← Back to Agent Analytics

Data Processing Agreement

Last updated: February 11, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Agent Analytics ("Processor", "we", "us") for the use of the Agent Analytics platform.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies when the Processor processes personal data on behalf of the Controller in connection with the service.

By using Agent Analytics, you accept and agree to be bound by this DPA. No separate signature is required.

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
• "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Roles and Scope

Controller: You (the Customer) determine the purposes and means of processing analytics data collected from your website visitors.

Processor: Agent Analytics processes analytics data on your behalf solely to provide the service as described in the Terms of Service.

Scope of processing:

• Data subjects: Visitors to the Customer's websites and applications.
• Categories of data: Analytics event data (page URLs, referrers, screen resolution, browser/OS information, device type, language, UTM parameters, anonymous visitor IDs, session IDs, custom event names and properties).
• Purpose: Storing, aggregating, and serving analytics data back to the Customer via API and dashboard.
• Duration: For the duration of the Customer's use of the service, plus any retention period specified by the Customer's plan.

3. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by applicable law.
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5).
4. Not engage another processor (Subprocessor) without prior general authorization from the Controller (see Section 6).
5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
6. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, and data protection impact assessments.
7. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
8. Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4. Controller Obligations

The Controller shall:

1. Ensure there is a lawful basis for the processing of Personal Data.
2. Not send prohibited data categories as defined in the Terms of Service (Section 3).
3. Provide any necessary notices to and obtain any necessary consents from data subjects as required by applicable law.

5. Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data:

• Encryption in transit: All data transmitted to and from the service is encrypted using TLS 1.2 or higher.
• Encryption at rest: All data stored in Cloudflare D1 databases is encrypted at rest.
• Database isolation: Each Customer's analytics data is stored in a separate, isolated Cloudflare D1 database. No Customer can access another Customer's data.
• Authentication: Dashboard access is protected by OAuth (GitHub/Google). API access requires secret API keys. Session cookies are HttpOnly and Secure.
• Access control: Only the Customer and authorized Agent Analytics personnel can access Customer data. Personnel access is limited to what is necessary for service operation and support.
• No IP collection: The analytics tracker does not collect or store visitor IP addresses.
• No cookies: The analytics tracker does not use cookies, reducing the surface area for data exposure.

6. Subprocessors

The Controller provides general authorization for the Processor to engage the following Subprocessors. The Processor will notify the Controller of any intended changes to this list by updating this page. The Controller may object to a new Subprocessor by ceasing use of the service.

Subprocessor	Purpose	Location
Cloudflare, Inc.	Infrastructure, hosting, database (D1), KV storage, edge compute (Workers), CDN, DDoS protection	Global (edge network)
Lemonsqueezy Inc.	Payment processing, subscription management, billing	United States
GitHub (Microsoft Corp.)	OAuth authentication (email and profile scope only)	United States
Google LLC	OAuth authentication (email and profile scope only)	United States

7. Data Breach Notification

In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, the Processor shall:

1. Notify the Controller without undue delay and in any case within 48 hours of becoming aware of the breach.
2. Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the breach under applicable law.
3. Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

Notification will be sent to the email address associated with the Controller's account.

8. Data Subject Requests

If the Processor receives a request from a data subject to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, or objection), the Processor shall promptly notify the Controller. The Processor shall assist the Controller in fulfilling such requests to the extent technically feasible.

Customers can delete their account and all associated analytics data through the account settings page at app.agentanalytics.sh, or by contacting us at [email protected].

9. Data Deletion

Upon termination of the service or upon the Controller's written request, the Processor shall delete all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires retention. This includes deleting the Customer's isolated D1 database and any associated records in the control plane.

10. Audit Rights

The Controller has the right to verify the Processor's compliance with this DPA. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance. The Controller may conduct an audit, or mandate an independent third-party auditor to conduct an audit, subject to reasonable notice and during normal business hours.

Audits shall be conducted no more than once per calendar year unless a Data Breach has occurred or a supervisory authority requests an audit.

11. International Data Transfers

Personal Data may be processed in countries outside the EEA as part of Cloudflare's global edge network. Cloudflare has implemented appropriate safeguards for international data transfers, including Standard Contractual Clauses (SCCs) where applicable. Details are available in Cloudflare's Data Processing Addendum.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws that govern the Terms of Service. For matters relating to GDPR, the supervisory authority of the Controller's establishment shall have jurisdiction.

14. Changes to This DPA

We may update this DPA from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated DPA.

15. Contact

For questions about this DPA or to exercise any rights under it, contact us at [email protected].

---

Agent Analytics · Privacy Policy · Terms of Service