GDPR and Privacy-Friendly Auditing

How Clickweave is designed to support GDPR-conscious web performance auditing with data minimisation, no client-side tracking, and processor terms.

Clickweave is built to help teams understand their website performance without collecting more data than the product needs.

This page explains the privacy and GDPR-oriented design choices behind the hosted Clickweave audit service. It is product information, not legal advice. Your own GDPR obligations depend on your organisation, audience, jurisdiction, and the sites you audit.

Clickweave's role

When you use Clickweave to audit your website, you are typically the controller for any personal data reflected in the audit output. You decide which URLs to audit, what schedules to run, and what privacy notices or consent flows are needed for your sites.

For the hosted audit service at app.clickweave.co, Clickweave generally acts as a processor for audit data submitted on your behalf. Our Data Processing Addendum describes that processor relationship and is incorporated into our Terms of Service.

Data minimisation by design

Clickweave is fundamentally different from visitor-tracking analytics. We don't run a tracker on your visitors' browsers. Instead, we run Lighthouse audits against the URLs you configure. This means:

• No analytics cookies on your website.
• No client-side tracking script injected into your pages.
• No persistent visitor identifiers or cross-session visitor profiles.
• No raw IP addresses stored in the application database.
• No session recordings of your visitors' behaviour.
• No browser fingerprinting techniques.
• No data collected from your visitors beyond what Lighthouse captures during an audit run.

What data may be processed

Depending on your configuration, the hosted service may process the following data related to each audit:

• The URL being audited, with query strings and fragments removed by default.
• Lighthouse audit output: performance, accessibility, SEO, best-practice, and PWA scores; opportunities, diagnostics, and individual audit details.
• Timestamp of the audit event.
• Customer-defined custom properties that pass server-side validation (for organisation, tagging, or filtering).

Some of this information may be considered personal data under privacy laws depending on context — for example, a URL path containing a user identifier. Clickweave's goal is to minimise direct identifiers in audit data, but the responsibility for what URLs you submit rests with you.

Customer responsibilities

Clickweave is designed to support privacy-conscious auditing, but your implementation still matters. You should:

• Only submit URLs you own or are authorised to audit.
• Avoid transmitting personal data in URL paths, custom properties, or other fields.
• Describe your use of performance auditing in your privacy notice.
• Choose a lawful basis for auditing where required.
• Review optional features before enabling them.
• Keep your account, team access, and shared dashboard links limited to the people who need them.

Data processing terms

The Data Processing Addendum explains the subject matter, roles, categories of data, security measures, sub-processors, breach notification, deletion, and related processing terms for hosted Clickweave auditing.

Customers that need a PDF copy for internal records can use the DPA page to generate one with their organisation details.

Related pages

• Privacy Policy
• Data Processing Addendum
• Terms of Service