Data Processing Agreement
Last updated:
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and Web-Tracking.eu ("Processor", "we", "us"), pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU member state pursuant to Article 51 of the GDPR.
- "Services" means the web analytics services provided by Web-Tracking.eu as described in the Terms of Service.
2. Scope and Roles
The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data collected through the analytics tracking script installed on the Customer's website(s).
Web-Tracking.eu acts as the Data Processor and processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions, as set out in this DPA and the Terms of Service.
3. Categories of Data Subjects
The Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Visitors to the Customer's website(s) where the tracking script is installed
- The Customer and any authorized users of the Customer's account
4. Types of Personal Data
The following types of data are processed in connection with the Services:
4.1 Analytics Data (website visitors)
- Page URLs visited and referrer URLs
- Browser type and version
- Operating system
- Device type and screen resolution
- Country of origin (derived at request time; IP addresses are not stored)
- Language preference
- UTM and campaign parameters
- Custom events as configured by the Controller
4.2 Account Data (customers)
- Email address
- Name (if provided)
- Website domains
- Billing information (processed by LemonSqueezy)
5. Purpose of Processing
The Processor shall process Personal Data solely for the following purposes:
- Providing aggregated web analytics and reporting to the Controller
- Operating, maintaining, and improving the Services
- Processing payments and managing the Controller's subscription
- Providing technical support to the Controller
6. Duration of Processing
Processing shall continue for the duration of the service agreement between the Controller and the Processor. Upon termination, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may export data during this 30-day period.
7. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller.
- Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
8. Security Measures
The Processor implements and maintains the following technical and organizational security measures in accordance with Article 32 of the GDPR:
8.1 Technical Measures
- Encryption of data in transit using TLS 1.3
- Encryption of data at rest for all databases and backups
- Automated security patching and vulnerability management
- Firewall rules and network segmentation
- Intrusion detection and monitoring systems
- Regular automated backups with encrypted storage
- IP addresses are discarded after country derivation and never stored
8.2 Organizational Measures
- Access controls based on the principle of least privilege
- Multi-factor authentication for all administrative access
- Regular review of access permissions
- Incident response procedures and documentation
- Confidentiality obligations for all personnel
9. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.
The Processor currently uses the following sub-processors:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and hosting | Germany (EU) | All service data |
| LemonSqueezy (Lemon Squeezy, LLC) | Payment processing (Merchant of Record) | EU (data processing) | Billing and payment data |
| Migadu | Transactional email | Switzerland | Email addresses |
The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
10. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
Given the privacy-by-design nature of the Services (no IP storage, no cookies, no personal identifiers), analytics data cannot typically be linked to individual Data Subjects. Where a Data Subject request is received that relates to analytics data, the Processor shall inform the Controller and cooperate in fulfilling the request.
11. Data Breach Notification
In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
12. International Data Transfers
The Processor does not transfer Personal Data outside the European Economic Area (EEA). All data processing infrastructure is located in Germany. Should any transfer outside the EEA become necessary, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses where applicable.
13. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Such audits shall:
- Be conducted with reasonable advance notice (at least 30 days)
- Be limited to once per 12-month period, unless required by a Supervisory Authority or in response to a data breach
- Be conducted during normal business hours
- Be subject to reasonable confidentiality obligations
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of the GDPR where such limitation is not permitted under applicable law.
15. Governing Law
This DPA is governed by and construed in accordance with the laws of Denmark. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Denmark, without prejudice to the rights of Data Subjects to lodge complaints with their local Supervisory Authority.
16. Amendments
This DPA may be amended by the Processor to reflect changes in data protection legislation or regulatory guidance. Material changes will be communicated to the Controller at least 30 days before taking effect. The Controller may terminate the Services if they do not agree to the amended DPA.
17. Contact
For questions regarding this Data Processing Agreement, contact us at:
Web-Tracking.eu
Email: dpa@web-tracking.eu