Legal/Data Processing Addendum

Data Processing Addendum

How Analyse processes personal data on behalf of its customers as a processor under Article 28 GDPR — scope, security, sub-processors, transfers, and deletion.

Last updated: July 6, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", acting as the data controller) and Breukers Willem Albertus E.E., trading as "VertCode Development" and "Analyse", Valaoritou 1, TK 10671, Athens, Greece (GEMI 186520701000, VAT: 802973201) ("Analyse", "we", "us", acting as the data processor). It applies whenever we process personal data on your behalf while providing the service, and it reflects our obligations under Article 28 of the GDPR. Where this DPA conflicts with the Terms of Service on the processing of personal data, this DPA prevails.

1. Roles

For personal data processed through your use of the service (your website analytics, and data from integrations you connect), you are the data controller and Analyse is your data processor. You are responsible for having a lawful basis for the processing and for your own notices and disclosures to data subjects. We process this data only to provide the service to you.

2. Subject matter, nature and purpose

We process personal data to provide privacy-first website analytics and the related features you enable. This includes receiving analytics events from your websites. We do not sell personal data and do not use it for our own advertising.

3. Duration

We process personal data for as long as your subscription is active and you continue to use the relevant features, and until deletion in line with section 9.

4. Categories of data subjects and personal data

Data subjectsPersonal data
Visitors of your websitesAggregate, cookieless analytics events. Our tracking script sets no cookies, stores nothing on visitors' devices, and collects no cross-site identifiers.

You must not send us special categories of personal data (Article 9 GDPR) through the service.

5. Our obligations as processor

We will:

  • process personal data only on your documented instructions, including the instructions embodied in your configuration of the service, unless required to act otherwise by EU or member state law (in which case we will inform you, unless the law prohibits it);
  • ensure that people authorized to process the data are bound by confidentiality;
  • implement the technical and organizational security measures described in section 6, as required by Article 32 GDPR;
  • respect the conditions in section 7 for engaging sub-processors;
  • assist you, taking into account the nature of the processing, in responding to data subject requests to exercise their rights;
  • assist you in meeting your obligations under Articles 32 to 36 GDPR (security, breach notification, and data protection impact assessments), taking into account the information available to us;
  • delete or return the data as set out in section 9; and
  • make available the information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as set out in section 8.

6. Security measures

We maintain measures appropriate to the risk, including: encryption of personal data in transit (TLS) and of sensitive credentials at rest; access controls limiting access to authorized personnel on a need-to-know basis; hosting of analytics data on infrastructure located in the EU; pseudonymisation and data minimisation by design (our tracking is cookieless and we avoid collecting directly identifying fields); and logging and monitoring for abuse and unauthorized access.

7. Sub-processors

You give general authorization for us to engage the sub-processors listed in the "Subprocessors" section of our Privacy Policy, which we keep current. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Where a sub-processor is outside the EEA, transfers are covered by EU Standard Contractual Clauses.

We will give you advance notice of any intended addition or replacement of a sub-processor by updating the list and, for material changes affecting account holders, by email or in-app notice. If you have a reasonable, data-protection-based objection, tell us within 30 days and we will work in good faith to address it; if we cannot, you may terminate the affected part of the service.

Note: a platform you connect yourself, such as your CMS or a social network, is your own service provider and the source of the data, not a sub-processor engaged by us.

8. Assistance and audits

We will respond to your reasonable requests for information needed to demonstrate our compliance with this DPA. You may audit that compliance no more than once a year (and after a personal data breach affecting your data), on reasonable notice, in a way that does not compromise the security or confidentiality of other customers. Our up-to-date documentation and answers to your questions will ordinarily satisfy an audit.

9. Deletion and return

On termination of the service, or on your earlier instruction, we will delete the personal data we process on your behalf, unless EU or member state law requires us to retain it. You control your analytics data throughout the term and can delete a site or your workspace, which removes the associated analytics records from our systems.

10. Personal data breaches

If we become aware of a personal data breach affecting personal data we process for you, we will notify you without undue delay and provide the information you reasonably need to meet your own notification obligations.

11. International transfers

Analytics data is hosted in the EU. Where a transfer of personal data outside the EEA is involved (for example, a sub-processor located outside the EEA), that transfer is protected by EU Standard Contractual Clauses or another valid transfer mechanism.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

13. Contact

For any matter under this DPA, including data subject requests you need our help with, email [email protected].