Data Processing Agreement
Last updated: March 12, 2026
This Data Processing Agreement ("DPA") is an addendum to the Terms of Service ("Terms") between you ("Customer", "Data Controller") and Omexa LLC, a Wyoming limited liability company operating as Privatrak ("Privatrak", "Data Processor").
This DPA governs the processing of personal data by Privatrak on behalf of the Customer in connection with the provision of the Privatrak product analytics service ("Service").
By using the Service, you accept this DPA. If you have a separate written DPA with Privatrak, that agreement takes precedence over this document.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR, or equivalent definitions under applicable data protection law.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Data Controller" means the Customer, who determines the purposes and means of Processing Personal Data.
- "Data Processor" means Privatrak, which Processes Personal Data on behalf of the Data Controller.
- "Data Subjects" means the identified or identifiable natural persons whose Personal Data is Processed.
- "Sub-processor" means a third party engaged by Privatrak to assist in the Processing of Personal Data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Applicable Data Protection Law" means the GDPR and any applicable national data protection legislation, including but not limited to the California Consumer Privacy Act (CCPA/CPRA).
2. Scope and Roles
2.1 Roles
- The Customer is the Data Controller. The Customer determines what data is collected from their website visitors and transmitted to Privatrak.
- Privatrak is the Data Processor. Privatrak processes data solely on the instructions of the Customer as configured through the Service.
2.2 Nature of Processing
Privatrak provides a privacy-first product analytics service. The Service is designed to collect no personal data by default:
- No cookies, localStorage, or persistent identifiers
- IP addresses processed transiently in memory for session derivation via HMAC — never stored or logged
- User-Agent strings processed transiently in memory for session derivation via HMAC — never stored or logged
- No browser fingerprinting
- Session identifiers are derived server-side from a daily-rotating HMAC of visitor metadata. They are consistent within a UTC day and deleted during daily aggregation.
- URLs are automatically sanitized to remove potentially identifying parameters
- Timestamps are rounded to the nearest second
2.3 Categories of Data
Default data collected (non-personal by design):
| Data Category | Description | Personal Data? |
|---|---|---|
| Page URLs | Sanitized page paths (IDs replaced with :id, PII params redacted) | No |
| Referrer URLs | Sanitized referral source | No |
| Event types | Pageview, click, form_submit, custom | No |
| Element metadata | Tag name, CSS selector (max 200 chars), text content (max 100 chars) | No |
| Timestamps | Rounded to nearest second by the server before storage | No |
| Session ID | Derived server-side via HMAC from visitor metadata (IP, User-Agent, project ID) using a daily-rotating key. The raw inputs are never stored. Session IDs are consistent within a UTC day and deleted during daily aggregation. | No |
Customer-controlled data (may contain Personal Data):
| Data Category | Description | Personal Data? |
|---|---|---|
| Custom event attributes | Arbitrary key-value pairs set by Customer | Potentially, depending on Customer's implementation |
| Session traits | Arbitrary strings attached to sessions by Customer | Potentially, depending on Customer's implementation |
| Custom tracking attributes | Key-value pairs from data-track-* HTML attributes set by Customer | Potentially, depending on Customer's implementation |
Important: If the Customer chooses to send Personal Data through custom events, traits, or custom tracking attributes (data-track / data-track-*), the Customer is solely responsible for ensuring a lawful basis for that collection and for informing their Data Subjects accordingly.
2.4 Data Subjects
Data Subjects are visitors to the Customer's websites where the Privatrak tracking script is installed.
2.5 Duration
Processing continues for the duration of the Customer's use of the Service. Upon termination, data is handled in accordance with Section 9 of this DPA.
3. Customer Obligations as Data Controller
The Customer shall:
- Determine the lawfulness of all data Processing and ensure a valid legal basis exists
- Provide appropriate privacy notices to Data Subjects regarding the use of Privatrak
- Conduct data protection impact assessments where required
- Respond to and fulfill Data Subject rights requests (with Privatrak's reasonable assistance as described in Section 7)
- Ensure that any Personal Data sent to Privatrak via custom events, traits, or custom tracking attributes is collected lawfully and with appropriate notice to Data Subjects
- Not instruct Privatrak to Process data in violation of Applicable Data Protection Law
- Report data protection incidents to supervisory authorities as required by law
- Implement appropriate technical and organizational measures for data protection within their own systems
4. Privatrak's Obligations as Data Processor
Privatrak shall:
- Process Personal Data only on the documented instructions of the Customer, as configured through the Service interface and API
- Notify the Customer if, in Privatrak's opinion, an instruction infringes Applicable Data Protection Law
- Ensure that all personnel authorized to Process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures (see Section 6)
- Not engage additional Sub-processors without prior notice to the Customer (see Section 5)
- Assist the Customer in responding to Data Subject rights requests, to the extent technically feasible
- Assist the Customer with data protection impact assessments and prior consultations with supervisory authorities, where required
- Make available to the Customer all information necessary to demonstrate compliance with this DPA
- Not Process Personal Data for any purpose other than providing the Service as instructed by the Customer
5. Sub-processors
5.1 Current Sub-processors
Privatrak uses the following Sub-processors:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Hetzner | Application hosting and database | All analytics data, account data | EU |
| Paddle (Paddle.com Market Limited) | Payment processing | Customer billing information | UK/EU |
| Resend (Resend, Inc.) | Transactional email delivery | Customer email addresses | US |
| Google (Google LLC) | OAuth authentication (optional) | Google user ID, email, name | US |
Data location notes:
- All analytics data (events, sessions, aggregates) is stored exclusively in the EU.
- Resend (US-based) processes only Customer email addresses for the purpose of delivering transactional emails. No analytics data or end-user visitor data is shared with Resend.
- Google processes data only for Customers who choose to authenticate via Google OAuth.
- Paddle processes only Customer billing data. No analytics data is shared with Paddle.
5.2 Notification of changes
Privatrak will notify the Customer of any intended changes to Sub-processors (additions or replacements) at least 30 days before the change takes effect, via email or through the Service.
The Customer may object to a new Sub-processor by notifying Privatrak within 30 days of receiving notice. If the objection cannot be resolved, the Customer may terminate the Service.
5.3 Sub-processor obligations
Privatrak ensures that all Sub-processors are bound by data protection obligations no less protective than those in this DPA.
6. Security Measures
Privatrak implements the following technical and organizational measures to protect Personal Data:
Technical measures
- Encryption in transit: All data transmitted between the Customer's website, end-user browsers, and Privatrak's servers is encrypted using HTTPS/TLS.
- Password hashing: Customer passwords are hashed using bcrypt with a cost factor of 12.
- Token hashing: Session tokens and API keys are hashed using SHA-256 before storage.
- Database security: All database queries use parameterized statements to prevent SQL injection. Database access is restricted to application servers via private networking.
- Data minimization by design: The Service is architecturally designed to avoid collecting Personal Data. IP addresses and User-Agent strings are processed only in memory for HMAC session derivation and immediately discarded — they are never stored or logged. Session identifiers are derived from a daily-rotating key and deleted during aggregation.
- No PII in server logs: Application logs, reverse proxy logs, and monitoring systems record only request method, URL path, HTTP status code, and response time. Visitor IP addresses, User-Agent strings, and request headers are never written to any log, log aggregation system, or monitoring platform.
- Automatic data sanitization: By default, URL paths are sanitized to replace numeric IDs, UUIDs, and hex strings with placeholders. All sanitization settings are configurable per project by the Customer. Query parameters that may contain PII (email, token, key, password, secret) are automatically redacted.
- Sensitive field exclusion: Password inputs, credit card fields, and hidden form fields are always excluded from interaction tracking, regardless of Customer configuration.
Organizational measures
- Access to production systems is restricted to authorized personnel.
- All personnel with access to Personal Data are bound by confidentiality obligations.
- Security practices are reviewed and updated regularly.
7. Data Subject Rights
7.1 Assistance
If Privatrak receives a request directly from a Data Subject regarding data processed on behalf of the Customer, Privatrak will promptly notify the Customer and will not respond to the request directly unless instructed by the Customer or required by law.
7.2 Technical limitations
Due to the privacy-first design of the Service, Data Subject requests may be technically infeasible to fulfill for analytics data, because:
- Analytics events are not linked to identifiable individuals by default
- Session identifiers are derived from an irreversible HMAC with a daily-rotating key and cannot be traced back to a specific person
- No IP addresses are stored — they are used only transiently for session derivation
If the Customer has sent Personal Data via custom events, the Customer is responsible for maintaining the mapping necessary to identify and respond to Data Subject requests. Privatrak will assist with deletion or access requests to the extent technically feasible.
8. Data Breach Notification
8.1 Notification
In the event of a Personal Data breach (as defined in Article 4(12) of the GDPR), Privatrak will notify the Customer without undue delay and in any event no later than 48 hours after becoming aware of the breach.
8.2 Notification content
The notification will include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and data records concerned
- The name and contact details of a point of contact at Privatrak
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and mitigate its effects
8.3 Customer obligations
The Customer is responsible for notifying affected Data Subjects and supervisory authorities as required by Applicable Data Protection Law.
9. Data Retention and Deletion
9.1 Retention during service
Analytics data is retained in accordance with the Customer's subscription plan:
| Plan | Retention Period |
|---|---|
| Free | 30 days |
| Starter | 90 days |
| Pro | 365 days |
Data older than the retention period is automatically and permanently deleted through a scheduled cleanup process that runs hourly.
9.2 Deletion upon termination
Upon termination of the Service:
- If the Customer deletes their account, all data is permanently deleted immediately.
- If the Customer cancels their subscription, data is subject to the free tier's retention policy (30 days).
- Privatrak does not retain Customer analytics data after account deletion.
9.3 No recovery
Deleted data cannot be recovered. The Customer should ensure they have captured any data they wish to retain before account deletion or termination.
10. International Data Transfers
10.1 Data location
All analytics data processed by Privatrak is stored in the European Union. The primary data processing infrastructure is located within the EU.
10.2 Transfers outside the EU
The following Sub-processors may process limited categories of data outside the EU:
| Sub-processor | Location | Data | Transfer Mechanism |
|---|---|---|---|
| Resend | US | Customer email addresses only | Standard Contractual Clauses (SCCs) |
| Google | US | OAuth user ID, email, name (optional) | Standard Contractual Clauses (SCCs) |
No analytics data or end-user visitor data is transferred outside the EU.
10.3 Standard Contractual Clauses
Where Personal Data is transferred to a country outside the EU/EEA that does not benefit from an adequacy decision, Privatrak ensures that appropriate safeguards are in place, including the European Commission's Standard Contractual Clauses (SCCs) as adopted under Commission Implementing Decision (EU) 2021/914.
11. Audits
The Customer may, upon reasonable notice and at the Customer's expense, request information necessary to verify Privatrak's compliance with this DPA. Privatrak will respond to reasonable audit requests in a timely manner.
If an on-site audit is required, the parties will mutually agree on the scope, timing, and duration of the audit, which shall not unreasonably disrupt Privatrak's operations.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
Each party shall indemnify the other against any costs, claims, damages, or expenses incurred as a result of the indemnifying party's breach of this DPA or Applicable Data Protection Law, subject to the limitations in the Terms.
13. Term and Termination
This DPA is effective from the date the Customer begins using the Service and remains in effect for the duration of the Customer's use of the Service.
Obligations related to confidentiality and data deletion survive termination of this DPA.
If Privatrak materially breaches this DPA and fails to cure the breach within 30 days of receiving written notice, the Customer may terminate the Service.
14. Miscellaneous
- This DPA is governed by the laws of the State of Wyoming, United States, without regard to its conflict of law provisions. For Customers in the EU/EEA, this does not affect the applicability of the GDPR or the jurisdiction of EU data protection authorities.
- In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
- This DPA may be updated by Privatrak with 30 days' notice. Continued use of the Service after the notice period constitutes acceptance of the updated DPA.
- The Customer may share this DPA with their own customers and data protection authorities.
15. Contact
For questions about this DPA or data protection matters:
Email: privacy@privatrak.com
Omexa LLC, Wyoming, United States