
Compliance FAQ

Common questions about GDPR compliance, cookies, data hosting, and VulpaSoft's privacy architecture.

Does VulpaSoft use cookies?

No. VulpaSoft uses zero cookies, zero localStorage, and zero device-side storage. We use a daily-rotating SHA-256 hash for session grouping.

Do I need a consent banner for VulpaSoft?

No. Because VulpaSoft stores nothing on the user's device, the ePrivacy Directive consent requirement does not apply to VulpaSoft analytics.

Is VulpaSoft GDPR compliant?

Yes. VulpaSoft is designed for GDPR compliance by architecture: EU-only hosting, no cookies, automatic PII masking, data minimization, and daily hash rotation.

Where is my data stored?

All data is stored in Frankfurt, Germany. Every sub-processor (Supabase, Tinybird, Upstash, Vercel) operates in EU data centers.

Does VulpaSoft transfer data to the US?

No. All processing and storage occurs within the EU. No behavioral analytics data leaves European infrastructure at any point.

Can VulpaSoft identify individual users?

No. The daily-rotating hash prevents cross-session tracking. We do not store IP addresses, and PII in form fields is masked before it reaches our servers.

Is VulpaSoft compliant with PECR (UK)?

Yes. PECR regulates cookie storage, and VulpaSoft uses no cookies. The behavioral analytics data VulpaSoft collects does not fall under PECR's consent requirement.

Does VulpaSoft comply with the ePrivacy Directive?

Yes. The ePrivacy Directive requires consent for storing information on a user's device. VulpaSoft stores nothing on the device, so the consent requirement does not apply.

What about CCPA compliance?

VulpaSoft's architecture supports CCPA compliance. We do not sell personal information, we do not create persistent identifiers, and we provide data export and deletion capabilities.

Do you provide a DPA?

Yes. Our Data Processing Agreement is available for download on the DPA page. It is pre-signed and covers all GDPR Article 28 requirements.

What personal data does VulpaSoft collect?

VulpaSoft collects behavioral data (clicks, scroll depth, mouse movements, page views) and technical data (viewport size, device type). PII in form fields is masked client-side. See our What We Collect page for the complete list.

How long is data retained?

Data retention depends on your plan: 7 days (Free), 30 days (Build, Grow, Expand, Scale). You can export or delete your data at any time.

Can I use VulpaSoft for healthcare or finance websites?

Yes. VulpaSoft's EU-only hosting, automatic PII masking, and cookie-free architecture make it suitable for regulated industries. However, you should verify with your compliance team that VulpaSoft meets your specific regulatory requirements.

Does VulpaSoft use fingerprinting?

No. We do not collect browser fingerprinting data (screen resolution, fonts, WebGL, etc.). Our daily-rotating hash is designed to prevent cross-session identification, which is the opposite of fingerprinting.

How do I respond to a data subject access request (DSAR)?

Because VulpaSoft does not store identifiable data (no cookies, no IPs, no persistent IDs), it is generally not possible to link stored behavioral data to a specific individual. This simplifies DSAR compliance.

Still have questions?

Contact our DPO at dpo@vulpasoft.com or explore our Trust Center.
