Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) is entered into between Humblytics (the “Processor”) and the customer (the “Controller”) as an addendum to the Humblytics Terms of Service (“Principal Agreement”). It reflects the parties’ obligations regarding the processing of personal data under the EU General Data Protection Regulation (GDPR). In case of conflict between this DPA and the Principal Agreement, this DPA will prevail. Both parties agree to the following terms in order to ensure compliance with GDPR and other applicable data protection laws:

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed under this DPA, as defined in Article 4 of the GDPR. “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” shall have the meanings given in GDPR.

“Subprocessor” means any third party engaged by Processor to assist in processing Personal Data on behalf of the Controller. “Standard Contractual Clauses” (SCCs) means the standard data protection clauses adopted by the European Commission for transfers of personal data to third countries.

2. Role of the Parties

Controller and Processor. The Controller is the entity that determines the purposes and means of processing Personal Data. The Processor (Humblytics) provides a cookieless analytics, A/B testing, and conversion optimization platform (“the Service”) and will process Personal Data only on behalf of and in accordance with the Controller’s documented instructions and this DPA. The Controller appoints Humblytics as a Processor to process the Personal Data solely for the purpose of providing the Service and related technical support, as described in the Principal Agreement. Humblytics shall not process Personal Data for any purpose other than for performing the Services and as lawfully instructed by the Controller.

Controller Instructions. The Controller warrants that its instructions shall comply with Data Protection Laws. If the Processor believes any instruction violates GDPR or other applicable law, it will promptly inform the Controller. Processor will not materially modify the nature or purpose of the processing without Controller’s written authorization.

3. Scope of Processing

Subject Matter and Duration. The subject matter of the processing is the provision of web analytics, heatmaps, funnel analysis, and A/B testing services by the Processor to the Controller. The duration of processing shall be for the term of the Principal Agreement and until deletion of all Personal Data in accordance with this DPA. Processor shall discontinue processing of Personal Data upon termination or expiration of the Principal Agreement and either delete or return the data as described in Section 13.

Nature and Purpose of Processing. The Processor will process Personal Data to track and report on website user interactions, measure conversions, run split-tests, and provide aggregated insights to the Controller. This includes collecting website usage data and performing analysis in a privacy-centric manner (without using cookies) to help the Controller optimize its websites and marketing.

Categories of Data Subjects. The Personal Data processed relates to the following categories of Data Subjects: (a) Website Visitors – individuals who visit or interact with the Controller’s websites or applications that have integrated Humblytics analytics; and (b) Controller’s Personnel – individuals authorized by Controller to use the Humblytics platform (e.g. the Controller’s employees or contractors, whose contact details are processed for account creation, billing, or support).

Types of Personal Data. The Controller acknowledges and agrees that the Processor will process the following categories of Personal Data on behalf of the Controller:

• Website Usage Data: Online identifiers and analytics data about website visits, such as page views, clicks, scroll events, referrer URLs, timestamps, and device/browser information. This data is pseudonymized – Humblytics does not use any cookies or persistent client-side identifiers, but instead generates a one-way hashed identifier derived from the visitor’s IP address and device traits. Raw IP addresses are masked/discarded immediately after hashing, so precise location data is not retained. Only coarse geolocation or derived metrics may be used (e.g. city or country, if at all, and only in anonymized form). All analytics are tied to pseudonymous IDs, not directly identifiable individuals, in order to maintain user privacy.

• Website Domain and Configuration Data: The domains or URLs of websites monitored (e.g. “example.com”) and site configuration details necessary to provide the Service (this may include non-personal data such as site names or page titles for reporting).

• Contact and Account Data: Business contact information of the Controller’s authorized users, such as names, work email addresses, and billing details provided when creating a Humblytics account or subscribing to the Service. This is used for account management, authentication, service-related communications, and billing.

• Support and Communication Data: Any personal data contained in communications with Processor’s support channels (e.g. via email, chat, or dedicated Slack channel) or feedback the Controller provides. This may include names, emails, or other personal identifiers that a Controller’s representative or a website visitor (in case of support chat) voluntarily shares when seeking support.

The parties do not anticipate the processing of any special categories of personal data (as defined in Article 9 GDPR) via the Service. The Controller shall not use the Service to intentionally collect or transmit sensitive personal data. The Service is not intended for use by children under 16, and the Processor does not knowingly process data of children.

[The document continues with Sections 4 through 14, covering lawful basis, obligations, subprocessors, international transfers, data subject rights, security measures, breach notification, audits, return/deletion of data, and general provisions, as outlined in the original draft.