GDPR Compliance
Last updated: May 19, 2026
Digital Media Estonia OÜ
Registry code: 11697004
Registered in Estonia, European Union
Contact: hi@straycy.com
Straycy is built with privacy at its core. As a company registered in Estonia (EU), we are fully subject to the General Data Protection Regulation (GDPR). This page explains how Straycy complies with GDPR and how we help you stay compliant as well.
Our commitment
Built for compliance from day one
Straycy was designed with GDPR principles embedded into its architecture. We don’t retrofit privacy onto an existing product. Every feature, every data flow, and every storage decision was made with data protection in mind.
No third-party cookies or cross-site tracking
Straycy uses only first-party cookies set on your domain. We never use third-party tracking pixels, cross-site cookies, or browser fingerprinting. Your visitors’ data stays within your domain’s context.
Data stays in the European Union
All data processed by Straycy is stored on servers within the EU. No data is transferred outside the European Economic Area without appropriate safeguards.
Roles and responsibilities
| Role | Who | Responsibility |
|---|---|---|
| Data Controller | You (the Straycy customer) | You determine the purposes and means of processing your website visitors’ data. You are responsible for your privacy policy and obtaining consent. |
| Data Processor | Digital Media Estonia OÜ | We process End User data on your behalf, solely to provide the Straycy Service. We follow your instructions and applicable law. |
| Data Subjects | Your website visitors | Individuals whose data is collected through the Straycy plugin on your website. |
What data Straycy collects
| Data type | Examples | Purpose | Storage |
|---|---|---|---|
| Attribution data | UTM parameters, referrer URL, landing page | Lead source identification | Retained with lead record |
| Ad click IDs | gclid, fbclid, msclkid | Ad platform attribution | Retained with lead record |
| Device info | Device type, browser | Analytics context | Retained with lead record |
| IP address | Hashed (SHA-256), never raw | Fraud prevention, deduplication | Hashed only, never reversible |
| Visitor ID | Random identifier (first-party cookie) | Session stitching | Auto-deleted after 30 days if no lead |
| Lead data | Name, email, phone (from form submission) | Lead attribution | Retained until customer deletes |
Consent management
Straycy respects your visitors’ consent choices. Here’s how it works:
With a consent tool installed
If your website uses a consent management platform (CookieYes, Complianz, Cookiebot, or any tool supporting Google Consent Mode v2), Straycy automatically detects consent status. When consent is not granted, Straycy operates in cookieless mode: no cookies are set, no personal identifiers are stored, and only anonymous attribution data (referrer, UTM parameters) is captured.
When the visitor grants consent, full tracking activates automatically without requiring a page reload.
Without a consent tool
If no consent tool is detected, Straycy uses a first-party functional cookie (stry_visitor_id) to link page visits to form submissions. This cookie is classified as a functional/necessary cookie under most consent frameworks because it is essential for the form attribution service to work. No marketing or analytics cookies are set.
We recommend all customers install a consent management tool on their website to ensure full compliance with ePrivacy and GDPR requirements.
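The gating described in this section, sketched as an added example (this is not Straycy's code). The Consent Mode v2 signal names analytics_storage and ad_storage are real, but requiring both for full tracking, the record shape, the function names, and the sample URLs used with it are assumptions made for illustration.

```javascript
// Added illustration of the consent gating described above; not Straycy's code.
// Assumptions: consent arrives as a Consent Mode v2 style object, and both
// analytics_storage and ad_storage must be 'granted' before identifiers are stored.
const CLICK_IDS = ['gclid', 'fbclid', 'msclkid'];
const VISITOR_COOKIE = 'stry_visitor_id'; // cookie name as given on this page

// consent === null models "no consent tool detected" (functional cookie path).
function isCookieless(consent) {
  if (consent === null) return false;
  return !(consent.analytics_storage === 'granted' && consent.ad_storage === 'granted');
}

// Strip ad click IDs from a URL so they cannot ride along inside the referrer.
function scrubClickIds(rawUrl) {
  if (!rawUrl) return '';
  const url = new URL(rawUrl);
  CLICK_IDS.forEach((id) => url.searchParams.delete(id));
  return url.toString();
}

// Build what would be stored for one page view.
// cookies: existing first-party cookies as an object; newId: visitor ID generator.
function buildRecord(landingUrl, referrer, consent, cookies = {},
                     newId = () => globalThis.crypto.randomUUID()) {
  const params = new URL(landingUrl).searchParams;
  const utm = {};
  for (const [key, value] of params) {
    if (key.startsWith('utm_')) utm[key] = value;
  }
  if (isCookieless(consent)) {
    // Anonymous attribution only: no cookie, no visitor ID, no click IDs.
    return { mode: 'cookieless', referrer: scrubClickIds(referrer), utm, setCookies: {} };
  }
  const clickIds = {};
  for (const id of CLICK_IDS) {
    if (params.has(id)) clickIds[id] = params.get(id);
  }
  // Reuse the existing visitor ID so page visits stitch to the later form submit.
  const visitorId = cookies[VISITOR_COOKIE] || newId();
  return {
    mode: 'cookie', referrer, utm, clickIds, landingPage: landingUrl, visitorId,
    setCookies: cookies[VISITOR_COOKIE] ? {} : { [VISITOR_COOKIE]: visitorId },
  };
}
```

Calling buildRecord again with the updated consent object models the switch to full tracking without a page reload.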
Data subject rights
Under GDPR, your website visitors have the right to access, rectify, delete, restrict, or port their personal data. As the data controller, you are responsible for responding to these requests.
Straycy provides tools to help you fulfill these obligations:
- Data deletion: Use the GDPR deletion endpoint in the Straycy plugin (wp-json/straycy/v1/delete-data) to remove all records associated with a specific email address.
- Data export: Export all lead data via CSV from the Straycy dashboard.
- Data access: View all stored data for any individual lead in the lead detail view.
Data retention
- Anonymous visitor sessions: Automatically deleted after 30 days if no form submission is recorded (configurable in plugin settings, up to 365 days).
- Lead records: Retained as long as your account is active. You can delete individual leads at any time.
- Account data: Deleted within 30 days of account closure.
- Backups: Removed from backup systems within 90 days of deletion.
Security measures
- All data is transmitted over TLS (HTTPS)
- IP addresses are hashed using SHA-256 with a per-site salt, never stored in raw form
- Database access restricted to authenticated, authorized requests only
- WordPress nonce verification on all REST API endpoints
- Regular security reviews of the plugin codebase
- No third-party JavaScript loaded in your visitors’ browsers
Data Processing Agreement (DPA)
As a data processor, we offer a Data Processing Agreement (DPA) that meets GDPR Article 28 requirements. The DPA covers the scope of processing, data categories, security obligations, sub-processor management, and data subject rights assistance.
To request a signed DPA, contact us at hi@straycy.com.
Sub-processors
We use the following sub-processors, all bound by data processing agreements:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Frankfurt) |
| Vercel | Dashboard hosting and edge functions | EU |
| Stripe | Payment processing | EU/US (SCCs in place) |
| Resend | Transactional email delivery | EU/US (SCCs in place) |
We will notify customers at least 30 days before adding new sub-processors. You may object to a new sub-processor by contacting us within that period.
Your compliance checklist
As a Straycy customer, here’s what you should do to stay GDPR compliant:
- Update your website’s privacy policy to mention Straycy and describe the data it collects
- Install a consent management tool (CookieYes, Complianz, or Cookiebot recommended)
- Ensure form submissions include a link to your privacy policy
- Respond to data subject access or deletion requests within 30 days
- Request a DPA from us if your compliance framework requires it
Supervisory authority
As a company registered in Estonia, our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon):
Website: www.aki.ee
Email: info@aki.ee
Phone: +372 627 4135
Contact us
For any GDPR-related questions, data subject requests, or to request a DPA:
Digital Media Estonia OÜ
Registry code: 11697004
Email: hi@straycy.com