# GDPR/DSGVO Website Audit

**Last Updated:** 2026-03-02  
**Owner:** Hady Elhady  
**Scope:** Ordio Website (ordio.com) – tracking, consent, privacy policy

**Related:** [GDPR_DSGVO_HUBSPOT_AUDIT.md](GDPR_DSGVO_HUBSPOT_AUDIT.md) – HubSpot integration audit

---

## Executive Summary

This audit assesses GDPR/DSGVO compliance of the Ordio website (ordio.com). The website primarily targets prospects and visitors (not employees), so consent requirements apply under TTDSG and DSGVO.

**Compliance Status:** Remediated.

**Compliant:**
- Google Tag Manager uses Consent Mode v2 with default denied.
- GA4, Meta Pixel, HubSpot, and server-side tracking fire only after consent.
- All tracking (HubSpot, GA4, Meta, server-side) is consent-gated via `loadScripts()` / `hasAnalyticsConsent()`; every category defaults to OFF.
- A Cookie-Einstellungen link is present, and the Reject option is given the same prominence as Accept.
- Alternative footers (footer_free_trial, v2/html/blog/*.html, shiftops, static_hubspot) aligned with main footer.

**Implemented (2026-03-02):** Privacy policy updated with HubSpot, server-side tracking, Mouseflow removal, and Stand date. See section below for reference.

---

## Out of Scope

The following are explicitly **out of scope** for this audit (no access to configure):

- Ordio web app (core product)
- Ordio mobile app
- HubSpot scripts loaded inside the web product (per hotel customer concern – documented but not configurable from this codebase)

---

## Consent Flow

```mermaid
flowchart LR
    Banner[Cookie Banner] --> Consent{Consent?}
    Consent -->|Analytics ON| GA4[GA4]
    Consent -->|Analytics ON| Tracking[tracking.php]
    Consent -->|HubSpot ON| HS[HubSpot]
    Consent -->|Ads ON| Meta[Meta Pixel]
    Consent -->|Denied| None[No tracking]
```

---

## Tracking Tools

| Tool | Present? | Load Location | Consent-Gated? | Status |
|------|----------|---------------|----------------|--------|
| **Google Analytics (GA4)** | Yes | Via GTM | Yes – fires only after analytics consent | Compliant |
| **Google Tag Manager** | Yes | `v2/base/footer.php` (GTM-5DWSFND) | Yes – Consent Mode v2, default denied | Compliant |
| **HubSpot** | Yes | `loadScripts()` → `loadHubSpot()` | Yes – loads only when "HubSpot (Marketing & Chat)" accepted | Compliant |
| **Facebook Pixel** | Yes | Via GTM | Yes – per privacy policy "nach Bestätigung der Cookies" | Compliant |
| **LinkedIn Insight Tag** | No | Not found in codebase | N/A | Not present |
| **Server-side tracking** | Yes | `trackEvent()`, `sendPageView()` | Yes – checks `hasAnalyticsConsent()` before sending | Compliant |
| **Mouseflow** | No (inactive) | Commented out in footer | N/A | Removed from policy (2026-03-02) |

---

## Cookie/Consent Banner

| Aspect | Status | Details |
|--------|--------|---------|
| **Banner exists?** | Yes | `v2/base/footer.php` |
| **Blocks scripts until consent?** | Yes | All tracking (HubSpot, server-side, GA4, Meta) load only after consent |
| **Default toggles** | All OFF | Strict opt-in (analytics, ad storage, hubspot, etc. = false) |
| **Consent storage** | Yes | localStorage `cookieConsent` |
| **Revoke option** | Yes | "Zustimmung anpassen" / "Cookies ablehnen" (main footer); "Cookie-Einstellungen" link in footer (both footers) |
| **Alternative layouts** | Yes | footer_free_trial, shiftops, static_hubspot, v2/html/blog – same consent flow as main footer |
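The strict opt-in gate the table above describes, written out as an added JavaScript example. This is not the code from `v2/base/footer.php`; the function names follow the audit's `loadScripts()` / `hasAnalyticsConsent()` and the `cookieConsent` localStorage key, but the bodies, the category names and the in-memory storage stand-in are assumptions.

```javascript
// Added illustration (not Ordio's footer.php code) of a strict opt-in consent gate.
// Names mirror the audit's loadScripts()/hasAnalyticsConsent(); bodies are assumptions.
const STORAGE_KEY = 'cookieConsent';
const CATEGORIES = ['analytics', 'ads', 'hubspot'];

// Read stored choices. Missing, malformed or non-boolean values all count as denied,
// so a tampered or half-written entry can never grant consent by accident.
function readConsent(storage) {
  const consent = { analytics: false, ads: false, hubspot: false };
  let parsed;
  try { parsed = JSON.parse(storage.getItem(STORAGE_KEY)); } catch (e) { return consent; }
  if (!parsed || typeof parsed !== 'object') return consent;
  for (const c of CATEGORIES) consent[c] = parsed[c] === true; // only an explicit true grants
  return consent;
}

// Persist the banner's choices; unspecified categories are stored as false, never omitted.
function saveConsent(storage, choices) {
  const record = {};
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Consent Mode v2 signal derived from the stored choices. With nothing stored every
// storage type is 'denied', which is the default state the banner starts from.
function consentModeUpdate(consent) {
  const g = (v) => (v ? 'granted' : 'denied');
  return { analytics_storage: g(consent.analytics), ad_storage: g(consent.ads),
           ad_user_data: g(consent.ads), ad_personalization: g(consent.ads) };
}

// Server-side tracking (tracking.php) checks this before sending any event.
function hasAnalyticsConsent(storage) { return readConsent(storage).analytics; }

// Returns the tools that may load instead of injecting <script> tags, so it is testable.
function loadScripts(storage) {
  const c = readConsent(storage), tools = [];
  if (c.analytics) tools.push('ga4', 'tracking.php');
  if (c.hubspot) tools.push('hubspot');
  if (c.ads) tools.push('meta');
  return tools;
}

// Constructed in-memory stand-in for window.localStorage so the block runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => { m.set(k, String(v)); } };
}
```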

---

## Data Collected (per tool)

| Tool | Data Captured |
|------|---------------|
| **GA4** | Page views, events, CTA clicks, form submissions, UTM params |
| **HubSpot** | Page views, form submissions, hubspotutk cookie, session tracking, contact identification |
| **tracking.php** | IP, session_id, page, entry_page, event_type, event_name, referrer, UTM, form_data (company, first_name, last_name, email, phone, locations, employees, industry) |
| **Meta Pixel** | Page views, conversions (via GTM, consent-gated) |

---

## Legal Basis (per tool)

| Tool | Intended Basis | Actual | Gap |
|------|----------------|--------|-----|
| GA4 | Art. 6(1)(a) consent | Consent-gated | None |
| GTM | Art. 6(1)(a) consent | Consent Mode default denied | None |
| HubSpot | Art. 6(1)(a) consent | Consent-gated | None |
| tracking.php | Art. 6(1)(a) consent | Consent-gated | None |
| Meta Pixel | Art. 6(1)(a) consent | Consent-gated via GTM | None |

---

## Data Transfers

| Tool | EU-only or Third-country? | Safeguards |
|------|----------------------------|------------|
| **HubSpot** | EU (js-eu1.hs-scripts.com, Germany/AWS) | DPA, SCCs |
| **Google** | US (with EU adequacy / Data Privacy Framework) | DPA, SCCs |
| **tracking.php** | Self-hosted (Hetzner, EU) | N/A |

---

## Privacy Policy Accuracy

| Tool | In Privacy Policy? | Accurate? |
|------|-------------------|-----------|
| Google Analytics | Yes | Yes |
| Google Tag Manager | Yes | Yes |
| Facebook/Meta Pixel | Yes | Yes |
| HubSpot | Yes | Yes (added 2026-03-02) |
| Server-side tracking | Yes | Yes (added 2026-03-02) |
| Mouseflow | No | Removed (2026-03-02) – tool inactive |
| LinkedIn | Yes (profile only) | Yes |

---

## Privacy Policy Updates (Implemented 2026-03-02)

**Status:** All changes implemented in `v2/pages/static_privacy.php`. The following was applied per audit recommendations:

| Change | Action | Placement |
|--------|--------|-----------|
| HubSpot | Added | Drittanbieter, after Google Tag Manager – see [GDPR_DSGVO_HUBSPOT_AUDIT.md](GDPR_DSGVO_HUBSPOT_AUDIT.md) |
| Eigene Server-seitige Erfassung | Added | Datenverarbeitung auf unserer Website, after Informatorische Nutzung |
| Mouseflow | Removed; added intro note | Drittanbieter – deleted Mouseflow block; added intro paragraph |
| Stand | Updated | "Stand Februar 2024" → "Stand März 2026" |

**DSGVO Art. 13/14 checklist (covered):** Identity of controller, purposes of processing, legal basis (Art. 6(1)(a)), categories of personal data, recipients/storage location, retention period, right to withdraw consent, link to provider privacy policy (where applicable).

---

### Eigene Server-seitige Erfassung – Add New Section

**Placement:** Insert as new subsection under "Datenverarbeitung auf unserer Website", e.g. after "Informatorische Nutzung der Website" and before "Webhosting und Bereitstellung der Website".

**Draft copy (German):**

```markdown
#### Eigene Server-seitige Erfassung (Website-Analyse)

Wir erfassen auf unserer Website zusätzlich zu den Logfiles des Hosting-Anbieters eigene Nutzungsdaten über eine server-seitige Erfassung. Dabei werden folgende personenbezogene Daten verarbeitet: IP-Adresse, Session-ID, aufgerufene Seite, Einstiegsseite, Ereignistyp und -name, Referrer, UTM-Parameter sowie bei Formularinteraktionen angegebene Daten (z. B. Name, E-Mail-Adresse, Unternehmen, Telefonnummer). Die Verarbeitung erfolgt ausschließlich nach Ihrer Einwilligung über unser Cookie-Banner. Die Daten werden auf Servern unseres Hosting-Anbieters (Hetzner, EU) gespeichert und nach 14 Tagen gelöscht.

Rechtsgrundlage der Verarbeitung ist Art. 6 Abs. 1 S. 1 lit. a DSGVO. Die Verarbeitung erfolgt auf der Basis von Einwilligungen. Betroffene können ihre Einwilligung jederzeit widerrufen, z. B. über den Link „Cookie-Einstellungen“ im Footer unserer Website.
```

**Key elements covered:** Verantwortlicher (wir), Datenkategorien, Zweck, Einwilligungsabhängigkeit, Speicherort (Hetzner/EU), Speicherdauer (14 Tage), Rechtsgrundlage, Widerruf.

---

### Mouseflow – Remove or Replace

**Current state:** The policy lists Mouseflow as an active tool. Mouseflow is not in use (commented out in footer).

**Option A – Remove Mouseflow section entirely** and add a clarifying note in the "Drittanbieter" intro:

**Draft intro addition (insert at start of "Drittanbieter" section, before first heading):**

```markdown
Wir setzen die nachfolgend aufgeführten Drittanbieter zur Analyse und für Marketing ein. Derzeit verwenden wir keine Session-Recording-Tools (z. B. zur Aufzeichnung von Nutzerinteraktionen).
```

**Option B – Replace Mouseflow section** with the following:

**Draft replacement copy (German):**

```markdown
#### Session-Recording

Derzeit setzen wir kein Tool zur Session-Aufzeichnung (z. B. Mouseflow oder vergleichbare Dienste) auf unserer Website ein. Sollte sich dies ändern, werden wir diese Datenschutzerklärung entsprechend aktualisieren und die Einwilligung vor dem Einsatz einholen.
```

**Recommendation:** Option A (remove Mouseflow, add intro note) is cleaner and avoids listing a tool we do not use.

---

### Stand der Datenschutzerklärung

**Current:** "Stand Februar 2024" (line 191 of static_privacy.php)

**Suggested:** Update to current date when changes are implemented, e.g. "Stand Februar 2026" or the actual publication date. Legal should confirm the appropriate formulation (e.g. "Stand [Datum]" or "Letzte Aktualisierung: [Datum]").

---

## Key Files Reference

- `v2/base/head.php` – DNS prefetch (tracking.php consent-gated)
- `v2/base/footer.php` – GTM, consent banner, loadScripts(), loadHubSpot(), sendPageView(), trackEvent()
- `v2/base/tracking.php` – Server-side MySQL tracking (POST endpoint only)
- `v2/pages/static_privacy.php` – Privacy policy (unchanged; updates require legal review – see audit section above)
