# GDPR/DSGVO Website & HubSpot Audit **Last Updated:** 2026-02-18 **Owner:** Hady Elhady **Deadline:** February 27, 2026 **Scope:** Ordio Website (ordio.com) – Sections 5 & 6 --- ## Remediation Applied (2026-02-18) | Area | Status | |------|--------| | **Consent flow** | All tracking (HubSpot, GA4, Meta, server-side) consent-gated via `loadScripts()` / `hasAnalyticsConsent()`. Defaults OFF. Cookie-Einstellungen link, equal Reject prominence. | | **Alternative footers** | footer_free_trial (kostenlos-testen), v2/html/blog/*.html, shiftops.php, shiftops-report.php, static_hubspot.php – all aligned with main footer or include base footer. | | **Privacy policy** | **Pending legal review** – see "Privacy Policy Updates Required" below. | --- ## Executive Summary This audit assesses GDPR/DSGVO compliance of the Ordio website (ordio.com) and HubSpot integration. The website primarily targets prospects and visitors (not employees), so consent requirements apply under TTDSG and DSGVO. **Compliance Status:** Remediated – critical issues addressed (2026-02-18). **Compliant:** - Google Tag Manager uses Consent Mode v2 with default denied. - GA4, Meta Pixel, HubSpot, and server-side tracking fire only after consent. - HubSpot uses EU region (js-eu1, Germany). **Pending:** Privacy policy updates (HubSpot, server-side tracking, Mouseflow) – see section below. --- ## Out of Scope The following are explicitly **out of scope** for this audit (no access to configure): - Ordio web app (core product) - Ordio mobile app - HubSpot scripts loaded inside the web product (per hotel customer concern – documented but not configurable from this codebase) --- ## 5. Ordio Website ([ordio.com](https://ordio.com)) ### Tracking Tools | Tool | Present? | Load Location | Consent-Gated? | Status | |------|----------|---------------|----------------|--------| | **Google Analytics (GA4)** | Yes | Via GTM | Yes – fires only after analytics consent | Compliant | | **Google Tag Manager** | Yes | `v2/base/footer.php` (GTM-5DWSFND) | Yes – Consent Mode v2, default denied | Compliant | | **HubSpot** | Yes | `loadScripts()` → `loadHubSpot()` | Yes – loads only when "HubSpot (Marketing & Chat)" accepted | Compliant | | **Facebook Pixel** | Yes | Via GTM | Yes – per privacy policy "nach Bestätigung der Cookies" | Compliant | | **LinkedIn Insight Tag** | No | Not found in codebase | N/A | Not present | | **Server-side tracking** | Yes | `trackEvent()`, `sendPageView()` | Yes – checks `hasAnalyticsConsent()` before sending | Compliant | | **Mouseflow** | No (inactive) | Commented out in footer | N/A | Still listed in policy (inaccurate – suggest removal per legal review) | ### Cookie/Consent Banner | Aspect | Status | Details | |--------|--------|---------| | **Banner exists?** | Yes | `v2/base/footer.php` | | **Blocks scripts until consent?** | Yes | All tracking (HubSpot, server-side, GA4, Meta) load only after consent | | **Default toggles** | All OFF | Strict opt-in (analytics, ad storage, hubspot, etc. = false) | | **Consent storage** | Yes | localStorage `cookieConsent` | | **Revoke option** | Yes | "Zustimmung anpassen" / "Cookies ablehnen" (main footer); "Cookie-Einstellungen" link in footer (both footers) | | **Alternative layouts** | Yes | footer_free_trial, shiftops, static_hubspot, v2/html/blog – same consent flow as main footer | ### Data Collected (per tool) | Tool | Data Captured | |------|---------------| | **GA4** | Page views, events, CTA clicks, form submissions, UTM params | | **HubSpot** | Page views, form submissions, hubspotutk cookie, session tracking, contact identification | | **tracking.php** | IP, session_id, page, entry_page, event_type, event_name, referrer, UTM, form_data (company, first_name, last_name, email, phone, locations, employees, industry) | | **Meta Pixel** | Page views, conversions (via GTM, consent-gated) | ### Legal Basis (per tool) | Tool | Intended Basis | Actual | Gap | |------|----------------|--------|-----| | GA4 | Art. 6(1)(a) consent | Consent-gated | None | | GTM | Art. 6(1)(a) consent | Consent Mode default denied | None | | HubSpot | Art. 6(1)(a) consent | Consent-gated | None | | tracking.php | Art. 6(1)(a) consent | Consent-gated | None | | Meta Pixel | Art. 6(1)(a) consent | Consent-gated via GTM | None | ### Data Transfers | Tool | EU-only or Third-country? | Safeguards | |------|----------------------------|------------| | **HubSpot** | EU (js-eu1.hs-scripts.com, Germany/AWS) | DPA, SCCs | | **Google** | US (with EU adequacy / Data Privacy Framework) | DPA, SCCs | | **tracking.php** | Self-hosted (Hetzner, EU) | N/A | ### Privacy Policy Accuracy | Tool | In Privacy Policy? | Accurate? | |------|-------------------|-----------| | Google Analytics | Yes | Yes | | Google Tag Manager | Yes | Yes | | Facebook/Meta Pixel | Yes | Yes | | HubSpot | **No** | – | | Server-side tracking | **No** | – | | Mouseflow | Yes | **Inaccurate** – tool is inactive; policy still lists it | | LinkedIn | Yes (profile only) | Yes | ### Privacy Policy Updates Required (Legal Review) **Note:** The Datenschutz (`v2/pages/static_privacy.php`) has not been edited. Changes require legal review before implementation. The following draft language is provided for the legal team to review, adapt as needed, and integrate into the policy. All drafts follow DSGVO Art. 13/14 requirements and match the structure of existing Drittanbieter sections. **Quick reference:** | Change | Action | Placement | |--------|--------|-----------| | HubSpot | Add new section | Drittanbieter, after Google Tag Manager | | Eigene Server-seitige Erfassung | Add new section | Datenverarbeitung auf unserer Website, after Informatorische Nutzung | | Mouseflow | Remove section; add intro note | Drittanbieter – delete Mouseflow block; add intro paragraph | | Stand | Update date | Line 191: "Stand Februar 2024" → current date | **DSGVO Art. 13/14 checklist (covered in drafts):** Identity of controller, purposes of processing, legal basis (Art. 6(1)(a)), categories of personal data, recipients/storage location, retention period, right to withdraw consent, link to provider privacy policy (where applicable). --- #### 1. HubSpot – Add New Section (in "Drittanbieter" after Google Tag Manager) **Placement:** Insert as new `

` under "Drittanbieter", e.g. after "Google Tag Manager" and before "heyData". **Draft copy (German):** ```markdown #### HubSpot Wir setzen HubSpot zur Analyse, für Marketing und zur Bereitstellung von Formularen und Chat-Funktionen ein. Anbieter ist HubSpot Ireland Limited, 1 Sir John Rogerson's Quay, Dublin 2, Irland. Der Anbieter verarbeitet Nutzungsdaten (z. B. besuchte Webseiten, Interesse an Inhalten, Zugriffszeiten), Kontaktdaten (z. B. E-Mail-Adressen, Telefonnummern, Namen, Unternehmensdaten aus Formulareingaben) und Meta-/Kommunikationsdaten (z. B. Geräte-Informationen, IP-Adressen, Cookies wie hubspotutk) in der EU. Die Verarbeitung erfolgt ausschließlich über die EU-Region (js-eu1.hs-scripts.com); Daten werden in Deutschland (AWS EU) gehostet. Die Rechtsgrundlage der Verarbeitung ist Art. 6 Abs. 1 S. 1 lit. a DSGVO. Die Verarbeitung erfolgt auf der Basis von Einwilligungen. HubSpot wird erst nach Ihrer Bestätigung im Cookie-Banner („HubSpot (Marketing & Chat)“) geladen. Betroffene können ihre Einwilligung jederzeit widerrufen, z. B. über den Link „Cookie-Einstellungen“ im Footer unserer Website. Weitere Informationen sind in der Datenschutzerklärung des Anbieters unter [https://legal.hubspot.com/privacy-policy](https://legal.hubspot.com/privacy-policy) abrufbar. ``` **Key elements covered:** Anbieter, Datenkategorien, Verarbeitungsort (EU/Deutschland), Rechtsgrundlage (Einwilligung), Einwilligungsmechanismus, Widerruf, Link zur Anbieter-Datenschutzerklärung. --- #### 2. Eigene Server-seitige Erfassung – Add New Section (in "Datenverarbeitung auf unserer Website") **Placement:** Insert as new subsection under "Datenverarbeitung auf unserer Website", e.g. after "Informatorische Nutzung der Website" and before "Webhosting und Bereitstellung der Website". **Draft copy (German):** ```markdown #### Eigene Server-seitige Erfassung (Website-Analyse) Wir erfassen auf unserer Website zusätzlich zu den Logfiles des Hosting-Anbieters eigene Nutzungsdaten über eine server-seitige Erfassung. Dabei werden folgende personenbezogene Daten verarbeitet: IP-Adresse, Session-ID, aufgerufene Seite, Einstiegsseite, Ereignistyp und -name, Referrer, UTM-Parameter sowie bei Formularinteraktionen angegebene Daten (z. B. Name, E-Mail-Adresse, Unternehmen, Telefonnummer). Die Verarbeitung erfolgt ausschließlich nach Ihrer Einwilligung über unser Cookie-Banner. Die Daten werden auf Servern unseres Hosting-Anbieters (Hetzner, EU) gespeichert und nach 14 Tagen gelöscht. Rechtsgrundlage der Verarbeitung ist Art. 6 Abs. 1 S. 1 lit. a DSGVO. Die Verarbeitung erfolgt auf der Basis von Einwilligungen. Betroffene können ihre Einwilligung jederzeit widerrufen, z. B. über den Link „Cookie-Einstellungen“ im Footer unserer Website. ``` **Key elements covered:** Verantwortlicher (wir), Datenkategorien, Zweck, Einwilligungsabhängigkeit, Speicherort (Hetzner/EU), Speicherdauer (14 Tage), Rechtsgrundlage, Widerruf. --- #### 3. Mouseflow – Remove or Replace **Current state:** The policy lists Mouseflow as an active tool. Mouseflow is not in use (commented out in footer). **Option A – Remove Mouseflow section entirely** and add a clarifying note in the "Drittanbieter" intro: **Draft intro addition (insert at start of "Drittanbieter" section, before first heading):** ```markdown Wir setzen die nachfolgend aufgeführten Drittanbieter zur Analyse und für Marketing ein. Derzeit verwenden wir keine Session-Recording-Tools (z. B. zur Aufzeichnung von Nutzerinteraktionen). ``` **Option B – Replace Mouseflow section** with the following: **Draft replacement copy (German):** ```markdown #### Session-Recording Derzeit setzen wir kein Tool zur Session-Aufzeichnung (z. B. Mouseflow oder vergleichbare Dienste) auf unserer Website ein. Sollte sich dies ändern, werden wir diese Datenschutzerklärung entsprechend aktualisieren und die Einwilligung vor dem Einsatz einholen. ``` **Recommendation:** Option A (remove Mouseflow, add intro note) is cleaner and avoids listing a tool we do not use. --- #### 4. Stand der Datenschutzerklärung **Current:** "Stand Februar 2024" (line 191 of static_privacy.php) **Suggested:** Update to current date when changes are implemented, e.g. "Stand Februar 2026" or the actual publication date. Legal should confirm the appropriate formulation (e.g. "Stand [Datum]" or "Letzte Aktualisierung: [Datum]"). --- ## 6. HubSpot ### Where HubSpot Scripts Are Loaded | Location | Consent-Gated? | |----------|----------------| | Website (base footer) | Yes | | footer_free_trial (kostenlos-testen) | Yes | | v2/html/blog/*.html | Yes | | shiftops.php, shiftops-report.php, static_hubspot.php | Yes | | include_form-hubspot-sdr.php, templates_template.php (hsforms.net) | Form embed only; main tracking gated | | **Web app / product** | Out of Scope | ### Purpose of Each hs-* Domain | Domain | Purpose | |--------|---------| | **js-eu1.hs-scripts.com** | Analytics, tracking, contact identification, forms, chat (if enabled) | | **js-eu1.hsforms.net** | Embedded form rendering | | **hs-analytics.net** | Analytics (loaded by HubSpot script when active) | | **hs-banner.com** | Chat/banner (loaded by HubSpot script when active) | | **hsadspixel.net** | Ads pixel (loaded by HubSpot script when active) | ### Data Collected - Page views, session tracking - Form submissions (demo, template download, tools export, etc.) - UTM parameters, hubspotutk cookie - Contact identification for marketing/CRM ### Legal Basis - **Required:** Consent (Art. 6(1)(a)) for marketing/analytics tracking. - **Current:** HubSpot loads only after user accepts "HubSpot (Marketing & Chat)" – consent-based. ### Can It Be Scoped? | Option | Feasible? | Notes | |--------|-----------|-------| | **Website-only** | N/A | HubSpot is already website-only in this codebase | | **Limit to admins** | No | Website has no admin vs. visitor distinction for prospects | | **Disable for paying customers** | Out of Scope | App/product not in scope | | **Gate behind consent** | **Done** | HubSpot loads via `loadHubSpot()` only when user accepts "HubSpot (Marketing & Chat)" | ### Data Transfers - **Region:** EU (`js-eu1` = EU region) - **Storage:** Germany (AWS EU), per HubSpot EU data centre - **Safeguards:** DPA, Standard Contractual Clauses ### User Identification - **hubspotutk** cookie links browser session to HubSpot contact - **Appropriate for:** Website prospects, form submitters - **Not appropriate for:** Logged-in app users (Out of Scope – app not configurable here) --- ## Recommendations ### Remaining (Requires Legal Review) **Privacy policy updates** – Add HubSpot, server-side tracking; remove or correct Mouseflow. See "Privacy Policy Updates Required" section above. **Do not edit until legal review.** ### Low Priority - **HubSpot API verification** – Use existing config to verify portal data hosting location in HubSpot settings. --- ## Key Files Reference - `v2/base/head.php` – DNS prefetch (tracking.php consent-gated) - `v2/base/footer.php` – GTM, consent banner, loadScripts(), loadHubSpot(), sendPageView(), trackEvent() - `v2/base/tracking.php` – Server-side MySQL tracking (POST endpoint only) - `v2/config/hubspot-config.php` – HubSpot Portal ID 145133546, form GUIDs - `v2/pages/static_privacy.php` – Privacy policy (unchanged; updates require legal review – see audit section above)