The core principle: IP tracking tools identify companies based on their IP address, not individuals. This means the technology processes business data, not personal data. However, there are important differences between GDPR-proof tools and tools that pose risks. Start your free trial and see which companies visit your website today within 5 minutes.
What are IP tracking tools and how do they work?
IP tracking tools, also known as visitor identification tools, analyse the IP address of website visitors to determine which company is behind that address. These tools link the IP address to a company database and then display information such as company name, industry, company size and location.
The technology behind IP tracking works without cookies. No tracking cookies are placed and no device fingerprinting occurs. Instead, network metadata such as IP addresses and ASN ranges (Autonomous System Numbers) are used to identify a company. This happens at company level, not at individual level.
A tool like Leadinfo recognises, for example, that a visitor comes from the IP range of “Company X”, and then shows which pages that company has visited, how often they return and whether they show interest in specific topics. You therefore see which organisation shows interest, but not which specific employee.
Is IP tracking permitted under GDPR?
Yes, IP tracking is permitted under GDPR, provided you use the correct legal basis: Article 6(1)(f) GDPR – legitimate interest. This article allows companies to pursue legitimate business interests, such as identifying potential customers, provided this is proportionate and transparent.
It is crucial that IP tracking tools focus on business data, not personal data. A company’s IP address is used to identify that company, but does not provide insight into individual persons. This distinction makes IP tracking GDPR-compliant, as long as the tool:
- Does not use cookies
- Does not apply device fingerprinting
- Is transparent about data collection
- Offers an opt-out option for companies
Companies deploying IP tracking must mention this in their privacy policy and ensure that website visitors can see that their company is being identified. This creates the transparency that GDPR requires.
What is the difference between GDPR-compliant and non-compliant IP tracking?
The difference between compliant and non-compliant IP tracking lies in three core areas: technology, hosting and transparency.
GDPR-compliant IP tracking meets the following criteria:
- 100% cookieless – no tracking cookies
- No device fingerprinting or cross-site tracking
- EU-only hosting (for example Ireland and Frankfurt)
- ISO 27001 certification for information security
- Clear privacy policy and opt-out option
Non-compliant IP tracking often uses:
- Tracking cookies that require consent
- Device fingerprinting, which can be considered personal data
- Hosting outside the EU, which poses Schrems II risks
- Unclear privacy statements
A tool like Leadinfo meets all compliance requirements and is also ISO 27001 certified, which means that information security is audited annually by LRQA. This gives companies assurance that both the technology and data processing are secure and GDPR-proof.
What data does a GDPR-proof IP tracking tool collect exactly?
A GDPR-proof IP tracking tool collects exclusively business data. This means the tool displays information about the organisation visiting the website, but never records individual personal data.
Examples of collected business data:
- Company name and industry (for example “Technology company in the SaaS industry”)
- Company size and revenue (if available in public sources)
- Pages visited and session duration at company level
- Return frequency – how often does this company return to your website?
- Technology stack (optional, depending on the tool)
What a GDPR-proof tool does not collect:
- Names, email addresses or job titles of individual employees
- Personal behavioural data such as click patterns of one user
- Cross-device tracking or browser history
The difference with non-compliant tools is that the latter often do try to track individual users via cookies, fingerprinting or other methods. This falls under personal data and requires explicit consent. GDPR-proof IP tracking limits itself to business information and therefore falls under legitimate interest.
How do I ensure my IP tracking tool remains GDPR-compliant?
If you deploy an IP tracking tool, there are four steps you must take to remain compliant:
1. Choose a tool with EU-only hosting and ISO 27001 certification
Check whether the tool uses data centres within the European Union. Tools that store data in the US or other third countries run the risk of Schrems II-related problems. ISO 27001 certification also provides assurance that information security is in order.
2. Ensure the tool works cookieless
Cookieless IP tracking does not require a cookie banner or consent, because no tracking cookies are used. This makes implementation simpler and GDPR-compliant. Check whether the tool applies device fingerprinting – this is not permitted without explicit consent.
3. Be transparent in your privacy policy
State in your privacy policy that you use IP tracking to identify companies. Explain that you do not collect personal data and refer to the legal basis (Article 6(1)(f) GDPR).
4. Offer an opt-out option
Companies must have the option to unsubscribe from identification. Tools like Leadinfo offer an opt-out page where companies can unsubscribe within 48 hours.
By following these four steps, your IP tracking tool remains GDPR-compliant and you minimise legal risks.
Frequently Asked Questions
Does Leadinfo have ISO 27001 certification?
Yes, Leadinfo is ISO 27001:2022 certified by LRQA. This means our information security processes are audited annually and comply with international standards for data security and privacy.
Can I see which individuals visit my website?
No. IP tracking tools identify exclusively companies, not individual persons. You see which organisation visits your website, but not which specific employee. This distinction ensures the technology is GDPR-compliant.
Where is IP tracking data stored?
With GDPR-proof tools like Leadinfo, all data is stored exclusively in the EU. Leadinfo uses data centres in Ireland (eu-west-1) and Frankfurt (eu-central-1). No data transfer takes place to the US or other third countries.
Is IP tracking the same as fingerprinting?
No. IP tracking analyses network metadata (such as IP addresses) to identify companies. Fingerprinting collects device characteristics such as browser type, screen resolution and installed fonts to track individual users. Fingerprinting is considered personal data and is not GDPR-compliant without explicit consent.
