DEV Community: Iron Brands

The most unambitious way to bulid a startup

Iron Brands — Fri, 31 Jan 2025 12:56:38 +0000

Hey guys, just wrote something for those of you unsure whether your idea has some potential to be a great business.

I founded two profitable SaaS companies without VC money (I won't tell you which one. because this post is not about that). In building those, I used a little framework to evaluate their potential to succeed.

Basically, I created a little framework with four rules to minimize the risk of failure.

The statistic that 90% of startups fail has been around for decades, but I don't think it's entirely true.

It may be true for VC-backed startups that must turn into a Billion dollar company or die. But fuck that!

The Silicon Valley way is not the only game in town.

The framework:

I called it "The most unambitious way to build a startup" because you will not change the world. The returns won't be as outlandish.

But if you're looking to build a business that changes your own world, this might be an interesting read.

Here are my four rules:
1) Is it B2B? This is where the money is
2) Is there a competitor making bank? Good! There is a market
3) Is there one angle to outcompete your competitor? This could be support, pricing, or features.
4) Are there SEO opportunities? People need to find out about you. For me, this is SEO, but it could be sales, partnerships, etc., or whatever your jam for growth is.

I wrote more in-depth about how I applied it to my businesses before I started in my newsletter today.

I'm not sure if I can link here, so we'll see how this plays out: https://1millionarr.substack.com/p/the-most-unambitious-way-to-build

Hope you get something out of it!
Cheers,
Iron

My boostrapped 35K MRR SaaS year in review

Iron Brands — Tue, 21 Jan 2025 10:21:58 +0000

👋 Hi, I’m Iron from Simple Analytics, a privacy-friendly and simple Google Analytics alternative.

Simple Analytics is a two-man company. Before writing this, I sat down with my co-founder to discuss the previous year.

It’s a super insightful conversation to have. We do this every year. It’s good to reflect on our feelings and what went well (and didn’t) to plan for next year.

This write-up is a distillation of what came out of that conversation.

Overview in Numbers
💰 35.5K MRR (+36%)
🧑‍🤝‍🧑 >10K users
🤝 1330 paying customers
📊 1.3 Million website visitors (+32%)
🐦 4250 Twitter/X followers (+100%)
🗞️ 1 Newsletter launched with almost 400 subs (Thank you!)
✊ 0 dollars in funding

Read the whole story here: https://1millionarr.substack.com/p/simple-analytics-2024-year-in-review

Sweden declares Google Analytics illegal

Iron Brands — Mon, 03 Jul 2023 16:42:55 +0000

On June 23, the Swedish Data Protection Authority (IMY) issued four decisions against companies that used Google Analytics. All the decisions found the use of Google Analytics to be incompatible with the GDPR. And two fines were issued this time, one for €1M.

The press release on IMY’s website gives a nice, high-level overview of the legal context of the decisions, but there is quite a bit more to dig into. So let’s take a closer look at the decision and what it means for the use of Google Analytics.

The legal issues

All four decisions stem from NGO noyb’s 101 complaints against Google Analytics and Facebook Connect. noyb has already successfully brought identical cases in other countries, and these decisions are more of the same- that is to say, their legal content is an application of the Schrems II decisions of the Court of Justice.

The Schrems II ruling requires companies that transfer data to the US to implement extra safeguards on top of the “standard” safeguards required by the GDPR for all data transfers (in most cases, the standard contractual clauses drafted by the EU Commission). These safeguards are needed because of the risk of State surveillance over foreign data, as highlighted in the Snowden files.

But these safeguards are very difficult to implement and entirely impossible to adopt for Google Analytics. This is because Google Analytics needs to precisely single out visitors in order to work!

In each of the four Swedish decisions:

a data subject, represented by noyb, complained that the company’s website illegally transferred their personal data to the US
the company listed the safeguards they took, as long as the safeguards taken by Google to secure the data transfer
the DPA found all these measures to be insufficient and ordered the companies to dismiss the use of Google Analytics

What is new in the decisions?

While the core legal issues are the same as all other decisions against Google Analytics, the decisions are interesting in certain aspects.

The first is that fines were issued. In fact, the largest of the four- Swedish telecom giant Tele2- was fined by €1M.

Other data protection authorities have preferred a softer approach so far and only ordered companies to dismiss the use of Google Analytics. It will be interesting to see if more authorities will follow the IMY’s example. If so, Google Analytics could become a costly violation in the future!

Another interesting aspect of the decision is that two of the companies were actually implementing technical safeguards. That is to say, they were actually doing something to try and keep the data safe instead of drafting some compliance fluff in their paperwork, which is something of a rarity.

Unfortunately, the authority found that neither the hashing of cookie identifiers nor the proxying of IP addresses through server-side tagging is enough to keep the data safe. Google collects and controls enormous amounts of data, which they can use to link pseudonymized data to a person. For instance, a hashed identifier can be connected to the browsing data collected through a visitor’s Google account.

Bottom line: Google is collecting so much data- via Google Analytics, Google Accounts, its APIs, its (illegal) advertising trackers on Android devices, and so on- that it is practically impossible to properly anonymize any personal data you provide them.

In other words, Google’s own data-hungry business model is coming back to bite it under the GDPR!

The context

Google Analytics already has a history of being practically banned in EU Member Countries. But the story with data transfers is even longer, and a little recap can clarify the background of the decisions.

From Snowden to Schrems

It all started in 2012 when the Snowden files revealed the existence of extensive and indiscriminate surveillance programs over foreign data in the US. One year later, Austrian citizen Max Schrems (now a well-known privacy activist) filed a complaint against Facebook Ireland. He argued that the transfer of his personal data to US parent company Facebook exposed them to US surveillance and was therefore illegal under EU data protection law. This was the start of a long legal battle: the case was referred twice to the EU Court of Justice, invalidating two data transfer agreements between the EU and the US in the landmark Schrems I and II rulings.

Schrems II was decided in 2020 and tremendously impacted data transfers for two reasons. First, the Court invalidated the Privacy Shield framework, which previously allowed for easy data transfers from the EU to the US. Second, the Court examined standard contractual clauses, a common compliance mechanism for companies wishing to transfer data.

SCCs are a set of standardized clauses drafted by the Commission and are meant to be incorporated into a binding agreement with a recipient. In other words, if you want to transfer data outside the EU, you can implement the SCCs in a contract, and the clauses will tell the other party what they can and cannot do with the data. This is a way to ensure that personal data are transferred safely and confidentially outside the Union. But there is a problem: these clauses only bind the contract parties and do nothing to prevent State surveillance.

With Schrems II, the Court did not invalidate SCCs as a data transfer mechanism but ruled that they must be supplemented by additional safeguards when needed- as is the case with the US. So you can’t just copy-paste them, have the contract signed, and call it a day. You need to make sure SCCs actually work for your data transfer, and if they don’t, you need to make up for this lack of protection in some way. The problem is that this is difficult and sometimes impossible when dealing with State surveillance.

Data transfers post-Schrems II

Right after the Schrems II ruling, privacy NGO noyb (chaired by Schrems) filed a set of 101 strategic complaints against Google Analytics and Facebook Connect, in an attempt to nudge European authorities towards rigorous enforcement of the Schrems II ruling.

Authorities coordinated their approach to the complaints at a European level. As a result, the Austrian, French, Italian, Finnish, Norway, and Swedish privacy watchdogs ruled against Google Analytics when deciding noyb’s complaints (although the Norwegian decision is only preliminary). Additionally and the Danish authority embraced a similar position in a press release.

These decisions say the same thing: Google Analytics cannot keep personal data safe. With coordination at a European level, and the influential French and Italian authorities leading the way, more authorities are likely to follow.

It is worth clarifying that while the decisions formally address a specific website, they are practically a general ban against Google Analytics- because there is little or nothing a company can do to protect personal data from surveillance when using the tool.

Authorities and professionals alike know very well what is at stake. This is why Google Analytics’ legal troubles have received much attention and why the European Data Protection Board ensured a uniform application of Schrems II rather than leaving things up to individual authorities.

More than Google Analytics

It is not just about Google Analytics. Months ago, the Irish authority issued a record €1.2 billion fine against Meta and ordered the company to suspend data transfers for the US (which creates the very real risk of a Facebook blackout for Europe).

And to be clear, web analytics and social networks are the least of the EU’s problems. A strict application of Schrems II could threaten countless US providers, including some currently essential for European businesses- think Oracle or AWS!

The EU and the United States are setting up a new data transfer framework to solve this situation. However, this framework must still be approved by the Member States and- most importantly- survive the announced legal challenge in the EU Court of Justice.

It is difficult to say how a “Schrems III” ruling will play out, but for the moment, the fate of EU-US data transfers remains uncertain.

Conclusion

Ever since the decisions of the French and Italian DPAs, we have been warning that more and more national authorities would take a stance against Google Analytics. Time proved us right. The fines are starting to come in, so this is a good time to ditch Google Analytics!

And let’s not forget that data transfers are the least of Google Analytics’ problems! Google Analytics is a giant surveillance machine that extracts enormous amounts of personal data, combines it with more personal data collected by other services in the Google ecosystem, and feeds it to the privacy dumpster fire that is the real-time bidding system.

If the GDPR was enforced better, Google Analytics would be illegal because of what it does with personal data, regardless of where it goes. We believe we can do better!

Simple Analytics provides you with all the insight you need to grow your business and monitor your campaign without collecting personal data at all! We believe that doing more with less is key to an independent, privacy-friendly web. If this resonates with you, feel feel to give us a try!

Google does not sell your personal data. Its worse

Iron Brands — Tue, 18 Apr 2023 14:44:03 +0000

Google does not sell your data. Not exactly…

In everyday language, selling is giving something away in exchange for something else of value. This is close enough to most legal definitions of sale. And in this sense, it is true enough that Google does not sell your data. Google is not a data broker: a company cannot pay Google to buy emails or IP addresses. But when it comes to privacy, not selling your data is not enough.

Google monetizes personal data in other ways, some of which involve disclosing personal data to third parties. One of those ways is real-time bidding system (RTB) that powers Google Adsense.

In a nutshell, a website makes advertising spaces available for advertisers through Google Adsense’s intermediation. Several advertisers bid for the same advertising spaces whenever a visitor loads a page in an automated real-time auction. This real-time bid involves disclosing personal data to advertisers to cater their ads better.

For instance, let’s say Google figures out that you like guitars- whether through Google Analytics, your Google Maps data, your Google searches, etc. When you visit a website using Google Adsense, a real-time bid for advertising spaces begins, and Google tells advertisers that you like guitars. This allows advertisers to figure out how much an advertising space is worth to them and decide what kind of ad to serve you (this visitor likes guitars, so let’s show them guitars instead of pianos or drums).

This sounds innocuous enough, but it really isn’t. Profiling is based on the collection of thousands of data points about you, including your web searches, the websites you visited, and your location data. This allows for accurate predictions about your personality, behavior, and much more. You may not see ads for medication or sex toys, but that does not mean Google cannot take an educated guess about your medical conditions or sexual inclinations based on the data they have.

If you surf the Internet, chances are your personal data are auctioned dozens, if not hundreds, of times a day. Your data are disclosed to all advertisers participating in each auction- not just the winner. In fact, some data brokers participate in the auctions just to gather as much data as possible. This allows them to profile you and sell the information to the highest bidder because Google has no control over what happens to your data after they are disclosed.

This happens to the data of millions of people every day, as explained in this document by the Irish Council of Civil Liberties.

But it is not a sale, because no one pays for the data. Advertisers buy advertising spaces, and Google gets its cut. Personal data are disclosed in the process, but they are not the goods for sale.

In a way, Google can truthfully claim that it doesn’t sell your data. But from a privacy perspective, it does not matter whether RTB is a sale or not.

To be clear: Google is not the only company doing this. RTB protocols are standard for all major players in the web advertising market. But Google is the dominant player in this market, so it holds a large share of the responsibility. And by insisting on the notion of sale in its disingenuous statements, the company is intentionally diverting the public’s attention

The privacy issues with Google’s products don’t end here- far from it. Android devices track users by default with advertising IDs (which is invasive and probably illegal under the GDPR). Android also tracks all calls and messages without providing any information about the tracking, asking for consent, or even offering an opt-out. And we recently explained how the company recently changed the url for Google Maps to extend location permission to the entire https://www.google.com domain on their browsers.

Google is constantly looking for ways to collect as much data as possible and turn it into as much money as possible.

So does Google sell your data? I will leave that open to interpretation.

Why do I care?

I believe in an independent web that is friendly to website visitors. This is the reason I built a privacy-friendly Google Analytics alternative that collect no personal data and does not use trackers or cookies. If this resonates with you, feel free to give it a try.