Data Privacy
Accelerate operates a standard data processor and controller arrangement under GDPR.
Data roles under GDPR#
| Role | Party | Explanation |
|---|---|---|
| Data Controller | You, the site owner | You determine why and how visitor data is collected on your site. You are responsible for obtaining consent, providing a privacy notice, and handling data subject requests from your visitors. |
| Data Processor | Human Made Ltd, through Accelerate | We process visitor analytics data on your behalf, under your instructions, solely to provide the Accelerate service. |
| Sub-processor | Amazon Web Services (AWS) | AWS provides the infrastructure, including Lambda, SQS, S3, and EC2, on which data is processed and stored under a Data Processing Agreement with Human Made. |
A Data Processing Agreement covering Human Made's role as processor is available on request at privacy@humanmade.com.
What data is collected?#
Accelerate collects behavioural analytics data from site visitors. No directly identifying information such as name, email, or phone number is collected unless a visitor explicitly opts in to broadcast notifications.
Visitor identifier#
A randomly generated UUID is created the first time a visitor loads your site and stored in their browser under the localStorage key accelerate.uuid.
This pseudonymous identifier persists across sessions and is used to count unique and returning visitors and build audience segments. It is never linked to a name or email address unless the visitor opts in to broadcast notifications.
Page and content data#
- Page URL, referrer URL, and initial referrer.
- Post type, post ID, author display name, and author ID.
- Archive type, such as category, tag, date, or search.
- Search query text.
- UTM campaign parameters.
Device and environment#
- Browser locale.
- Device make, model, OS, and browser platform, derived from the user agent. The raw user agent string is not stored.
- Accelerate plugin version.
Geographic data#
Country code and country region code are derived server-side from CloudFront geo-enrichment headers. The visitor's raw IP address is never stored.
Session data#
- Session UUID, start and stop timestamps, and duration.
- Cumulative page view and session counts per visitor.
Logged-in WordPress users#
When a visitor is logged in to WordPress and the statistics consent category is granted, the WordPress user ID, an integer rather than an email address, and user roles are recorded. This enables audience segmentation for logged-in users.
Broadcast opt-in#
An email address or push notification token is only stored when a visitor explicitly opts in to receive content broadcasts through Accelerate. This is the only field that may contain a direct personal identifier.
Where is data stored?#
All analytics data is processed and stored within the European Union, in AWS eu-central-1 in Frankfurt, Germany. No analytics data is transferred outside the EU.
| Storage | Purpose | Retention |
|---|---|---|
| AWS EU, Frankfurt | Analytics data storage | Up to 730 days |
Data subject rights#
Because analytics data is keyed by a pseudonymous UUID stored only in the visitor's own browser, it is generally not possible to re-identify a specific individual from the analytics database without access to their browser. However:
- Deletion requests: contact privacy@humanmade.com with the visitor's
accelerate.uuidvalue from their browser'slocalStorage, and Human Made will purge all associated records. - Broadcast opt-outs: visitors who opted in to broadcast notifications can unsubscribe at any time. Their contact details are removed from the active endpoint record.