ClustrMaps Widget is a free embedded visitor counter and world-map service that collects visitor IP addresses, geolocates them, and publicly displays aggregated visit data on your website.
ClustrMaps Widget is a free embeddable visitor counter and geographic map originally launched in 2005 and now owned by Pillar Health, a US company. Website owners paste a small snippet (a script and an image tag) into their HTML; on each page view the visitor's browser requests those resources from clustrmaps.com, whose server records the visitor IP address, performs a GeoIP lookup, and increments a public counter. The widget then renders a world map (or a numerical counter) showing aggregated visit origins. Unlike purely client-side analytics, ClustrMaps captures its data from the request itself, so the IP address is read on the ClustrMaps server whether or not a cookie is ever set.
On each page load the visitor's browser issues a request to clustrmaps.com domains. The HTTP request carries the IP address, User-Agent string, Referer header and timestamp to ClustrMaps servers in the United States. ClustrMaps then geolocates the IP (typically to city level), stores an aggregated counter against your site's widget ID, and may set first-party storage to recognise repeat visitors within a short window. The aggregated counter (city, country, total visits) is rendered publicly within the widget. Raw IP addresses are processed by ClustrMaps but, per their documentation, are not exposed publicly; the aggregated city-level pins, however, remain publicly visible and indexable by search engines.
The Court of Justice of the European Union held in Breyer v Bundesrepublik Deutschland (C-582/14, 19 October 2016) that a dynamic IP address is personal data in the hands of an online media services provider where that provider has legal means to identify the visitor with additional information held by a third party (typically the ISP). The CJEU applied the same broad reading of identifiability in IAB Europe v Belgian Data Protection Authority (C-604/22, 7 March 2024). Because ClustrMaps logs IP addresses, geolocates them, and combines them with timestamps and User-Agent strings, what it processes is personal data within the meaning of Article 4(1) GDPR. Recital 49, which recognises network and information security as a legitimate interest, does not cover this processing: the data is sent to a third party in the US for analytics, not for securing the site.
Pillar Health is established in the United States, and ClustrMaps infrastructure is hosted there. Following the CJEU ruling in Schrems II (C-311/18, 16 July 2020) invalidating the Privacy Shield, controllers must rely on Standard Contractual Clauses supplemented by a Transfer Impact Assessment. The EU-US Data Privacy Framework adopted in July 2023 restores adequacy, but only for organisations self-certified under the Framework. As of writing, Pillar Health's DPF certification status should be independently verified on the official DPF list at dataprivacyframework.gov before relying on it. If ClustrMaps is not DPF-certified, controllers must execute SCCs and assess US surveillance law (FISA 702, Executive Order 12333) against the relatively low-volume IP processing involved.
A risk specific to ClustrMaps is the public display of aggregated visit data. On large public sites the city-level pins are harmless, but on small or specialised sites (a personal blog, a clinic page, a niche association) the map may pinpoint a single visitor's city. Combined with the page's topic (e.g. a medical condition, a political opinion, a confidential consultation) the public counter can amount to indirect disclosure of special-category data under Article 9 GDPR. The EDPB's Guidelines 4/2019 on Article 25 (data protection by design and by default) require controllers to build data minimisation and risk assessment into the design of their processing, which includes the re-identification risk created by publicly accessible aggregates. Operators of low-traffic or sensitive sites should disable the public map view or avoid ClustrMaps altogether.
Because ClustrMaps performs analytics that are not strictly necessary to deliver the service the user requested, Article 5(3) of the ePrivacy Directive requires prior, informed, freely given and specific consent before the widget may store or read anything on the visitor's device; in practice that means the snippet must not load at all, since the same request that sets the widget's cookies also transmits the IP address. The French CNIL has consistently held (deliberations SAN-2022-009 and SAN-2023-024) that 'free' analytics widgets do not benefit from the exemption CNIL grants to first-party, CNIL-compliant audience-measurement tools. CNIL further warns in its 2024 guidance on third-party services that free widgets often monetise visitor data and that the publisher remains liable for the downstream processing. Practically: obtain granular consent through a Consent Management Platform, keep the widget script (and any image fallback) blocked until that consent is recorded, and offer a refusal path of equal prominence.
Websites using ClustrMaps Widget must obtain user consent under GDPR regulations.
DPIA considerations
ClustrMaps Widget collects visitor IP addresses server-side, which under the CJEU Breyer ruling (C-582/14) constitute personal data where the operator has legal means to identify the visitor with additional information held by a third party such as the ISP. The widget transfers data to Pillar Health servers in the United States, triggering Schrems II considerations: controllers must verify that Standard Contractual Clauses are in place and conduct a Transfer Impact Assessment regarding FISA 702 and EO 12333 access. A specific risk is the public counter feature: aggregated visitor data (city, country, count) is displayed publicly on the host site, which on low-traffic pages can inadvertently re-identify individual visitors (e.g. a single city pin on a page whose audience is known to be small). CNIL has repeatedly warned that 'free' tracking widgets often shift costs onto users via monetisation of behavioural data; controllers must scrutinise the vendor's commercial model. A DPIA is recommended where the widget is embedded on pages with sensitive context (health, political, religious sites) or where traffic is low enough to permit indirect identification.
Sample consent text
We use the ClustrMaps Widget to display a public map of visitors to this site. This service collects your IP address and approximate geographic location and transfers them to Pillar Health servers in the United States. Do you consent to this processing?
Third-party domains contacted
clustrmaps.com
www.clustrmaps.com
cdn.clustrmaps.com
clustrmaps-cdn.com
plus.pillarhealth.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| clustrmaps_session | first_party | session | Server-side session identifier used by ClustrMaps to deduplicate repeat page views within a single browsing session and prevent counter inflation. Set in first-party context but linked to ClustrMaps processing in the US. |
| __cmuid | third_party | 1 year | Persistent visitor identifier set by clustrmaps.com to recognise returning visitors across sessions and to attribute repeat visits in the aggregated map. Considered non-essential analytics storage requiring prior consent under Article 5(3) of the ePrivacy Directive. |
| cm_geo | first_party | 30 days | Stores the cached geolocation result for the visitor's IP to reduce duplicate GeoIP lookups by ClustrMaps. The cached city or country value is processed alongside server-side IP collection and is subject to consent and to GDPR transfer rules when synchronised with the US backend. |
ClustrMaps Widget sets cookies and first-party storage to deduplicate and recognise visitors; inform visitors and obtain their consent through a consent banner before any of it is set.
Consent is required. ClustrMaps performs analytics that are not strictly necessary to deliver the service requested by the user. Article 5(3) of the ePrivacy Directive, transposed into national law (e.g. Article 82 of the French Loi Informatique et Libertés or § 25 of the German TTDSG), requires prior, informed, freely given and specific consent before the widget script is loaded and its storage set or any IP address captured. The widget must be blocked by a Consent Management Platform until explicit opt-in is given, and refusal must be as easy as acceptance.
IP addresses are personal data. In Breyer v Germany (C-582/14) the CJEU ruled that dynamic IP addresses qualify as personal data when the controller has lawful means to obtain identifying information from a third party such as the ISP. The IAB Europe ruling (C-604/22, 2024) confirms a broad interpretation of identifiability. ClustrMaps logs the IP, geolocates it and combines it with timestamps and user agents, all of which falls within Article 4(1) GDPR.
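A consent-gated loader of the kind this answer and the consent section above call for, written here as an added example (it is not ClustrMaps' or Pillar Health's embed code). The script URL, the `d=` widget parameter, the element id and the `consent:clustrmaps` storage key are assumptions; the cookie names come from the table on this page. A constructed stand-in for `document` lets the walk-through run outside a browser.

```javascript
// Consent-gated loading of a third-party counter widget (ClustrMaps-style).
// Added example; not ClustrMaps' or Pillar Health's own embed code. The script
// URL, widget id, element id and consent storage key below are assumptions.

const CONSENT_KEY = "consent:clustrmaps"; // assumed key written by your CMP

const WIDGET = {
  scriptId: "clustrmaps-widget",                      // assumed element id
  scriptSrc: "https://cdn.clustrmaps.com/map_v2.js",  // assumed path
  widgetId: "EXAMPLE_WIDGET_ID",                      // placeholder, not a real id
  // Storage names from the cookie table on this page; expired on withdrawal.
  cookieNames: ["clustrmaps_session", "__cmuid", "cm_geo"],
};

// Consent is a three-state value. An absent decision is "unknown" and must be
// treated exactly like a refusal: nothing loads.
function readConsent(storage) {
  const v = storage.getItem(CONSENT_KEY);
  return v === "granted" || v === "denied" ? v : "unknown";
}

// Insert the vendor script once. Returns true when it was inserted by this call.
function mountWidget(doc, cfg = WIDGET) {
  if (doc.getElementById(cfg.scriptId)) return false;
  const s = doc.createElement("script");
  s.id = cfg.scriptId;
  s.async = true;
  s.src = `${cfg.scriptSrc}?d=${encodeURIComponent(cfg.widgetId)}`;
  doc.body.appendChild(s);
  return true;
}

// Remove the script tag and expire the widget's cookies. Returns true when a
// script was removed. The IP already logged server-side cannot be undone here.
function unmountWidget(doc, cfg = WIDGET) {
  const s = doc.getElementById(cfg.scriptId);
  if (s) s.remove();
  for (const name of cfg.cookieNames) {
    doc.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  }
  return Boolean(s);
}

// Apply the stored decision. Returns the action taken, for logging and tests.
function applyConsent(doc, storage, cfg = WIDGET) {
  const state = readConsent(storage);
  if (state === "granted") return mountWidget(doc, cfg) ? "mounted" : "already-mounted";
  return unmountWidget(doc, cfg) ? "unmounted" : "blocked";
}

// Constructed minimal stand-in for `document` so the example runs in Node.
function makeFakeDocument() {
  const nodes = [];
  return {
    cookie: "",
    nodes,
    body: { appendChild: (n) => { nodes.push(n); } },
    createElement: (tag) => ({
      tag,
      remove() { const i = nodes.indexOf(this); if (i >= 0) nodes.splice(i, 1); },
    }),
    getElementById: (id) => nodes.find((n) => n.id === id) || null,
  };
}

// Constructed stand-in for window.localStorage.
function makeFakeStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Walk-through: no decision -> blocked; granted -> mounted (once); denied -> unmounted.
function demo() {
  const doc = makeFakeDocument();
  const storage = makeFakeStorage();
  const steps = [applyConsent(doc, storage)];
  storage.setItem(CONSENT_KEY, "granted");
  steps.push(applyConsent(doc, storage), applyConsent(doc, storage));
  storage.setItem(CONSENT_KEY, "denied");
  steps.push(applyConsent(doc, storage));
  return { steps, scripts: doc.nodes.length, cookie: doc.cookie };
}

if (typeof document === "undefined") console.log(demo());
else applyConsent(document, window.localStorage);
```

Two points the code makes explicit: an absent consent decision is handled like a refusal, and withdrawal removes the script and expires the listed cookies. It cannot recall an IP address already logged on the ClustrMaps server, which is why the gate has to be in place before the first page load. Do not ship a `<noscript><img>` fallback for the counter: that image request transmits the IP regardless of any JavaScript gate.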
ClustrMaps is operated by Pillar Health in the United States. Following Schrems II (C-311/18, 2020) controllers must rely on Standard Contractual Clauses plus a Transfer Impact Assessment, or on a valid certification under the EU-US Data Privacy Framework adopted in July 2023. Verify Pillar Health's active DPF status on dataprivacyframework.gov; if absent, you remain exposed to FISA 702 and EO 12333 access risks and must implement supplementary measures.
ClustrMaps publicly displays aggregated visitor data (city pins, country totals, visit counts). On low-traffic or niche pages this aggregation can pinpoint a single visitor's city, which combined with the page topic (e.g. health, religion, politics) can amount to indirect disclosure of special-category data under Article 9 GDPR. The EDPB's Guidelines 4/2019 on Article 25 (data protection by design and by default) require controllers to assess such re-identification risk when designing processing that exposes aggregates publicly.
ClustrMaps primarily relies on server-side IP collection, but can set first-party storage to deduplicate repeat visitors within a short window. Any such storage is subject to Article 5(3) ePrivacy Directive and requires prior consent regardless of duration or technical mechanism.
A Data Protection Impact Assessment is recommended (and may be mandatory under Article 35 GDPR) when ClustrMaps is deployed on pages with sensitive context, on low-traffic sites where re-identification is plausible, or when combined with other tracking. The DPIA must address US transfers, public-aggregation risk and the vendor's commercial model.
In its 2024 guidance on third-party services and in sanctions SAN-2022-009 and SAN-2023-024 the French CNIL has warned that "free" analytics and counter widgets typically monetise visitor data and that the publisher remains liable for downstream processing. Free pricing does not justify dispensing with consent or with a thorough vendor assessment.
EU-hosted privacy-friendly analytics such as Matomo (self-hosted or EU cloud), Plausible (EU), Fathom (EU option) or Piwik PRO provide visitor statistics without US transfers and, when properly configured, may benefit from the CNIL exemption from consent. None offers a public world-map widget by default; the public counter is the feature that creates most ClustrMaps-specific risk, so the simplest mitigation is to remove the public map view.