Data Processing Agreement
Last updated: 11 November 2025
Poterna Ltd (124 City Road, London, EC1V 2NX) is the Data Processor; you (the website owner/customer) are the Data Controller. We follow UK GDPR and EU GDPR rules and are committed to protecting privacy. This DPA explains how we handle your website’s analytics data.
Data Processing Purpose
We collect only anonymized event data to deliver your website analytics. We process this data solely to provide the analytics service on your behalf (and only as you instruct us). We do not use the data for any other purposes – no advertising, no profiling, no resale.
We never collect or store personal identifiers. We do not store IP addresses and do not use cookies or any persistent identifiers. We process only anonymized event-level data and never store any personal identifiers. While some events are logged individually (e.g. pageviews or clicks), we only use them to generate aggregate statistics — we never build individual visitor profiles. In fact, our system hashes and discards IP/agent info immediately, so it’s impossible to identify any individual from your analytics data.
Data Ownership
You own all of your analytics data, and we obtain no rights to it. We don’t sell, share, or advertise with your data. Your data stays yours: Poterna only uses it to generate the stats and charts you see in your dashboard.
We may use trusted third-party subprocessors (e.g. hosting or infrastructure providers) to help run our service. Any sub-processor we use is bound by the same data protection obligations: they can only process your data to support the analytics service and may not use it for any other purpose. We maintain an up-to-date list of our sub-processors, available upon request. You will be notified in advance of any changes so you have the opportunity to review or object.
Your analytics data is retained only as long as needed for the service. You can delete your account or site stats by contacting us; this permanently erases all your analytics data. Once deleted, the data cannot be recovered. If you cancel your service, we will promptly delete all of your data, except any information we must keep by law (e.g. billing records).
Security and Confidentiality
Your analytics data is stored in secure data centers. If any data is transferred outside the UK/EU (for example, to cloud servers), we ensure an adequate legal safeguard is in place. We rely on EU-approved Standard Contractual Clauses (SCCs) or similar mechanisms for international transfers, which provide the same data protection guarantees required by GDPR.
We use industry-standard security measures (encryption in transit and at rest, firewalls, access controls, etc.) to protect your data. Only authorized personnel can access the systems that process analytics data, and all have confidentiality obligations. We regularly update and audit our systems to keep data safe.
In the unlikely event of a data breach (e.g. accidental loss, unauthorized access, etc.), we will notify you without undue delay, and no later than 48 hours after we become aware of it. We will describe the incident, its impact on your data, and the measures we are taking to contain and mitigate the breach.
Controller Assistance
We only process your data based on your instructions — for example, when you embed our script, configure settings, or request changes. These instructions can come through your use of the dashboard, written requests, or as described in our Terms and this DPA.
If any visitor exercises their privacy rights (such as deletion or access requests), we will promptly forward the request to you so you can respond. We will assist you with any enquiries or filings (e.g. Data Protection Impact Assessments) that you need to make. We will also cooperate with your auditors: upon request we can provide information or allow audits/inspections to verify that we comply with our obligations.
Your Responsibilities
As the Data Controller, you ensure that your collection of visitor data and use of our analytics is lawful. You are responsible for providing relevant privacy notices to data subjects as may be required in your jurisdiction. You also make the necessary legal judgments (e.g. lawful basis for analytics) and notify any regulator if required. But for anything involving the data we process for you, just let us know your instructions and we will follow them.
This DPA is governed by the laws of England and Wales. Any disputes related to this agreement will be decided in the courts of England and Wales.