What personal data does a standard website usually collect?

A standard website usually collects only a limited set of personal data, but that set can still become significant under GDPR if the site has a contact form, newsletter signup, login area, analytics, chat widget, or e-commerce checkout. For website owners in the EU, the key question is not only what data is collected, but also why it is collected, how long it is stored, and who can access it through the hosting platform, control panel, or third-party services.

In a managed hosting environment, this often means checking the website code, the control panel settings, email routing, logs, and installed extensions. If you use Plesk, Apache-based hosting, or a similar hosting platform, it is worth reviewing both application-level data collection and server-side data generated automatically by the hosting stack.

What counts as personal data on a standard website

Under GDPR, personal data is any information that can identify a person directly or indirectly. On a typical website, this may include data entered by the visitor, data generated by the system, and data collected by third parties such as analytics or payment providers.

Common examples include:

  • Full name
  • Email address
  • Phone number
  • Postal address
  • IP address
  • Login username
  • Customer account ID
  • Device identifiers and cookie IDs
  • Order history and support requests
  • Location data, if collected

Even if a website does not ask for a person’s name, it may still process personal data through server logs, cookies, or analytics tools. That is why privacy reviews should cover the whole website stack, not just visible forms.

The most common types of data collected by standard websites

1. Contact form submissions

Contact forms are among the most common sources of personal data. A standard contact form often collects:

  • Name
  • Email address
  • Message content
  • Company name
  • Phone number, if included

In many cases, the message itself may contain sensitive personal information, even if the form does not explicitly ask for it. Website owners should therefore avoid requesting unnecessary details and should store submissions only for as long as needed to respond and keep records.

2. Newsletter and marketing signups

Newsletter forms usually collect:

  • Email address
  • Name, whether optional or required
  • Consent preferences
  • Timestamp of signup
  • Source page or campaign tag

If you run email marketing through a hosting platform, CRM, or integrated email service, make sure the signup process is clear and lawful. For EU websites, marketing consent often needs to be separate from service-related communications.

3. Account registration and login data

If your website has user accounts, it may collect:

  • Username
  • Email address
  • Password hash
  • Name and surname
  • Billing address
  • Saved preferences
  • Profile photo or other uploaded content

Passwords should never be stored in plain text. On a managed hosting or Plesk setup, the website application should use secure password hashing and limit access to account databases. Authentication logs may also contain IP addresses and timestamps.

4. Checkout and payment data

E-commerce websites typically collect more personal data than brochure websites. This may include:

  • Billing name and address
  • Shipping address
  • Email address
  • Phone number
  • Purchase history
  • VAT number for business customers
  • Payment confirmation details

In many cases, the hosting company does not process card details directly because a payment gateway handles them. Even so, the website may still store transaction IDs, invoices, and order records, all of which can be personal data.

5. Server logs and technical data

Server-side logs often contain personal data even when the website itself appears simple. Typical log data includes:

  • IP address
  • Date and time of access
  • Requested URL
  • User agent string
  • Referrer URL
  • Error messages linked to a session or account

On Apache hosting, access and error logs are usually generated automatically. In a Plesk control panel environment, these logs can often be reviewed or rotated from the panel. For GDPR purposes, log retention should be limited to what is necessary for security, troubleshooting, and abuse prevention.
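
The log fields listed above can be checked against a real access log. The following is an added example, not part of the original article: it parses lines in Apache's combined log format, reports which personal data they contain (client IPs, authenticated usernames, email addresses leaked into URLs), and counts entries older than a retention window. The function name, the sample lines, and the 30-day window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Matches plain and URL-encoded (%40) email addresses.
EMAIL = re.compile(r'[\w.+-]+(?:@|%40)[\w-]+(?:\.[\w-]+)+', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, example.com addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2024:10:15:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - alice [10/Mar/2024:08:30:12 +0000] "GET /account HTTP/1.1" 200 2048 "https://example.com/login" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2024:09:01:44 +0000] "GET /unsubscribe?email=bob%40example.com HTTP/1.1" 200 310 "-" "Mozilla/5.0"
not a log line
"""

def audit_access_log(text, now, retention_days):
    """Summarise the personal data in an access log and flag expired entries."""
    cutoff = now - timedelta(days=retention_days)
    report = {"ips": set(), "users": set(), "email_lines": 0,
              "past_retention": 0, "unparsed": 0, "oldest": None}
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            report["unparsed"] += 1  # custom LogFormat or corrupt line: review by hand
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        report["ips"].add(m["ip"])
        if m["user"] != "-":  # %u is set when HTTP authentication is used
            report["users"].add(m["user"])
        if EMAIL.search(m["request"]) or EMAIL.search(m["referer"]):
            report["email_lines"] += 1
        if ts < cutoff:
            report["past_retention"] += 1
        if report["oldest"] is None or ts < report["oldest"]:
            report["oldest"] = ts
    return report

if __name__ == "__main__":
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)  # fixed date for the sample
    for key, value in audit_access_log(SAMPLE_LOG, now, 30).items():
        print(f"{key}: {value}")
```

A non-zero past_retention count means log rotation is not enforcing the documented retention period, and a non-zero email_lines count points to a form or link that places personal data in URLs, where it ends up in every log and referrer.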

6. Cookies and similar identifiers

Many websites collect data through cookies, local storage, and tracking pixels. These may store or reference:

  • Session identifiers
  • Language preferences
  • Login state
  • Cart contents
  • Analytics IDs
  • Advertising identifiers

Cookies can be personal data when they relate to an identifiable user or device. This is especially relevant for EU websites that use analytics, A/B testing, or embedded third-party services.

7. Support requests and chat messages

Support forms, ticket systems, live chat widgets, and helpdesk plugins often collect:

  • Name
  • Email address
  • Account or customer ID
  • Issue description
  • Attachments
  • Chat transcript

These records may contain personal data from both the customer and third parties mentioned in the message. If your hosting platform includes mailbox storage, ticketing integrations, or automatic email archiving, those systems should be included in the privacy review.

Data websites often collect automatically without a form

Many website owners focus on forms, but automatic collection is just as important. A standard website can gather technical and behavioural information even if the visitor never submits a contact form.

Typical automatically collected data includes:

  • IP address and approximate location
  • Browser type and version
  • Operating system
  • Device type
  • Session duration
  • Pages visited
  • Clicks and navigation path
  • Error events and performance data

This data is commonly generated by analytics tools, caching systems, security plugins, CDN services, or web server logs. In hosting environments, it may also be visible in the control panel, firewall logs, or intrusion prevention tools.

How hosting and control panels can store personal data

When a website runs on a managed hosting platform, personal data may be stored in several places outside the main website database. That is why it helps to map the data flow across the entire environment.

Website files and databases

Forms, user accounts, and order data are usually stored in the application database. For example, a CMS, webshop, or custom PHP application may save submissions, customer profiles, and consent logs there.

Email inboxes and mail queues

Contact form submissions are often forwarded to email. If messages remain in inboxes or mail logs, they continue to contain personal data. Outgoing SMTP queues may also record recipients and timestamps.

Backups

Backups can contain everything from the live site: databases, uploaded files, configuration files, and email content. Even if the live site deletes personal data, it may still exist in backup copies. For GDPR, backup retention should be documented and limited where possible.

Access and error logs

Control panels such as Plesk usually provide log access for domains, mail services, and system events. These logs are useful for security and troubleshooting, but they should not be kept indefinitely unless there is a clear operational need.

Third-party integrations

Plugins and external services may collect personal data on your behalf. Common examples include:

  • Analytics platforms
  • Embedded maps or video players
  • Chat widgets
  • Spam protection tools
  • CRM and email marketing systems
  • Payment gateways

For EU compliance, you should know which providers receive data, where they process it, and whether standard contractual safeguards or similar protections apply.

How to identify what your website actually collects

A practical privacy review should be based on evidence, not assumptions. The fastest way to identify personal data collection is to inspect the live site, the CMS, the hosting control panel, and the connected services.

Step 1: Review every form and field

Check contact forms, quote requests, registration pages, checkout forms, newsletter forms, and support widgets. Note every field and ask whether it is truly necessary. If a field is optional, document why it is collected.

Step 2: Check the CMS, plugins, and extensions

Many data collection points are hidden inside plugins. For example, a form plugin may store entries in the database, a security plugin may log IP addresses, and an analytics plugin may set cookies automatically.

Step 3: Inspect the control panel and server logs

In Plesk or a similar hosting control panel, review access logs, error logs, mail logs, and backup settings. Look for log retention policies and automatic rotation. Confirm whether logs include identifiable user data such as IP addresses or account names.

Step 4: Map third-party services

List all external services that receive visitor or customer data. This includes analytics, chat, embedded content, payment services, anti-spam systems, and font or CDN providers if they process personal data in a relevant way.

Step 5: Compare data collection with your privacy notice

Your privacy notice should match the actual data collection on the website. If you collect names, phone numbers, cookies, and logs, each of those should be reflected in the notice with a lawful basis, retention period, and recipient details where required.

Which data is usually necessary and which is not

GDPR encourages data minimisation. That means collecting only the data needed for the specific purpose. A website owner should challenge every field and every log entry that is not clearly useful.

Usually necessary

  • Email address for reply or account access
  • Name if needed to identify the person
  • Delivery address for physical goods
  • Payment and invoice details for sales records
  • Technical logs for security and incident handling

Often unnecessary or excessive

  • Full date of birth for a general contact form
  • Home address for a basic inquiry form
  • Phone number when email is enough
  • Free-text fields asking for unrelated personal details
  • Long-term storage of old support threads without a retention rule

On a hosting platform, the easiest privacy improvements are often small: remove a field, shorten log retention, disable an unnecessary plugin, or stop storing form entries in multiple places.

Practical checklist for website owners

  • List all forms, cookies, plugins, and external services.
  • Identify what personal data each one collects.
  • Confirm whether collection is necessary for the service.
  • Check where the data is stored in the application and in the hosting stack.
  • Review access logs, mailboxes, and backup retention.
  • Update the privacy notice and cookie notice to match reality.
  • Set retention periods for form submissions, logs, and support tickets.
  • Make sure access to data is limited to authorised staff only.
  • Test deletion, export, and consent records if your site uses them.

Examples of common website setups

Simple brochure website

A basic company website may only collect contact form details and server logs. Even then, the email inbox, spam filters, and log files may contain personal data. This type of site is not “data free”; it just has a smaller data footprint.

WordPress site with forms and analytics

A WordPress website often collects form submissions, cookie IDs, analytics data, and plugin-generated logs. If the site runs on managed hosting with Plesk, privacy review should include plugin settings, database tables, mail routing, and backup storage.

Online shop

An e-commerce site usually collects account details, billing and shipping information, order history, and payment metadata. It may also store abandoned cart data, coupon usage, and customer support tickets. This requires stronger retention controls and clearer legal documentation.

FAQ

Do all websites collect personal data?

Not all websites intentionally ask for personal data, but most websites still collect some form of technical data such as IP addresses, cookies, or server logs. If a site has forms, analytics, or embedded third-party tools, personal data collection is very likely.

Is an IP address personal data?

In many EU contexts, yes. An IP address can be personal data if it can identify or single out a user directly or indirectly. That is why server logs and analytics tools should be reviewed carefully.

Are contact form messages personal data?

Yes, often they are. Even if the form only asks for an email address, the message content may reveal personal information. The storage of those messages should be limited and protected.

Do cookies always count as personal data?

Not every cookie is personal data, but many are, especially session cookies, analytics cookies, and advertising cookies. If a cookie can identify a device or user, it should be treated as personal data for privacy purposes.

Where can I see the data collected by my hosting stack?

Check the CMS, plugin settings, database tables, email inboxes, and the hosting control panel. In Plesk or a similar panel, review logs, backups, mail settings, and domain-level tools. Also inspect any security, firewall, or monitoring add-ons.

How long should a website keep personal data?

Only as long as necessary for the purpose. For example, a contact request may be deleted after the enquiry is resolved, while invoice data may need to be kept longer for legal or accounting reasons. Log retention should also be limited and documented.

Conclusion

A standard website usually collects more personal data than many owners expect. The most common items are names, email addresses, phone numbers, message content, IP addresses, cookies, and technical logs. In a hosting or control panel environment, this data may also appear in backups, mailboxes, server logs, and third-party integrations.

For EU websites, the safest approach is to map all collection points, remove anything unnecessary, and align your privacy notice, cookie banner, and retention rules with what the site actually does. That is especially important on managed hosting platforms where website code, email, logs, and backups are all part of the same compliance picture.

If you manage a site in Plesk, Apache, or another hosting control panel, a quick quarterly review of forms, plugins, logs, and backups can prevent many privacy issues before they become a problem.
