Data Processing Agreement
Last updated: December 17, 2025
Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Supalytics ("Processor", "we", "us") and the customer ("Controller", "you") using our web analytics service.
Important Note: Because Supalytics does not collect personal data from website visitors, a traditional DPA may not be legally required. However, we provide this document for transparency and to address our handling of your account data.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, etc.)
- Controller: The entity that determines the purposes and means of processing
- Processor: The entity that processes personal data on behalf of the controller
- Sub-processor: A third party engaged by the processor to process personal data
Scope of Processing
What We Process
Account Data (Personal Data):
- Email address
- Name (if provided)
- Profile picture (if using Google sign-in)
Analytics Data (Non-Personal Data):
- Anonymized visitor statistics
- Aggregated traffic metrics
- No individual visitor identification
Data We Do NOT Process
We do not collect or process:
- IP addresses (used transiently as input to a hash while a request is handled, then discarded; the raw address is never stored)
- Cookies or browser storage identifiers
- Personal data from website visitors
- Any data that could identify individual visitors
Roles and Responsibilities
Our Role
For account data: We act as a data controller for our own legitimate business purposes (providing the service, billing, support).
For analytics data: Because the data is anonymized and cannot identify individuals, it does not constitute personal data under GDPR. We process this data to provide you with analytics insights.
Your Role
You are the data controller for:
- Your own account information
- Decisions about which websites to track
- How you use and share analytics insights
Data Security
We implement appropriate technical and organizational measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections |
| Encryption at rest | AES-256 for stored data |
| Access controls | Role-based access, MFA for staff |
| Infrastructure | EU-based servers only |
| Monitoring | Security logging and alerting |
| Updates | Regular security patches |
Sub-processors
We use the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Database & backend hosting | Amsterdam, Netherlands |
| Vercel | Frontend hosting | Frankfurt, Germany |
| Tinybird | Analytics database | Frankfurt, Germany |
| Stripe | Payment processing | EU (with US parent) |
| Google | OAuth authentication (optional, if using Google sign-in) | Global |
| Cloudflare | CDN & DDoS protection | Global edge network |
We will notify you of any changes to sub-processors via email or our changelog.
Data Transfers
All analytics data is processed and stored within the European Union. We do not transfer visitor data outside the EU.
For account data, limited transfers may occur:
- Stripe (payments): EU-US Data Privacy Framework certified
- Google (if using OAuth): Standard Contractual Clauses apply
Data Subject Rights
We will assist you in responding to data subject requests:
- Access requests: Export your data from the dashboard
- Deletion requests: Delete your account from Settings
- Other requests: Contact support@supalytics.co
For visitor data: Since we don't collect personal data from visitors, there is no personal data to access, correct, or delete.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Analytics data | Until account deletion |
| Backup data | 30 days after deletion |
| Logs | 90 days |
Security Incidents
In the event of a data breach affecting personal data:
- We will notify you within 72 hours of becoming aware
- We will provide details of the breach and affected data
- We will cooperate with your notification obligations
- We will take steps to mitigate the breach
Audit Rights
Upon reasonable request and subject to confidentiality obligations:
- We will provide documentation of our security measures
- We will answer questions about our data processing
- We will make available audit reports (SOC 2 when available)
Term and Termination
This DPA is effective as long as you use Supalytics. Upon termination:
- We will stop processing your data
- We will delete your data within 30 days
- We will provide data export upon request
Liability
Our liability under this DPA is subject to the limitations in our Terms of Service.
Contact
For DPA-related inquiries:
- Email: support@supalytics.co
- Subject: "DPA Inquiry"