What is Humblytics and how is it different from other A/B testing tools?

Humblytics is an all-in-one A/B testing software and CRO platform that combines split testing, heatmaps, funnel analytics, and AI-powered test hypothesis generation. Unlike tools like Optimizely or VWO that require developers, our visual editor lets marketers launch A/B tests without code.

How do I run A/B split tests without developers?

Our visual A/B testing editor lets you create and run split tests without any coding. Simply select elements on your page, create variations, set traffic allocation, and launch. The platform automatically splits traffic and calculates statistical significance in real-time.

Is Humblytics GDPR compliant?

Yes, Humblytics is fully GDPR compliant. Our cookie-free analytics stores no cookies or local storage identifiers. Visitors are anonymized via a one-way hash, eliminating the need for consent banners.

Will the A/B testing script slow down my website?

No. The Humblytics script is only 36 KB, loads asynchronously, and is served over a global CDN. It won't impact your Core Web Vitals scores.

Does Humblytics work with Webflow, Framer, and Shopify?

Yes! Our A/B testing software integrates with all major platforms including Webflow, Framer, Shopify, WordPress, Squarespace, and custom-built sites.

All Legal Documents

Data Processing Addendum

Effective date: January 2026

This Data Processing Addendum ("DPA") is entered into between Humblytics, 14985427 CANADA INC., (the "processor") and the customer (the "controller") as an addendum to the Humblytics Terms of Service ("Principal Agreement"). It reflects the parties' obligations regarding the processing of personal data under the EU General Data Protection Regulation (GDPR). In case of conflict between this DPA and the Principal Agreement, this DPA will prevail.

For the processing of personal data on the instructions of the controller by the processor in order to comply with the requirements of Art. 28 (3) and (4) GDPR, the current standard contractual clauses, based on the Implementing Decision of the EU Commission (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors pursuant to Art. 28 (7) GDPR, (EU-SCC).

The official EU SCC (EU-EEA) are available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0915 subject to the following conditions:

Clause 1 (a) applies OPTION 1 (Article 28 (3) and (4) GDPR).
Clause 5 will not apply.
In clause 7.7, OPTION 2 will apply, and the time period for prior notification of subprocessor changes is set at 14 days.
In clause 8 lit. c) no. 4), option 1 is applied.
In clause 9.1.b) and clause 9.1.c) and clause 9.2, OPTION 1 is applicable in each case.

In the event of a transfer of personal data to a third country, the current standard contractual clauses based on the Implementing Decision of the EU Commission (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council apply.

The official EU SCC (Third Country) are available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 subject to the following conditions:

Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply (as applicable):

in Clause 7, the optional docking clause will not apply;
in Clause 9, Option 2 will apply, and the time period for prior notification of subprocessor changes is set at 14 days;
in Clause 11, the optional passage will not apply;
in Clause 17, Option 1 will apply, and the EU SCCs will be governed by German law;
in Clause 18 (b), disputes shall be resolved before the courts of Germany;
Annexes I-IV are part of this Data Processing Agreement.

ANNEX I AND ANNEX II (SCC EU-EEA), ANNEX I (SCC THIRD COUNTRY)

List of Parties, Description of the Processing, Description of Transfer and Competent Supervisory Authority

A. List of Parties

The parties are determined by the main contract (Principal Agreement).

B. Description of the Processing and Description of Transfer

Categories of data subjects	Website visitors
Categories of personal data	IP-Address, user device characteristics
Nature of the processing	Technical processing of access data for statistical web analytics; data are pseudonymised or anonymised at the earliest possible stage
Purpose(s) of the processing	Analysis of website usage to improve functionality and user experience
Description of the transfer	Personal data are in principle processed within the European Union. Should any processing involve a transfer to a third country, such transfer will take place on the basis of these Standard Contractual Clauses (SCC Third country).

Competent Supervisory Authority

The competent supervisory authority pursuant to Clause 13 is the lead supervisory authority of the Data Exporter as determined under Art. 56 GDPR.

ANNEX III (SCC EU-EEA) Annex II (SCC THIRD COUNTRY)

Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

1. Physical Access Control

Access control system, badge reader
Door locks
Security doors / windows
Alarm system
Video surveillance
Special protective measures for the storage of back-ups and/or other data carriers

2. Digital Access Control

Personal and individual user log-in when logging on to the system or company network
Authorization process for access permissions
Limitation of authorized users
Single sign-on
Password procedure (specification of password parameters in terms of complexity and update interval)
Electronic documentation of passwords and protection of this documentation against unauthorized access
Personalized smart cards, tokens, PIN/TAN, etc.
Logging the access
Additional system log-in for certain applications
Automatic locking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)
Firewall

3. Data Access Control

Management and documentation of differentiated authorizations
Conclusion of contracts for commissioned data processing for the external care, maintenance and repair of data processing systems, insofar as the processing of personal data, i.e. the handling of personal data, is the subject of the service in the case of remote maintenance.
Evaluations/logging of data processing operations
Authorization process for permissions
Approval routines
Non-reversible erasure of data carriers
Privacy films for mobile data processing systems

4. Transfer Control

Encryption of email or email attachments
Secured file transfer
Secure data transport
Electronic signature
Secured WLAN
Data Loss Prevention (DLP) System
Regulation on handling mobile storage media
Logging of data transmission or data transport
Logging of read accesses
Logging the copying, modification, or removal of data

5. Input Control

Access rights
System-side logging
Document Management System (DMS) with change history
Security / logging software
Functional responsibilities, organizationally defined responsibilities
Multi-eye principle
Data Loss Prevention (DLP) System

6. Order Control

Agreement on commissioned processing with regulations on the rights and obligations of the contractor and client
Process for issuing and/or following instructions
Determination of contact persons and/or responsible employees
Control/verification of order execution according to instructions
Training/instruction of all employees with access rights at the contractor's premises
Obligation of employees to maintain data secrecy

7. Availability Control

Security concept for software and IT applications
Back-Up Procedure
Storage process for back-ups (fire-protected safe, separate fire compartment, etc.)
Ensuring data storage in the secured network
Fire and/or extinguishing water protection of the server room
Fire and/or extinguishing water protection of the archiving premises
Virus protection
Firewall

8. Separation Control

Storage of data records in physically separate databases
Processing on separate systems
Access permissions according to functional responsibility
Multi-client capability of IT systems
Use of test data, Separation of development and production environment

9. Pseudonymization

Personal data will be pseudonymized or anonymized at the earliest possible point in time.

10. Procedures for Regular Review, Assessment and Evaluation

Procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures:

a) Data Protection Management

Appointment of a data protection officer
Obligation of employees to data secrecy
Sufficient training of employees in data protection matters
Keeping an overview of processing activities (Art. 30 GDPR)

b) Incident Response Management

Data Protection Breach Notification Process pursuant to Art. 4 No. 12 of the GDPR vis-à-vis the Supervisory Authorities (Art. 33 of the GDPR)
Data breach notification process pursuant to Art. 4 No. 12 DSGVO vis-à-vis data subjects (Art. 34 DSGVO)
Data Protection Breach Notification Process Pursuant to Art. 4 No. 12 of the GDPR vis-à-vis Contracting Authorities (Art. 28 (3) sentence 2 f) of the GDPR)

ANNEX IV (SCC EU-EEA) ANNEX III (SCC THIRD COUNTRY) - List of Sub-Processors

The controller has authorised the use of the following sub-processors:

Render Services Inc.

525 Brannan Street, Suite 300, San Francisco, CA 94107

Hosting application servers & PostgreSQL DB, User accounts, app config, session tokens. Location: EU. DPA, EU-SCC, Certified under data privacy framework.

Tinybird, Inc.

41 East 11th Street, 11th floor, New York, NY 10003, USA

Analytics metrics database, aggregated event data, anonymized IDs. Location: EU. DPA, EU-SCC.

Cloudflare Germany GmbH

Rosental 7, c/o Mindspace, 80331 München

DNS, CDN, screenshot storage for heatmaps, website screenshot data. Location: EU.