consent – We may process your Personal Data for one or more specific purposes if you give us your consent, for example we ask for your consent to receive marketing materials, surveys or general information about our products. Whenever we process your Personal Data on the basis of your consent, we will ask you for it and inform you about your right to withdraw it.
Contract performance and pre-contractual requests – We may process your Personal Data when it is necessary for the performance of a contract with you or for the performance of pre-contractual measures, which are carried out at your request. For example, when you send us a sales enquiry, when you download Matomo On-Premise, when you purchase a plugin or process a payment, when you send us a customer support request or a technical query.
Legal obligation – We may process your Personal Data when it is necessary for compliance with a legal obligation to which we are subject, for example, to comply with any applicable tax laws.
Legitimate interests – We may process your Personal Data when it is necessary for the purposes of our legitimate interests, unless these are overridden by your interests or fundamental rights and freedoms. For example, when we process your enquiries for customer relationship management purposes or when we enrich customer or prospective customer data with data from a third party provider, as explained in the Third Party Services We Use section.

Your Rights

Data subject rights vary depending on the applicable privacy laws. We are based in New Zealand and governed by the New Zealand Privacy Act and any privacy laws that apply to the processing because of their extra-territorial effect (e.g. EU GDPR, UK GDPR).

If the EU GDPR or UK GDPR is the law applicable to our processing of your data, you have the right of access to your Personal Data and to information regarding the processing of Personal Data by InnoCraft, the right to rectification/correction, erasure, restriction of processing and the right to object to the processing of your Personal Data. You also have the right to receive your Personal Data in a structured, common and machine-readable format and to transmit it or have it transmitted to another controller. If you have given us your consent for processing your Personal Data, you also have the right to withdraw your consent at any time with effect for the future.

To the extent any U.S. state privacy act applies to our processing of your personal information, your rights may include a right to access, correct, delete, opt-out of certain processing, right to portability, right to opt-in for sensitive data processing, right against automated decision making or other rights provided for under applicable laws.

We can only identify you via your email address and we can only adhere to your request and provide information if we have Personal Data about you through you having made contact with us directly and/or you using our site and/or service. We cannot provide, rectify or delete any data that we store on behalf of our users or customers. If you wish to exercise your rights in relation to personal data processed by a publisher or a website using Matomo Analytics, please contact the publisher first.

To exercise any of the rights mentioned in this Privacy Policy and/or in the event of questions or comments relating to the use of Personal Data you may contact our privacy team: [email protected]

In addition, you have the right to lodge a complaint with a data protection authority or a supervisory authority responsible for protecting your privacy rights, e.g.:
  • New Zealand: Office of the Privacy Commissioner: https://www.privacy.org.nz/about-us/contact/
  • UK: Information Commissioner’s Office: https://ico.org.uk/global/contact-us/
  • EU: select the appropriate authority from the list provided by European Data Protection Board https://edpb.europa.eu/about-edpb/board/members_en
  • Australia: Office of the Australian Information Commissioner: https://www.oaic.gov.au/about-us/contact-us/
  • Rest of the world: please contact us on [email protected] and we can provide you with the details of the appropriate authority.

Children’s Privacy

Our websites and products are not intended for children or minors. We do not knowingly collect children’s or minors’ personal data. Any accounts created by a child or a minor without parental consent and brought to our attention will be deleted as required by law.

Who We Share Your Personal Data With

A. Processors

We use a select number of trusted external service providers for certain technical data processing and/or service offerings. These service providers are carefully selected and meet high data protection and security standards. We only share information with them that is required for the services offered and we contractually bind them to treat any information we share with them as confidential and to process personal data only according to our instructions.

Recipient Purpose of processing Our legal basis for processing Data location and security Personal data collected by the third party Privacy Terms
AlwaysData S.à r.l., Secure infrastructure for website servers, databases and logs Contract (customers, potential customers)
Legitimate interest (other data subjects):
  • security
Europe, France IP address (stored for 30 days for security reasons), contact information provided via forms, subscriptions or queries Processing covered by DPA
Atlassian Pty Limited and Atlassian, Inc. Company work management Legitimate interest
  • workflow management
USA name, email address, role of customers Processing covered by DPA
Calendly LLC To book calls with customers, prospective customers or applicants Contract USA Name, email, time zone and date of appointment Processing covered by DPA
ChartMogul Ltd Customer relationship management analytics Legitimate interest
  • analysis of data from prospects, leads or customers to improve products, sales and marketing
Germany B2B customer/prospect: job title, name, phone number, email address. Processing covered by DPA
Dovetail Research Pty Ltd To transcribe, summarise, and process your feedback given in video interviews using AI tools Consent Australia and the EU Video recording of the interview, transcript, contact details, personal information given during the interview Processing covered by DPA (available on request) including AI terms
Employ, Inc. (previously Lever) To receive job applications and reply to applicants Contract USA All candidate information, resume, references, when staff come onboard after recruitment (successful candidates): Job application details (Email, name, CV/resume, IP address), etc. Processing covered by DPA
HappyScribe Ltd. Transcription of calls with customers and prospective customers Consent Ireland Name, email address, role of customers Link
Help Scout, PBC To receive and reply to your messages after you contact us Consent:
  • processing and responding to visitors
Contract:
  • providing customer support or
  • responding to sales enquiries
Legitimate Interest:
  • internal communication and management of customer support tasks workflow
USA Message sent, Name, Email, if included in the email: contact address, job title, company name, company contact details. Processing covered by DPA
HubSpot, Inc. To send marketing materials;
To receive webinar signup confirmation, reminder and follow-up emails
Consent EU Email Processing covered by DPA
HubSpot, Inc. CRM system Legitimate interest:
  • Processing data from prospects, leads or customers, analysing and improving marketing strategies
EU Name, email, job title, company name, company contact details, sale details, account type, number of authorised users, requirements, account activation, etc. Processing covered by DPA
Intuition Machines Authorisation Legitimate interest
  • ensuring security and authorisation
USA IP address numbers, device information. Processing covered by DPA
MadMimi (owned by GoDaddy Operating Company, LLC) To send you our newsletter emails after you sign up Consent USA Email Processing covered by DPA
Microsoft France SAS Use Microsoft 365 to manage workflows, files and documentation; email correspondence; meetings and scheduling Consent:
  • processing and responding to visitors
Contract:
  • managing and providing customer support or
  • responding to sales enquiries
Legitimate interest (in other cases):
  • workflow, file and documentation management;
  • correspondence;
  • meeting scheduling
France, EU Name, email address, mailing address, telephone number, department, role, company name; Correspondence; Associated Matomo account; Billing address, subscriptions and payment history Processing is covered by DPA (available on request)
Productboard, Inc To collate and process product and services feedback Legitimate interest:
  • processing product and services feedback
USA Work title and company name, any personal data included in the feedback. Processing is covered by DPA (available on request)
Slack Technologies Limited (Ireland) Used for internal company communications Legitimate interest:
  • internal chat tool to discuss projects, requests, workflow, operations
TBC Name, email address, mailing address, telephone number, department, role, company name;
Correspondence;
Associated Matomo account;
Billing address, subscriptions and payment history;
Processing covered by DPA
Userlike UG To be able to chat with you Consent Germany IP Address, Chat transcript, Email address, Browser, Operating system, Device, Number of page requests, Number of page visits, Referrer, URL (where the chat originated), Questionnaire before and after the chat (optional), Chat topic, Chat status (new, pending, closed), Chat evaluation after the chat, Duration of the chat, Date of the chat, Geo location (voluntary, optional), Media files shared by the contact with the operator during the chat Processing covered by DPA
UXtweak j.s.a. To collect user/customer feedback Consent Slovenia Name, email, job title, company, feedback Processing covered by DPA
Zoho Corporation Pvt. Ltd. To host customer feedback surveys Legitimate interest:
  • collect customer feedback;
  • improve product and services
EU Customer email and feedback link (DPA available on request)

B. Third party services we use

When you visit our websites, or purchase products or services, we use the following third party services providers who collect and process your data as data controllers or joint controllers with us. These providers may collect personal data beyond the data we collect about you. Please refer to the privacy policies of these third parties for full information about what personal data these third parties collect about you, how they process the data, on what legal basis and how to exercise your data subject rights against them.

Recipient Purpose of processing Our legal basis for processing Data location and security Examples of personal data collected by the third party Third party Privacy Policy
Cognism Limited To enable customer and prospective customer data enrichment in B2B (business to business) context. This is to enable us to tailor our communications with you to better fit your needs and to better understand our customer base. Legitimate interest
  • sales and marketing
  • customisation of communications
  • product development
UK, Croatia Company (employer company and company details), Job Title, Industry, Office location (including city), Business telephone number, Business email address, LinkedIn URL. In some cases we may receive from Cognism information about your previous employers and titles. You can opt out of Cognism Data processing or opt out from us enriching your data by completing this form. link
Communiteq Q B.V. (previously Discourse Hosting) To enable users to create an account on Matomo forum and participate in the forum. Contract Germany Email address, Username, Name, Password, Posts link
Quickchannel AB To sign up for live webinar, receive confirmation, reminder and follow-up emails and participate in live webinars; to control live webinar access Contract Sweden (EU) Name, Email, Company, Phone number, IP address, Browser information, Operating system, Type of device, Screen size, Internet connection link
PayPal Pte. Ltd. (PayPal Braintree) To receive payments Contract USA Singapore Username, password, names, e-mail, payment information, phone number, billing address link
Youtube (operated by Google LLC) Social media content provision and interactions

To embed video files on our websites. We use Privacy Enhanced Mode to prevent your viewing of the embedded content being used to personalise your YouTube browsing experience
Legitimate interest (content creation and user interaction)

or

Consent (if required for specific processing, e.g., embedding content on our website)
USA At minimum your IP address, data processing in local storage and possibly cookies. If you are logged into Google account, Google may merge this action with your account. link
Zoom Video Communications, Inc. To conduct meetings with customers and prospective customers Contract USA Profile info (unique user ID); profile picture; Diagnostic Data (event logs, session information, host and participant information);Telemetry data (data collected from devices, microphone, speaker, hard disk ID, MAC address); other service data; Customer authentication data; session content, chat messages, customer initiated cloud recordings; meeting and participant info, stored chat info, etc. link

C. When you instruct us to transfer data to third parties

Looker Studio Integration: We provide the Matomo Connector (the “Connector”), designed to facilitate the seamless integration of your Matomo On-Premise account data with Looker Studio. Should you choose to activate or utilise the Matomo Connector, please be aware of the following:

  • Data Export: Upon activation of the Matomo Connector, all data stored within your Matomo account will be exported to Looker Studio. This transfer is initiated by you and is under your control.
  • Data Privacy: Once your data is exported to Looker Studio, it will be governed by the applicable Looker Studio terms of service and policies provided by Google. We strongly advise you to review their terms and policies and understand the implications before initiating the data transfer.
  • Privacy Considerations: Transferring data, especially visitor data, to external platforms can have privacy implications. It's crucial to ensure that you have the necessary permissions and have considered the privacy ramifications of such a transfer.
  • Exclusive Connector Use: To ensure the security and privacy of your data, we recommend exclusively using the Matomo Connector for this integration. Avoid using third-party connectors or tools for Looker Studio that claim compatibility with Matomo, as we cannot vouch for their security or data handling practices.

International transfers

If the EU GDPR or UK GDPR applies to our processing of your personal data, we receive it in New Zealand on the basis of adequacy decision. For the above processors and third-party services, we transfer your personal data to a third country (i.e. outside the European Union (EU), the United Kingdom or the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, only in accordance with the applicable legal requirements.

Specifically, for the above processors and third-party services, we process or allow the data to be processed on the basis of adequacy or standard contractual clauses of the EU Commission, subject to data transfer impact assessments where required. More information on this is available from us upon request.

Retention of data

We will retain your information as long as your account is active, as necessary to provide you with the services or as otherwise set forth in this Policy. We will also retain and use this information as necessary for the purposes set out in this Policy and to the extent necessary to comply with our legal obligations, resolve disputes, enforce our agreements and protect our legal rights.

We also collect and maintain aggregated, anonymised information which we may retain indefinitely to protect the safety and security of our websites, improve our Services or comply with legal obligations.

How We Protect Your Personal Data

Data security is important to us. We process your personal data securely, using appropriate technical and organisation measures designed to protect your data from unauthorised access, disclosure, alteration or loss. Some of the measures applied by InnoCraft include: use of secure cloud infrastructure compliant with a number of information security standards, access controls, bug bounty, in-transit and at-rest encryption, response and tracking of security risks and availability controls.

If you have any concerns about the security of your personal data, please contact us immediately using the contact details provided below.

Automated decision-making including profiling

We do not perform automated decision making or profiling.

Privacy Policy changes

We may update this Policy from time to time. If we do, we’ll let you know about any material changes, either by notifying you on the website or by sending you an email. Once posted on this website, the amended Privacy Policy will be effective as of the Effective Date stated above.

Contact us

If you have any questions or concerns regarding this Privacy Policy or how your personal data is processed, please contact us by emailing [email protected] or via the contact form: matomo.org/contact.

If you are based in New Zealand, you can write to us at our registered address: InnoCraft Limited, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand, Attention: Privacy Officer.

We aim to respond to your inquiries as soon as reasonably possible. If you want to give us feedback on how we handled your request, please let us know. We are always trying to improve.

EU Representative
Because InnoCraft is located outside of the EU and UK, the InnoCraft team has named a representative of controllers or processors not established in the EU or the EEA and in the UK (Art. 27 GDPR):

  • If you are a resident of the EU or the EEA, you can contact:
    ePrivacy Holding GmbH
    Burchardstraße 14
    20095 Hamburg
    Germany
    www.eprivacy.eu/en/legal

  • If you are a resident of the UK, you can contact:
    UK Representative Service for GDPR Ltd.
    7 Savoy Court
    London WC2R 0EX
    United Kingdom
    www.eprivacy.eu/en/legal
External Data Protection Officer
If you wish to communicate directly with our Data Protection Officer (because you have a particularly sensitive matter for example), please contact them by post, as communication by e-mail could always have security gaps.
Please state in your request that your concern relates to the company InnoCraft.
External Data Protection Officer
ePrivacy GmbH
represented by Prof. Dr. Christoph Bauer
Burchardstraße 14, 20095 Hamburg
Germany