Trackboxx is a Dutch web analytics platform built as a privacy first alternative to Google Analytics. It is developed and operated by Trackboxx B.V. in Amsterdam, hosts all data inside the European Union and offers a cookieless tracking mode that does not require visitor consent. An optional first party cookie mode is also available for operators who want session and visitor identification, in which case the strict consent rules of the ePrivacy Directive and the GDPR apply.
Trackboxx is a Dutch web analytics platform built as a privacy first alternative to Google Analytics. It targets European SMEs, agencies and public sector websites that want simple traffic measurement without the legal complexity of a US based analytics suite. The platform is developed and operated by Trackboxx B.V. in Amsterdam and runs entirely on EU based infrastructure. The default tracking mode is cookieless: the script counts visitors and page views using truncated IP addresses, User Agent fingerprints and basic page metadata.
In the default cookieless mode Trackboxx does not set any cookie and does not store any persistent identifier on the visitor device. The script captures the truncated IP address, the User Agent string, the page URL, the referrer and the timestamp, and computes a daily hash so that returning visitors can be approximated without persistent identifiers. In the optional cookie mode, a first party cookie is set with a Trackboxx visitor identifier and a session identifier, which improves accuracy at the cost of triggering the ePrivacy consent requirement.
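The daily hash described above can be sketched as follows. This is an added example, not Trackboxx's code: the /24 and /48 truncation widths, the HMAC-SHA256 construction, the secret and the site name are assumptions, since the page does not specify them. It also shows the accuracy cost of the approach: two devices behind the same truncated prefix with the same User Agent count as one visitor.

```python
import hashlib
import hmac
import ipaddress
from datetime import date

# Assumed truncation widths; the page only says the IP is "truncated".
V4_PREFIX, V6_PREFIX = 24, 48


def truncate_ip(ip: str) -> str:
    """Zero the host bits so the value no longer singles out one device."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def daily_salt(secret: bytes, day: date) -> bytes:
    """Per-day key: hashes from different days cannot be joined without the secret."""
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()


def visitor_hash(secret: bytes, day: date, site: str, ip: str, user_agent: str) -> str:
    """Pseudonymous visitor key, valid for one site and one calendar day."""
    msg = "\x00".join([site, truncate_ip(ip), user_agent]).encode()
    return hmac.new(daily_salt(secret, day), msg, hashlib.sha256).hexdigest()[:16]


def count_uniques(secret: bytes, site: str, hits) -> dict:
    """hits: iterable of (day, ip, user_agent). Returns unique visitors per day."""
    seen = {}
    for day, ip, ua in hits:
        seen.setdefault(day, set()).add(visitor_hash(secret, day, site, ip, ua))
    return {day: len(keys) for day, keys in seen.items()}


# Constructed sample traffic (documentation address ranges, made-up User Agents).
SECRET = b"constructed-demo-secret"
UA_A, UA_B = "Mozilla/5.0 (X11; Linux x86_64) Demo/1.0", "Mozilla/5.0 (Macintosh) Demo/2.0"
D1, D2 = date(2024, 5, 1), date(2024, 5, 2)
HITS = [
    (D1, "203.0.113.7", UA_A),    # visitor 1
    (D1, "203.0.113.7", UA_A),    # same visitor, second page view
    (D1, "203.0.113.99", UA_A),   # same /24 and UA: collides with visitor 1
    (D1, "198.51.100.4", UA_B),   # visitor 2
    (D2, "203.0.113.7", UA_A),    # visitor 1 returns next day with a new hash
]

if __name__ == "__main__":
    print(count_uniques(SECRET, "example.org", HITS))
```

The output of `visitor_hash` is still pseudonymous data for as long as the secret is retained, which is why the transparency and processor obligations discussed on this page apply even without a cookie.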
Because the default cookieless mode does not store or read information on the visitor device, the ePrivacy Article 5(3) consent requirement does not apply. The processing of the truncated IP and page metadata is justified by the legitimate interest of the operator in measuring traffic, with very limited impact on the visitor. The optional cookie mode does set a first party cookie that goes beyond strictly necessary, so it triggers consent under TTDSG in Germany or its equivalents elsewhere in the EU. In either mode the GDPR transparency obligations of Articles 13 and 14 apply.
The default cookieless mode relies on legitimate interest under Article 6(1)(f) GDPR. The optional cookie mode relies on consent under Article 6(1)(a) GDPR for the cookie storage and on legitimate interest for the analytics processing of the collected data. A data processing agreement with Trackboxx B.V. under Article 28 GDPR is required in both modes because the operator is the controller and Trackboxx is the processor for hosting and processing the analytics data.
Trackboxx hosts the analytics backend on EU infrastructure (Amsterdam) and uses EU established sub processors. Personal data is not transferred outside the EEA, which removes the entire Schrems II problem and simplifies the privacy notice considerably. This is one of the main reasons European public sector and privacy sensitive operators choose Trackboxx over US based analytics suites.
Choose the cookieless mode whenever possible: it is the simplest path to compliance because no consent is required. Sign the Trackboxx DPA, list Trackboxx B.V. in your privacy notice as a processor and document the EU only hosting model. If you activate the optional cookie mode, integrate the Trackboxx cookie into your CMP under the analytics category and ensure it stays blocked until the visitor opts in.
Websites using Trackboxx must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Trackboxx because it processes only minimal pseudonymous metadata (truncated IP, page path, User Agent fingerprint), keeps data inside the EEA and does not perform profiling or cross site tracking. A DPIA can become relevant in very high traffic sites that combine Trackboxx with extensive funnel analysis on sensitive product categories, but the threshold of Article 35 GDPR is rarely met in a standard deployment.
Sample consent text
We measure website usage with Trackboxx, a privacy first analytics tool by Trackboxx B.V. in the Netherlands. In its default cookieless mode Trackboxx only collects truncated IP addresses, page paths and aggregated session data, all stored on EU servers, and does not place cookies on your device. No consent is required for the default mode; if we activate the optional cookie mode we will ask for your consent first.
Third-party domains contacted
trackboxx.com
trackboxx.info
app.trackboxx.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| tb_session | first_party | Session | Optional session identifier set by Trackboxx in cookie mode to track a single visit accurately. Not set in the default cookieless mode. |
| tb_visitor | first_party | 12 months | Optional visitor identifier set by Trackboxx in cookie mode to recognise returning visitors. Not set in the default cookieless mode. |
In the default cookieless mode Trackboxx does not set any cookie and does not store any persistent identifier on the visitor device. The script computes a daily hash to approximate returning visitors without persistent storage. In the optional cookie mode, a first party cookie with a Trackboxx visitor identifier and a session identifier is set, which provides higher accuracy at the cost of triggering the ePrivacy consent requirement.
In the default cookieless mode, consent is not required because no information is stored or read on the visitor device and the processing of truncated IP and page metadata rests on legitimate interest. In the optional cookie mode, the first party cookie goes beyond strictly necessary and requires prior consent under the ePrivacy Directive and its national implementations.
Cookieless mode relies on legitimate interest under Article 6(1)(f) GDPR, supported by the very limited impact on the visitor and the minimal data set processed. Cookie mode relies on consent under Article 6(1)(a) GDPR for the cookie itself and on legitimate interest for the analytics processing.
No. Trackboxx hosts the analytics backend on EU infrastructure in Amsterdam and only uses EU established sub processors. Personal data does not leave the EEA, which removes Schrems II concerns from the picture and simplifies the privacy notice considerably.
A DPIA is normally not required because Trackboxx processes minimal pseudonymous metadata, keeps data inside the EEA and does not perform profiling or cross site tracking. A DPIA can become relevant for very high traffic deployments combining Trackboxx with extensive funnel or behavioural analysis on sensitive product categories, but the threshold of Article 35 GDPR is rarely met.
Use the cookieless mode by default to avoid the consent requirement entirely, sign the Trackboxx DPA, list Trackboxx B.V. in your privacy notice as a processor and document the EU only hosting model. If you activate the optional cookie mode, integrate the cookie in your CMP under analytics and ensure it remains blocked until the visitor opts in.
Privacy first analytics alternatives include Matomo (self hosted or EU cloud), Plausible (Estonia), Fathom (Canada), Simple Analytics (Netherlands), Cabin and Pirsch. Most of them offer a cookieless mode and EU hosting; the choice typically depends on features, integrations and price.
In cookieless mode there is no cookie to list, but you should still describe Trackboxx in the privacy notice (operator, data categories, retention, EU hosting, no third country transfer). In cookie mode, add the Trackboxx cookies to the cookie inventory with name, duration, purpose and Trackboxx B.V. as recipient.