Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Clicky is a US, based real, time web analytics platform operated by Roxr Software Ltd. It uses a JavaScript tracker that writes first, party cookies to identify visitors and sessions, and offers heatmaps, uptime monitoring and on, site search analytics. Because data is stored in the United States and visitor IPs are processed without anonymisation by default, Clicky requires consent under EU rules.
Clicky is a real, time web analytics platform launched in 2006 and operated by Roxr Software Ltd from the United States. It is one of the longest, running independent alternatives to Google Analytics and is popular with bloggers, small businesses, and SaaS publishers who want a live activity feed, on, site search reports, heatmaps, and uptime monitoring in a single tool. The product offers a free tier limited to one site and 3,000 daily page views, plus paid plans (Pro, Pro Plus, Pro Premium) that unlock more sites, longer history, white labelling and an HTTPS, only mode. The tracker is a small JavaScript snippet loaded from in.getclicky.com.
Clicky writes several first, party cookies on the publisher''s domain. _jsuid is a unique visitor identifier set on the first visit and persisted for one year, used to recognise returning visitors. cluid is a complementary identifier used by the heatmap feature. no, tracking is set when a visitor opts out, and no, anti, flicker is used by the experiments feature. Clicky also collects the visitor''s IP address, user agent, referrer, page URL, on, site search terms and a session timeline. Customer information goals can capture email addresses or usernames if the publisher enables that feature, which then becomes personal data of the visitor.
Clicky stores analytics data including full IP addresses on US servers and uses persistent cookies, which puts it firmly in the consent, required category under the ePrivacy Directive. The CNIL consent exemption that applies to Matomo or some Piwik PRO setups does not extend to Clicky, because Clicky neither offers IP anonymisation as a default nor confines the data to the EU. Under GDPR, the publisher acts as controller and Roxr Software Ltd as processor, and a Data Processing Agreement should be signed. Visitor rights (access, deletion) require coordination with Roxr support since there is no self, service mechanism in the dashboard.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Prior, freely given, informed and specific consent is required before loading the Clicky tracker for visitors in the EU/EEA, the UK, and Switzerland. The CMP must list Clicky under Statistics or Marketing depending on whether you also use the segmentation features for advertising. Consent must be obtained before any cookie is written and before the JavaScript file is fetched from in.getclicky.com. If consent is refused, the tracker should not load at all, in particular not in a degraded mode that still pings the Clicky servers. Implement a strict CMP integration that uses tag, blocking or category, gated loading.
All Clicky data is hosted in the United States. Roxr Software Ltd is not certified under the EU, US Data Privacy Framework, so the legal basis for the transfer falls on Standard Contractual Clauses (Commission Decision 2021/914) plus a Transfer Impact Assessment. The TIA must consider US surveillance laws (FISA 702, EO 12333, EO 14086), the volume of personal data, and the lack of pseudonymisation at the source. For high, risk websites or for compliance, sensitive sectors (health, public services, banking), an EU, hosted alternative is generally easier to defend.
Sign a DPA with Roxr Software Ltd, list Clicky under the Statistics category in your CMP, and gate the script behind a consent event. Disable customer information goals unless they are essential to your business and you have a legal basis for processing the captured identifiers. Set realistic data retention in the Clicky settings (the default is multi, year, which is rarely necessary). Add Clicky to the record of processing activities, and document a Transfer Impact Assessment for the US transfer. Consider Matomo, Plausible, Fathom, or Pirsch as EU, hosted alternatives for sites with high European traffic.
Websites using Clicky must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Clicky is used at scale, when data is combined with CRM or marketing automation, or when sensitive websites (health, finance, news, government) are involved. The transfer of full visitor IPs to the United States and the persistent _jsuid cookie elevate the risk profile. Document the legal basis (consent), the retention period of analytics events, the role of Roxr Software Ltd as processor, and the absence of an EU data residency option. Consider Matomo, Plausible, or Fathom as lower, risk alternatives.
Sample consent text
We use Clicky Analytics to understand how visitors use our website. Clicky writes first, party cookies (_jsuid, cluid) to recognise returning visitors and stores analytics data on its servers in the United States. Do you accept the use of Clicky Analytics cookies for statistical purposes?
Third-party domains contacted
getclicky.comin.getclicky.comstatic.getclicky.comstatic.clicky.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _jsuid | first-party | 1 year | Unique visitor identifier set on the first visit. Used by Clicky to recognise returning visitors, build visitor profiles and produce session timelines. |
| cluid | first-party | 1 year | Identifier used by the Clicky heatmap feature to associate click and scroll events with a unique visitor. |
| no-tracking | first-party | 20 years | Set when the visitor activates the Clicky opt, out mechanism. Tells the tracker not to record any further events from this browser. |
| no-anti-flicker | first-party | 1 year | Used by the Clicky experiments / split testing feature to disable the anti, flicker snippet for visitors who have already been assigned to a variant. |
Clicky collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Clicky writes first, party cookies on the publisher's domain: _jsuid (unique visitor identifier, persisted around 1 year), cluid (heatmap identifier), no, tracking (set when a visitor opts out), and no, anti, flicker (used by the experiments feature). It also sends visitor IP, user agent, referrer, page URL and on, site search terms to in.getclicky.com.
Yes. Clicky writes persistent identifying cookies and stores full IP addresses on US servers, so it is not eligible for the CNIL or BfDI consent exemption available to anonymous EU, hosted analytics. Prior, freely given, informed and specific consent must be obtained before the tracker loads from in.getclicky.com.
Consent (GDPR Article 6(1)(a)) is the only realistic legal basis. The combination of persistent cookies, full IP storage, and a US data location makes legitimate interest hard to defend. Strictly necessary processing does not apply because Clicky is an analytics tool, not a service requested by the user.
Yes. All Clicky tracking traffic and stored data is processed in the US by Roxr Software Ltd. Roxr is not certified under the EU, US Data Privacy Framework, so transfers must rely on Standard Contractual Clauses plus a Transfer Impact Assessment that addresses FISA 702 and other US surveillance provisions.
A DPIA is recommended for high, traffic deployments, sites in regulated sectors, or when Customer Information Goals are enabled to capture identifiers. The combination of US transfers and persistent identifying cookies is enough to trigger the DPIA threshold under several DPA guidelines (CNIL, AEPD, BfDI).
Sign a DPA with Roxr Software Ltd, gate the script behind a CMP consent event under the Statistics category, set a sensible data retention period in your account settings, disable Customer Information Goals unless they have a clear legal basis, and document the US transfer with SCCs plus a Transfer Impact Assessment.
Yes. Matomo (self, hosted or EU cloud, CNIL approved for consent exemption when configured), Plausible (EU cloud, cookieless), Fathom Analytics (EU cloud, cookieless), Pirsch Analytics (Germany, cookieless), and Simple Analytics (Netherlands, cookieless) are common privacy, friendly EU, hosted alternatives.
List Clicky under Statistics with the cookies _jsuid (1 year), cluid, no, tracking and no, anti, flicker. Mention Roxr Software Ltd as processor, the United States as the data location, and the absence of EU data residency. Link to Clicky's privacy policy and explain how visitors can opt out via the no, tracking cookie or browser DNT signal.