Privacy & Compliance

OneSpot's Commitment to GDPR

A new data privacy law was recently introduced in Europe called the General Data Protection Regulation (GDPR), impacting how businesses collect and process data. This important piece of legislation was designed to strengthen and unify data protection laws for all individuals within the European Union (EU).

At OneSpot we’ve created a platform and service to deliver relevant content to users anonymously, without personally identifying users. We believe we have a responsibility to safeguard privacy and support anonymity in user behavior analysis, so that trust between website owners, prospects and customers can be assured and maintained.

We recently engaged with TrustArc, a reputable privacy risk management firm, to do a thorough GDPR assessment. TrustArc confirmed that OneSpot’s Inbox and OnSite products do not handle any personal data nor perform any high risk processing activities. For more detailed information on OneSpot’s commitment and compliance with GDPR, please review our compliance data sheets below.

OnSite & InBox - Anonymous Data Collection

Well before GDPR was adopted by the EU, OneSpot made the commitment to collect only non-personally identifiable information in our tracking and logging data. Through a combination of controls on people, process and tools, OneSpot ensures that none of the data that is automatically collected, stored or handled by OnSite or InBox can be used to identify a person either directly or indirectly. This is consistent with the guiding principle of privacy by design as stated under GDPR Article 25.

Too often we read online that any cookie tracking, IP address logging or web behavior analysis is personal data and subject to GDPR. To further clarify and further educate our customers we created the datasheet OnSite and Inbox data is Anonymous Data outlining our interpretation of the current GDPR definition of personal data as it applies to the data we handle in OnSite and InBox. In this datasheet, we review relevant GDPR articles, recitals and EU case law in order to show how TrustArc and OneSpot arrived at the conclusion that no personal data, as defined by GDPR, is processed by InBox or OnSite.

Insights - Personal Data We Collect

When OneSpot sets your employees up with user logins for our Insights dashboard, we require the users full name and email address. We collect data related to product usage, such as successful and failed logins, which features are used most often, as well as any error logs or crash reports. We also have live chat and email support features which allow users to submit questions and get real-time response. Finally we will email our users with product-related announcements, tips and tricks. We use this user data for customer service and product improvement, we do not use or share this data for any other purpose.
We retain this data for the duration of the customer agreement. Because all of this data relates to identifiable users, if any of your users are located in the EU then this data would be protected as personal data under GDPR, and you will want to sign our Data Protection Addendum (DPA) in order to maintain your own GDPR compliance. You can sign our DPA directly from this page in the section below.

Sign our DPA

In the course of providing our service, OneSpot may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/customers we’ve developed a Data Processing Agreement (DPA) that we enter into free of charge with anyone that uses our service and requests it. This document forms part of a contract of service with OneSpot (as the Data Processor) and our users/customers (as the Controllers). The DPA reflects the parties’ agreement with regard to the processing of personal data performed using our service.
As a Controller, in order to sign this agreement, you must review and digitally sign copy of the Data Processing Agreement. We will countersign it and provide you with a fully executed downloadable copy via email within 5 business days. Upon OneSpot’s receipt of the validly completed and digitally signed Agreement, this Agreement shall be in full force and effect.

Do Not Track

OneSpot also honors the Do Not Track header. This means that if your website visitors have the Do Not Track header installed, OneSpot will not track them.

OneSpot Subprocessors List

OneSpot maintains a list of third party subprocessors in connection with the applicable OneSpot Products/Services.


When someone visits a site with our tracking script installed, we collect internet log information and details of visitor behavioral patterns. This allows us to identify the number of visitors to various parts of the website, as well as other general performance metrics. In theme with all of our privacy and compliance standards in place, we collect this information in a way that does not personally identify the individual. For more detailed information, please visit our Cookie List.

Privacy Policy

The OneSpot privacy policy describes your privacy rights in connection with information collected, used, stored, or shared by OneSpot. This policy applies to your use of the OneSpot website or through sites affiliated with OneSpot’s content marketing and online advertising platform. By using the OneSpot website or Platform, you consent to OneSpot’s collection, use, disclosure, and retention of your personal information as described in our privacy policy.

Contacting Us

If you have any questions about this Privacy Policy, please contact our Privacy Officer at: