
Founders weigh in on how to track users ethically.

As indie hackers, we need to know what visitors and customers are doing on our sites so that we can optimize our products and our marketing strategies accordingly. But we also have to balance that with our ethics and a little thing called the law.

It's a tightrope walk, made more difficult by the many gray areas involved. So I caught up with indie hackers to understand how they handle privacy. 👇

Where do indie hackers draw the line?

Marko Saric of Plausible:

Plausible wouldn’t be here if GDPR didn’t come into effect, and we stay as close as possible to the GDPR approach. So no long-term identifiers, no cross-site or cross-app or cross-device tracking, no behavioral profiling for advertising purposes, and no sharing of personal data with third parties in any way.

On our own website we don’t do anything other than to dogfood Plausible Analytics itself. We get all the regular web analytics such as referral sources and landing pages, but we also get data on different actions and events people can take on our site such as registrations for a trial account or conversions to paid subscriptions.

Siobhan Solberg of Raze Marketing:

Ethics are subjective so there is no clear line. I tend to ask "How comfortable would I be if this was done to me and my data?". That usually clears it up quick.

In general, any tracking that is done without consent or not anonymously [is unethical]. Tell the user and respect their choice. Or do it in a way that doesn't ID anyone.

Channing Allen of Indie Hackers:

We use basically every kind of tracking available. The only exception I can think of is heatmap tracking: software that essentially does a screen recording of each user's cursor movements and mouse clicks. We track email newsletter opens and clicks via ConvertKit, Postmark, and SparkPost. We track website engagements via Google Analytics, Amplitude, and our own custom algorithms.

On the spectrum of people who don't think it's a big deal vs people who lie awake contemplating the moral scourge of website tracking, you'll find me toward the former end. It truly just doesn't move me.

Might be a matter of personal taste: I'm big on science, measurement, quantified self, all that stuff. That said, I find heatmap tracking a bit creepy, and I really dislike the idea of governments covertly slipping through the back door of corporations to surveil citizens through products in the private sector. So that's probably where I'd draw the line.

Can a focus on privacy help businesses?

Siobhan Solberg of Raze Marketing:

In my experience, using [unethical] tools doesn't end up helping growth in the long term. They are short-term, feel-good fixes to hit your KPIs quickly. In the end, the ethical route is better. It's slower but more consistent. Mostly because in the long term, you develop more trust with your customer base and improve retention.

Channing Allen of Indie Hackers:

Supply should meet demand! Lots of people care about privacy — especially people in tech circles. That's a huge opportunity for founders. It's just about knowing your audience.

If you're serving a niche who cares about privacy, you should put this front-and-center in your marketing materials, landing page, mission statement, and so forth.

Marta Poprotska of PayProGlobal:

Non-compliance with the GDPR can cost a company as much as 4% of its annual turnover, plus reputational damage.

How to become privacy-friendly

Tash Postolovski of GoodTeams:

  1. Practice data minimalism.

You should store as little data as possible about customers, and only what's required to provide your service to them. You should store this data securely and encrypt it where possible, and avoid storing it any longer than is needed. When collecting non-essential data (for example, data that allows you to provide a better service but isn't strictly essential), you need to give users the ability to opt out.

  2. Get explicit consent.

Get consent for any data collection/storage/cookies via a checkbox that explains how you'll use the data, and links to your Privacy Policy, which goes into more detail.

  3. Lean on your Privacy Policy.

Your privacy policy should list all the data you collect and your legal basis for collecting that data. Explain how long data will be stored. Explain individuals’ rights over their data and how to go about exercising their rights. (And of course, make sure you actually have a publicly available Privacy Policy.)

  4. Give users power over their data.

Your users must at any time be able to:

  • Review the data you've stored about them
  • Fix errors or make updates to the data
  • Erase the data unless this right is superseded by your need to retain certain data for legal reasons (this is rarely the case)
  • Download their data

(None of these processes are required to be automated - it's totally fine to list these rights in your privacy policy and instruct users to reach out to you for assistance with any of these, then fulfill requests manually.)

  5. Check GDPR (or other legal) compliance of the services you use to store and process user data.

When it comes to GDPR, every service/tool you use is seen as an extension of your business. At the moment, this is the most challenging aspect of GDPR compliance, because some companies like Google and AWS exist in a gray area.

  6. If your user data is leaked or breached, communicate about it immediately.

If worst comes to worst and data is leaked, you need to let your users know as quickly as possible (usually within just a few days) and provide information about which data was accessed and how to mitigate risk as a result of the leak.

Disclaimer: I'm not a lawyer, so please do your own due diligence!

Jakob Gillich of Cloudplane:

GDPR is honestly a nightmare for small businesses. My strategy has been to collect as little personal data as possible and to not use third-party services if I can avoid them. Staying away from cookies as well. And I trust Iubenda to generate sensible policies.

How to protect yourself

Marko Saric of Plausible:

I don’t really do that much to protect my own personal data these days. I feel that GDPR has come a long way and most major websites do comply with it. This makes it easier to protect my own data when surfing the web as a European. When I visit a new website for the first time, I can in most cases with one click “reject” any attempts to share my personal data with third parties, to build a personalized profile for advertising purposes etc.

In the past I often used an ad blocker and a VPN too (and I would still recommend those especially if you’re visiting sites you don’t trust) but I feel these days you can get a pretty good experience on the web if you’re in Europe just by making sure to engage with those GDPR consent forms.

I also use one of those services that gives me an email alias so I can get a brand new email alias for every new site I want to sign up for when I don’t want them to get my real email.

Siobhan Solberg of Raze Marketing:

Understand your options. Set browser-based defaults as to what you are comfortable with. And, once you've educated yourself, it's your decision as to what you are comfortable with or not - some want more privacy, others less. Don't judge, but get to the point where you can make an educated decision for yourself.

I personally use a browser that is more privacy-focused and do not consent to being tracked unless it is a company that I trust with my data. Additionally, I almost never use my real email or name if that can be avoided. This obviously is paired with best practices such as password managers, etc.

Nico Botha of Cure Privacy:

I'm using ProtonMail for my emails and calendar and Jumbo Privacy for privacy scans and recommendations on my phone.

Joseph Pastor:

[Here are] 4 FREE tools for your online privacy:

  1. Search engine: DuckDuckGo
  2. Web browser: Brave
  3. Messenger: Signal
  4. Email: ProtonMail

Channing Allen of Indie Hackers:

Basically none at all. If anything, I go quite out of my way to be found on the internet!



  1. 3

    We just ask for an email at the moment, but it's nice to know what lies ahead. Thanks for the great post!

  2. 3

    Small companies and early stage startups are best to just ignore GDPR and other insane regulations obviously targeted at large corporations. No one is coming to sue your one-dev 50-active-users tiny side-hustle SaaS for not having a cookie banner or storing data on a server in a foreign country. Don't waste your time and thinking capacity on it until it's an actual issue. Build your business first, then protect it. Otherwise you may have nothing to protect in the first place.

    1. 1

      Yeah, I think that's good advice. It's sort of like building your product before bothering to incorporate the business entity. But GDPR aside, I think it's important to follow best-practices for user privacy, even in early stages.

  3. 1

    What security tools, policies and regulations do you generally implement to ensure the security of your company and the secrets of your product development? I would like to know more about it.

  4. 1

    Thank you SO much for this post! As I'm preparing to launch my venture, these are exactly the type of discussions I want to be part of.

    We need to discuss how to collect data ethically.

    Great stuff here.

  5. 1

    Thanks for the post!!!

  6. 1

    James, from a UX perspective, this article has a lot of resonance. In addition to abiding by the law, ethical and transparent tracking additionally promotes trust, which is essential to user experience. Users are more likely to engage when they feel safe. It's admirable to see independent hackers support this strategy. I appreciate you bringing attention to this important topic.

    1. 1

      Thanks, and I agree that trust is a huge component to acquisition and retention for many types of products/verticals.

  7. 1

    Have you heard of https://usefathom.com/ ? ;)
    Haven't used it but it seems pretty great also.

    1. 1

      I have heard of it actually but never used it. Thanks for weighing in!

  8. 1

    I've been using Cloudflare Web Analytics. It's a privacy-first free service compliant with GDPR. https://www.cloudflare.com/web-analytics/
    I haven't used other similar products before but this one is pretty neat.

    1. 1

      Nice, thanks for sharing!
