Data Processing Agreement

Last updated: 30 January 2026

Poterna Ltd (124 City Road, London, EC1V 2NX) is the Data Processor; you (the website owner/customer) are the Data Controller. We follow UK GDPR and EU GDPR rules and are committed to protecting privacy. This DPA explains how we handle your website’s analytics data.

Data Processing Purpose

We collect only anonymized event data by default to deliver your website analytics, including smart signals and dashboards. We process this data solely to provide the analytics service on your behalf. We do not use the data for any other purposes – no advertising, no profiling, no resale.

By default, we never collect or store personal identifiers. We do not store IP addresses and do not use cookies or any persistent identifiers. We process only anonymized event-level data and never build individual visitor profiles from our default collection.


Customer-Provided Data (Optional)

Our service allows you (the Data Controller) to optionally pass additional user properties to our analytics script. We do not automatically collect any personal data – this only occurs if you explicitly choose to send it to us.

These optional properties may include personal data such as user identifiers, email addresses, names, or any other information you choose to share. When you pass such data to us:

• You remain the Data Controller for all personal data passed to us

• You are responsible for determining the lawful basis for processing this data

• We process this data solely as your Data Processor, according to your instructions

• We apply the same security and confidentiality measures to this data as to all other data

• This data is subject to the same retention and deletion policies


In-App Support Data

We provide a support widget within the Poterna dashboard for logged-in customers. When you use this feature to contact support, we transfer your account email address to our support platform provider to identify you and manage your support request. For this data:

• We act as Data Controller for customer support communications

• Our subprocessor processes this data under appropriate data protection agreements

• We use this data solely to respond to and manage support inquiries

• We retain this data only as long as necessary


Categories of Data Processed

1. Anonymized Analytics Data (default): Page URLs, referrers, browser/OS info, device type, approximate location, timestamps, anonymous click events

2. Customer-Provided User Properties (optional, only if you send it): Any additional data you choose to pass via our script

3. Customer Account & Support Data: Your account email and support correspondence

Data Ownership

You own all of your analytics data, and we obtain no rights to it. We don’t sell, share, or advertise with your data. Your data stays yours: Poterna only uses it to generate the stats and charts you see in your dashboard.

We may use trusted third-party subprocessors (e.g. hosting or infrastructure providers) to help run our service. Any subprocessor we use is bound by the same data protection obligations: they can only process your data to support the analytics service and may not use it for any other purpose. We maintain an up-to-date list of our subprocessors, available upon request. You will be notified in advance of any changes so you have the opportunity to review or object.

Your analytics data is retained only as long as needed for the service. You can delete your account or site stats by contacting us; this permanently erases all your analytics data. Once deleted, the data cannot be recovered. If you cancel your service, we will promptly delete all of your data, except any information we must keep by law (e.g. billing records).

Security and Confidentiality

Your analytics data is stored in secure data centers. If any data is transferred outside the UK/EU (for example, to cloud servers), we ensure an adequate legal safeguard is in place. We rely on EU-approved Standard Contractual Clauses (SCCs) or similar mechanisms for international transfers, which provide the same data protection guarantees required by GDPR.

We use industry-standard security measures (encryption in transit and at rest, firewalls, access controls, etc.) to protect your data. Only authorized personnel can access the systems that process analytics data, and all have confidentiality obligations. We regularly update and audit our systems to keep data safe.

In the unlikely event of a data breach (e.g. accidental loss, unauthorized access, etc.), we will notify you without undue delay, and no later than 48 hours after we become aware of it. We will describe the incident, its impact on your data, and the measures we are taking to contain and mitigate the breach.

Controller Assistance

We only process your data based on your instructions — for example, when you embed our script, configure settings, or request changes. These instructions can come through your use of the dashboard, written requests, or as described in our Terms and this DPA.

If any visitor exercises their privacy rights (such as deletion or access requests), we will promptly forward the request to you so you can respond. We will assist you with any enquiries or filings (e.g. Data Protection Impact Assessments) that you need to make. We will also cooperate with your auditors: upon request we can provide information or allow audits/inspections to verify that we comply with our obligations.

Your Responsibilities

As the Data Controller, you ensure that your collection of visitor data and use of our analytics is lawful. You are responsible for providing relevant privacy notices to data subjects.

If you choose to pass custom user properties containing personal data, you are additionally responsible for: determining a valid legal basis; providing privacy notices; obtaining consent where required; responding to data subject rights requests; and ensuring data accuracy.



This DPA is governed by the laws of England and Wales. Any disputes related to this agreement will be decided in the courts of England and Wales.