GDPR Compliance

TagDrishti is designed to help you stay compliant — and we hold ourselves to the same standard.

This page explains how TagDrishti complies with GDPR as a Data Processor, and how using TagDrishti helps you comply as a Data Controller monitoring your website visitors.

TagDrishti as Your Data Processor

Under GDPR Article 28, when you use TagDrishti to monitor your website's GTM tags, we act as your Data Processor. You remain the Data Controller for your website visitors' data.

This means:

  • We process monitoring data only on your documented instructions
  • We impose the same data protection obligations on all our sub-processors
  • We assist you in responding to Data Subject Access Requests
  • We delete or return all data on termination of service
  • We provide all information necessary to demonstrate compliance
  • We notify you of any data breach within 72 hours

A full Data Processing Agreement (DPA) is available and must be signed before using the service — this is done automatically at accounts.tagdrishti.com.

Legal Basis for Tag Monitoring

You may be wondering: do I need consent to monitor my own GTM tags? The answer depends on what data is collected.

TagDrishti's monitoring script operates on Legitimate Interest (Art. 6(1)(f)) for the following reasons:

  • Tag monitoring is a security and service integrity function — not advertising
  • Session IDs are pseudonymised via one-way hash — not linkable to individuals
  • PII parameters are stripped from all URLs before any storage
  • Monitoring data is used exclusively to detect failures and security threats — never for profiling

However, TagDrishti also fully respects your Consent Mode v2 signals. If a visitor has not consented to analytics, certain monitoring features adjust accordingly.

Data Minimisation

TagDrishti is built around the GDPR principle of data minimisation. We collect only what is necessary to provide the monitoring service:

  • ✅ Tag name, type, status, execution time — necessary for monitoring
  • ✅ Page path and domain — necessary for context
  • ✅ Device class, viewport — necessary for CWV attribution
  • ✅ Consent signals — necessary for compliance reporting
  • ❌ Full URLs with query strings — stripped of PII parameters
  • ❌ IP addresses — not stored beyond rate-limiting (seconds)
  • ❌ User identifiers — replaced with pseudonymous session hash
  • ❌ Email, phone, name, or any other PII — actively scrubbed

Session Pseudonymisation

For EU residents (detected by Cloudflare geo-IP), session IDs are generated using a djb2 one-way hash that combines a daily rotating salt with an approximate client fingerprint. This means:

  • Sessions can be counted for statistical purposes
  • Sessions cannot be linked to an individual without the salt
  • The salt rotates daily — cross-day tracking is impossible
  • This satisfies the GDPR pseudonymisation requirement under Recital 26
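
The scheme described above, sketched as an added example (this is not TagDrishti's code). The salt store, the fingerprint fields, the `|` separator and the 32-bit output width are assumptions made for illustration.

```javascript
// Added illustration, not TagDrishti's code. The salt source, the
// fingerprint fields and the 32-bit output width are assumptions.

// Classic djb2 string hash: h = h * 33 + c, seeded with 5381, kept to 32 bits.
function djb2(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) {
    h = (Math.imul(h, 33) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Holds exactly one salt: the one for the current UTC day. The previous
// day's salt is overwritten, so yesterday's hashes cannot be recomputed.
class DailySaltStore {
  constructor(newSalt) {
    this.newSalt = newSalt; // caller supplies a CSPRNG-backed generator
    this.day = null;
    this.salt = null;
  }
  saltFor(date) {
    const day = date.toISOString().slice(0, 10); // YYYY-MM-DD in UTC
    if (day !== this.day) {
      this.day = day;
      this.salt = this.newSalt(day);
    }
    return this.salt;
  }
}

// Approximate fingerprint built from coarse attributes only (hypothetical fields).
function coarseFingerprint(client) {
  return [client.deviceClass, client.viewport, client.language].join('|');
}

// djb2 is not a cryptographic hash, so unlinkability depends on the salt
// staying server-side and being discarded when it rotates.
function sessionHash(store, date, client) {
  const input = store.saltFor(date) + '|' + coarseFingerprint(client);
  return djb2(input).toString(16).padStart(8, '0');
}

// Constructed sample: fixed salts so the run is reproducible.
const store = new DailySaltStore((day) => 'constructed-salt-' + day);
const visitor = { deviceClass: 'mobile', viewport: '390x844', language: 'de-DE' };
const morning = sessionHash(store, new Date('2024-05-01T08:00:00Z'), visitor);
const evening = sessionHash(store, new Date('2024-05-01T21:30:00Z'), visitor);
const nextDay = sessionHash(store, new Date('2024-05-02T08:00:00Z'), visitor);
console.log({ morning, evening, nextDay });
```

The same visitor maps to one ID within a UTC day and to a different ID after the salt rotates. With a 32-bit output, distinct visitors can collide, so session counts derived from these IDs are approximate.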

Data Transfers Outside the EU

Monitoring data is stored in Google BigQuery in asia-south1 (Mumbai, India). India is not currently an EU adequacy country. We rely on Standard Contractual Clauses (SCCs) for any data originating from EU residents processed by our GCP infrastructure. These are included in our DPA.

Data Subject Rights — How We Help

As Data Controller, you are responsible for responding to your website visitors' GDPR rights requests. TagDrishti helps you do this:

  • Right of Access / DSAR: Dashboard → Settings → Data & Privacy → Export Data generates a GDPR-compliant data export for a specific pseudonymous session ID
  • Right to Erasure: API endpoint DELETE /api/consent/session/{hash} purges all data for a session hash from BigQuery
  • Right to Object: Monitoring is based on Legitimate Interest — visitors can object via your existing privacy controls

GDPR Compliance for Your Customers

TagDrishti's Consent page in the dashboard shows you real-time consent rates across your domains — so you can demonstrate to your own clients that their CMP is working correctly. This includes:

  • Analytics consent rate (analytics_storage signal)
  • Advertising consent rate (ad_storage signal)
  • GPC (Global Privacy Control) signal detection
  • Tags blocked by consent (visible in Tag Health table)
  • EU session percentage
  • Consent trend over time (7/30/90 day views)

Questions & DPA Requests

For GDPR enquiries, DPA requests, or to exercise your rights: contact@tagdrishti.com

To sign the DPA electronically: accounts.tagdrishti.com