ExtraWatch is a real time visitor analytics extension for Joomla and WordPress that logs visits, clicks, country, referrers and live activity directly into the host site database. Because everything is stored on the customer server, ExtraWatch can be operated without third country transfers, but it captures full IP addresses and click coordinates by default and therefore needs careful configuration to remain compatible with the GDPR and the ePrivacy Directive.
ExtraWatch is a server side analytics extension distributed as a Joomla and WordPress plugin. It logs every request hitting the site, builds a real time visitor view, computes country statistics from a local GeoIP database and renders click heatmaps. All data is stored in the host site database; no SaaS dashboard is involved.
By default ExtraWatch records the full IP address, user agent, language, referrer, screen resolution, country, page URL, time on page, click coordinates and form interactions. The optional JavaScript ping for the live view stores a short lived first party cookie so that returning visits can be linked across the same session. None of this data is anonymised at source.
Full IP addresses and click level data are personal data under Article 4(1) GDPR. Click heatmaps qualify as behavioural analytics and exceed the strict audience measurement scope tolerated by the CNIL exemption. The first party cookie used by the live view falls under Article 5(3) ePrivacy. Without anonymisation, ExtraWatch therefore requires a clear opt in cookie banner.
To rely on legitimate interest without consent, configure ExtraWatch to truncate the last octet of the IP, disable click heatmaps, disable form recording, set a short retention period (13 months maximum) and limit the data to aggregated audience statistics. Any deviation, especially the heatmap module or detailed visitor profiles, switches the legal basis back to consent.
ExtraWatch does not transfer visitor data to a SaaS provider. Data stays in the customer database. License validation pings reach the publisher domain (Slovakia, EU). Customers must verify that the site host itself is located in the EU/EEA and document this in the record of processing.
Enable IP truncation, disable click heatmaps and form tracking unless covered by consent, set retention to 13 months and document in your record of processing why ExtraWatch is used, where the database is hosted and which fields are anonymised. Add ExtraWatch to the privacy policy and cookie policy, with the legal basis (legitimate interest in anonymised mode, consent otherwise) and the contact details for data subject requests.
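To check that a deployment actually matches the anonymised configuration described above, the stored visitor log can be audited for full IP addresses, click coordinates and rows past the 13 month limit. The following is an added example, not ExtraWatch code: the row fields (`id`, `ip`, `seen`, `click_x`) are hypothetical and do not reflect the plugin's real schema, the sample rows are constructed, and the /48 mask for IPv6 is an assumption because the page only specifies the last octet for IPv4.

```python
import calendar
import ipaddress
from datetime import datetime

RETENTION_MONTHS = 13  # maximum retention stated on this page

def truncate_ip(raw):
    """Zero the last octet of an IPv4 address; keep only a /48 for IPv6 (assumption)."""
    ip = ipaddress.ip_address(raw)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def retention_cutoff(now, months=RETENTION_MONTHS):
    """Calendar date `months` before `now`, clamping the day to the month length."""
    total = now.year * 12 + (now.month - 1) - months
    year, month0 = divmod(total, 12)
    day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
    return now.replace(year=year, month=month0 + 1, day=day)

def audit(rows, now):
    """Return (row id, finding) pairs for rows that break the anonymised setup."""
    cutoff = retention_cutoff(now)
    findings = []
    for row in rows:
        # A stored address that changes when truncated was logged in full.
        if truncate_ip(row["ip"]) != str(ipaddress.ip_address(row["ip"])):
            findings.append((row["id"], "full IP stored"))
        if row.get("click_x") is not None:
            findings.append((row["id"], "click coordinates stored"))
        if datetime.fromisoformat(row["seen"]) < cutoff:
            findings.append((row["id"], "older than retention limit"))
    return findings

# Constructed sample rows using hypothetical field names.
SAMPLE_ROWS = [
    {"id": 1, "ip": "203.0.113.0", "seen": "2025-03-01T10:00:00", "click_x": None},
    {"id": 2, "ip": "203.0.113.77", "seen": "2025-03-02T11:30:00", "click_x": 412},
    {"id": 3, "ip": "2001:db8:abcd::", "seen": "2023-11-15T08:00:00", "click_x": None},
]

if __name__ == "__main__":
    for row_id, finding in audit(SAMPLE_ROWS, datetime(2025, 3, 10)):
        print(f"row {row_id}: {finding}")
```

A non-empty result means the legal basis described above has switched back to consent for the affected data, or that the retention purge is not running.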
Websites using ExtraWatch must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when ExtraWatch is deployed in its default configuration on a high traffic site, because it logs full IP addresses, click coordinates, fingerprintable user agent strings and behavioural patterns at scale. A DPIA may not be necessary in a fully anonymised configuration with truncated IPs, no click heatmap and short retention.
Sample consent text
This site uses ExtraWatch to measure audience and improve the user experience. ExtraWatch collects your IP address, browser, country and click coordinates and stores them on our own servers. Click Accept to allow detailed analytics or Reject to keep only anonymous statistics.
Third-party domains contacted
extrawatch.com
web357.eu
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| extrawatch_session | session | Session | First party session cookie used by the ExtraWatch live visitor view to link page views originating from the same browser within a single session. |
| extrawatch_visitor | persistent | 30 days | Optional persistent identifier set when the configuration includes returning visitor recognition. |
ExtraWatch sets a short lived first party session cookie used by the live visitor view to link page views from the same browser. It does not set advertising cookies. Visitor logs are stored server side in the host database, not in cookies.
In its default configuration with full IP logging, click heatmaps and detailed visitor profiles, prior consent is required under Article 5(3) ePrivacy and Article 6(1)(a) GDPR. With IP truncation, no heatmaps and short retention, ExtraWatch can be operated under legitimate interest and is closer to the CNIL exemption regime.
Legitimate interest (Art. 6(1)(f) GDPR) when properly anonymised, with a documented Legitimate Interest Assessment. Consent (Art. 6(1)(a) GDPR) in any setup that records full IPs, click heatmaps or persistent visitor profiles.
No. ExtraWatch stores everything in the customer database. As long as the host server is located in the EU/EEA, no third country transfer occurs. License validation pings reach the publisher in Slovakia, an EU member state.
A DPIA is recommended when the default configuration with click heatmaps, full IP logging and detailed profiles is used at scale. A DPIA can be avoided in a tightly anonymised configuration with truncated IPs, no heatmaps and short retention.
Enable IP truncation in the settings, disable click heatmaps and form tracking, set retention to 13 months maximum, restrict admin access to the dashboard, host the site in the EU/EEA and document the configuration in the record of processing.
For privacy first analytics on Joomla and WordPress, the main alternatives are Matomo (self hosted in cookieless mode), Plausible (EU hosted, no cookies), Fathom (EU hosted, no cookies) and Umami (self hosted). These tools are designed to be deployed without consent banners under the CNIL guidelines.
List ExtraWatch with the publisher (Web357), the purpose (audience measurement), the legal basis (legitimate interest in anonymised mode, consent otherwise), the storage location (your own server), the cookies set (the live view session cookie) and the retention period applied to the visitor logs.