Data Processing Agreement
Last updated: March 23, 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between Asuna Labs (“Data Processor”, “we”, “us”) and you (“Data Controller”, “Customer”) for the use of the EngageTrack analytics service (the “Service”).
This DPA is entered into in compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and supplements our Terms of Service and Privacy Policy.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, aggregation, and erasure.
- “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates — in the context of the Service, typically a visitor to the Customer's website.
- “Sub-processor” means any third party engaged by the Data Processor to assist in the Processing of Personal Data on behalf of the Data Controller.
3. Roles & Responsibilities
3.1 The Customer as Data Controller
You determine the purposes and means of processing visitor data by choosing to install the EngageTrack tracking script on your website. You are responsible for:
- Ensuring you have a lawful basis for processing visitor data (legitimate interest for the default memory mode; consent required if you enable storage mode)
- Updating your own privacy policy to disclose the use of EngageTrack
- Responding to data subject access requests from your visitors
- Determining which optional data is sent via the identify() API
3.2 Asuna Labs as Data Processor
We process Personal Data solely on your behalf and in accordance with your documented instructions (i.e., your use of the Service). We are responsible for:
- Processing data only as necessary to provide the Service
- Implementing appropriate technical and organizational security measures
- Assisting you in fulfilling your obligations to data subjects
- Notifying you of any personal data breach without undue delay
4. Subject Matter & Scope of Processing
4.1 Purpose
The purpose of data processing is to provide website analytics — aggregating visitor behavior into anonymized insights presented via the EngageTrack dashboard.
4.2 Categories of Data Subjects
- Visitors to websites that have installed the EngageTrack tracking script
- Optionally, identified users via the identify() API
4.3 Types of Personal Data Processed
The following categories of data may constitute Personal Data under certain circumstances:
| Category | Data Points | Retention Basis |
|---|---|---|
| Visitor identifiers | Default (memory mode): server-side daily-rotating hash only — no client storage. Optional (storage mode): client-generated UUID in localStorage. | Duration of subscription |
| Geolocation | Country, region, city, approximate coordinates (derived from IP via MaxMind; IP discarded after lookup) | Duration of subscription |
| Technical metadata | Browser, OS, device type, screen size | Duration of subscription |
| Behavioral data | Page URLs, referrer, UTM parameters, event types, scroll depth, time on page | Duration of subscription |
| Revenue data (optional) | Purchase amount, currency, order ID | Duration of subscription |
| Identity data (optional) | User ID, email, name — only when Customer calls identify() | Duration of subscription |
| Interaction data (optional) | Email addresses (captured from mailto: link clicks) and phone numbers (captured from tel: link clicks) when phone/email tracking is enabled on the Customer's website | Duration of subscription |
4.4 Duration
Processing will continue for the duration of the Customer's active subscription. Upon termination, active and indexed data is retained for 30 days to allow export, after which it is permanently deleted from live systems. Backup copies are purged within 90 days of termination. See Section 11 for full deletion and return terms.
5. Technical & Organizational Security Measures
We implement the following measures to protect Personal Data in accordance with Article 32 of the GDPR:
- Encryption at rest: Sensitive fields encrypted with AES-256-GCM. Passwords hashed with bcrypt.
- Encryption in transit: All communications secured via TLS 1.2+ / HTTPS.
- Access control: JWT-based authentication with short-lived tokens. Role-based access control for team members.
- Infrastructure: Hosted exclusively in the EU (AWS eu-central-1, Frankfurt). PostgreSQL/TimescaleDB with automated backups.
- Audit logging: Critical account actions logged for security monitoring and incident response.
- IP address handling: IP addresses are processed in memory for geolocation only and never persisted to storage.
- Zero device storage by default: In memory mode (default), no cookies, no localStorage, no sessionStorage, no cross-site tracking, no fingerprinting. Minimizes Personal Data exposure by design.
6. Sub-Processors
The Customer authorizes the use of the following sub-processors. We will notify the Customer of any changes to this list at least 30 days before engaging a new sub-processor.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, and storage | EU (Frankfurt, eu-central-1) |
| Stripe, Inc. | Payment processing and subscription management | USA (with EU data processing) |
| LemonSqueezy | Payment processing (alternative provider) | USA (with EU data processing) |
| Paddle | Payment processing (alternative provider) | UK/USA (with EU data processing) |
| Polar | Payment processing (alternative provider) | USA (with EU data processing) |
| MaxMind, Inc. | GeoIP database (offline, no API calls — no data leaves our servers) | N/A (local database) |
| SMTP Email Provider | Transactional emails (verification, password reset, invitations) | EU |
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling requests from Data Subjects exercising their rights under GDPR Articles 15–22, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
Upon receiving a data subject request, the Processor will notify the Controller within 5 business days and provide reasonable assistance in responding. The Processor will not respond directly to Data Subjects unless instructed by the Controller or required by law.
8. Data Breach Notification
In the event of a Personal Data breach (as defined in Article 4(12) GDPR), the Processor shall:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provide sufficient detail to enable the Controller to fulfill its own reporting obligations under Article 33 GDPR
- Describe the nature of the breach, affected data categories, approximate number of Data Subjects, likely consequences, and mitigation measures taken
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
9. International Data Transfers
All primary data processing occurs within the European Union. Where Personal Data is transferred to sub-processors outside the EEA — including our US-based payment processors (Stripe, Inc., LemonSqueezy, Paddle, and Polar) as listed in Section 6 — we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) as approved by the European Commission
- The sub-processor's participation in recognized data protection frameworks (e.g., EU-US Data Privacy Framework)
- Supplementary technical measures such as encryption and pseudonymization as applicable
10. Audits & Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28 obligations. The Controller may conduct audits (or appoint an independent auditor) subject to:
- Reasonable advance written notice (at least 30 days)
- Audits being conducted during normal business hours
- The Controller bearing the costs of the audit unless the audit reveals material non-compliance
- The auditor executing a confidentiality agreement satisfactory to the Processor
11. Data Deletion & Return
Upon termination of the Service agreement or upon written request by the Controller:
- The Processor will provide the Controller with the ability to export their analytics data in CSV format within 30 days
- After the 30-day export window, the Processor will permanently delete all Customer Data from active systems
- Backup copies will be purged within 90 days of the deletion request, unless retention is required by law
12. Liability
Each party's liability arising under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law where such limitation is not permitted under applicable law.
13. General Provisions
- This DPA is governed by the same law as the Terms of Service.
- In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection matters.
- Any amendments to this DPA must be in writing and agreed by both parties.
- If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14. Contact
For questions regarding this DPA or to exercise any rights under it, please contact: