Data Processing Agreement (DPA)
Last updated: 2026-06-03
1. Roles and subject matter
1.1. For data collected via the Stats script on the User's websites: the User is the controller and the Operator is the processor.
1.2. The Operator processes such data solely to provide the Service (collecting and analyzing traffic statistics) for the User.
1.3. The User's account data (email, billing data) is processed by the Operator as a separate controller — see the Privacy Policy; it is not subject to this DPA.
2. Nature, purpose, duration and data types
- Nature and purpose: collecting, storing and providing the User with traffic statistics in a privacy-friendly manner.
- Duration: for the term of the Service agreement and in line with the selected Plan's visible-retention period; physical cleanup of analytics stores, logs and technical backups follows TTL and backup policy.
- Categories of data subjects: visitors to the User's websites.
- Types of data: technical and event data (e.g. a hashed visit identifier rotating every 24h, URL, referrer, country/region, device and browser type, events). The Service is not intended to collect directly identifying data or special categories of data (Art. 9 GDPR).
3. Processing on instructions
The Operator processes data only on the User's documented instructions, which consist of using the Service in accordance with the Terms and account settings, unless required by EU or Member State law.
4. Confidentiality
The Operator ensures that persons authorized to process the data have committed to confidentiality or are under an appropriate statutory obligation.
5. Security (Art. 32 GDPR)
The Operator implements appropriate technical and organizational measures: encrypted connections (TLS), password hashing, access control and least-privilege, data minimization (e.g. no storage of a full, identifying IP address), environment separation and backups. Details in Annex B.
6. Sub-processors
6.1. The User grants the Operator general authorization to engage the sub-processors listed in Annex A.
6.2. The Operator imposes on each sub-processor data-protection obligations no less protective than those in this DPA and remains liable for their acts.
6.3. The Operator will notify intended changes to sub-processors (additions/replacements) by updating Annex A with a date; the User may object on reasonable data-protection grounds via the Contact page.
7. Assistance to the controller
The Operator assists the User, as far as possible, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) and in meeting obligations under Arts. 32–36 GDPR. The Operator notifies the User without undue delay of any personal-data breach it becomes aware of.
8. Transfers outside the EEA
Where a sub-processor processes data outside the European Economic Area, it is based on an adequacy decision or appropriate safeguards (e.g. EU Standard Contractual Clauses). Location and basis are stated in Annex A.
9. Deletion or return of data
Upon termination of the Service, the Operator deletes, blocks access to or returns the data at the User's choice where technically possible, unless retention is required by law. The User may also delete their account from settings; access to the account, sites and stats is then blocked, while physical cleanup of analytics stores, logs and technical backups follows TTL, cleanup schedules and backup policy.
10. Audit and information
The Operator makes available information necessary to demonstrate compliance with Art. 28 GDPR and allows for audits (including inspections) to a reasonable extent, subject to prior arrangement and to protecting the confidentiality and security of other customers.
11. Term
This DPA applies for as long as the Operator processes data on behalf of the User. In case of conflict with the Terms, this DPA prevails with respect to the processing of personal data.
Annex A — Sub-processors
Parties processing, on our behalf, data collected via the script on the User's websites. Updated with a date upon each change.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hosting / server infrastructure provider | Storing and processing Service data (application and database servers) | European Union | N/A (EEA) |
Payment providers (Stripe, PayU, Paddle) process only the account holder's billing data — not visitors' data — and are described in the Privacy Policy (section 5). Outgoing email is handled by the Operator's own server, and geolocation is performed locally from a built-in database (visitor data is not shared with third parties for this purpose).
Annex B — Security measures
- encryption in transit (TLS/HTTPS),
- password hashing, protection of login credentials,
- role-based access control and least-privilege,
- data minimization (no storage of a full, identifying IP address; rotating visit identifier),
- backups and environment separation,
- security monitoring and event logging.
Contact
For matters regarding this DPA, use the Contact page.