BetterlyticsBetterlytics

Data Processing Agreement (DPA)

Last updated: November 12, 2025

This document is provided in multiple languages for convenience. In case of discrepancies, the English version shall prevail.

1.Scope of This DPA

1.1This Data Processing Agreement (“DPA”) forms part of the Betterlytics Terms of Service and governs the processing of data when you use the Betterlytics hosted cloud service available at betterlytics.io and our official domains. This DPA does not apply to self-hosted installations of our open source software; if you self-host Betterlytics, you are responsible for your own data processing agreements and compliance with applicable laws.

1.2This DPA applies to the processing of website visitor data collected via Betterlytics analytics scripts, including both:

  • 1.3Anonymous data (default, anonymized analytics), and
  • 1.4Personal or pseudo-anonymous data (optional features, or any accidental inclusion of personal or pseudo-anonymous data in URLs, query parameters, or event payloads), e.g., session replay, custom identifiers, or custom events.

2.Definitions

  • 2.1"Data Controller": You (the customer) who determines the purposes and means of processing data from your website visitors.
  • 2.2"Data Processor": Betterlytics, who processes data on your behalf according to your instructions and this DPA.
  • 2.3"Processing": Collection, storage, analysis, and reporting of website visitor data.
  • 2.4"Personal Data": Any information relating to an identified or identifiable natural person. In Betterlytics, this includes any data collected via optional features or accidentally included in default tracking (URLs, query parameters, or event payloads).
  • 2.5"Subprocessor": Any third-party service engaged by Betterlytics to assist with data processing.

3.Data Processing Details

3.1Nature and Purpose

  • 3.1.1Providing analytics on website traffic and visitor behavior.
  • 3.1.2Generating aggregated reports on website traffic and usage patterns
  • 3.1.3Detecting and filtering bot traffic for accurate statistics

3.2Categories of Data

3.2.1Anonymous data (default):

  • Anonymized IP addresses (last octet removed immediately)
  • Bucketed screen resolutions (small/medium/large categories)
  • Browser and operating system information
  • Country and City-level geographic data
  • Page URLs and referrer information
  • Daily-rotating visitor fingerprints (anonymous identification)

3.2.2Optional personal/pseudo-anonymous data:

  • Session replay data containing user interaction details
  • Custom event data containing user identifiers or PII
  • Visitor identifiers or custom identifiers
  • Potential personal/pseudo-anonymous data (via optional features or accidental inclusion in default tracking)

3.3Data Subjects

  • 3.3.1Website visitors whose data is captured by the Betterlytics scripts.
  • 3.3.2When only anonymous data is collected, data subjects cannot be identified.
  • 3.3.3For optional features or accidental inclusion of personal/pseudo-anonymous data, data subjects may be identifiable. The Data Controller is responsible for lawful processing.

3.4Processing Location

3.4.1All processing occurs on servers located within the European Union.

4.Obligations of the Data Controller

4.1The Data Controller must:

  • Ensure that its use of Betterlytics is lawful under GDPR, CCPA, and other applicable data protection laws.
  • Determine the lawful basis for processing personal/pseudo-anonymous data collected via optional features or accidentally in default tracking.
  • Update its website privacy policy to disclose the use of Betterlytics and any optional features that may collect personal or pseudo-anonymous data.
  • Mask or remove personal data from URLs, query parameters, or custom events to prevent accidental collection.
  • Ensure that end users are provided appropriate privacy notices and consent mechanisms where required.

5.Obligations of the Data Processor (Betterlytics)

Betterlytics will:

  • 5.1Process data only on documented instructions from the Data Controller.
  • 5.2Implement appropriate technical and organizational measures to ensure data security, including:
  • TLS 1.2/1.3 encryption for data in transit
  • Industry-standard encryption for data at rest
  • Access controls limiting data access to authorized personnel only
  • EU-based servers in secure data centers
  • Immediate IP anonymization at data collection point
  • 5.3Assist the Data Controller in responding to requests from data subjects when personal/pseudo-anonymous data is processed.
  • 5.4Delete all analytics data immediately upon account deletion.

6.Subprocessors

6.1Betterlytics may engage subprocessors to perform parts of the processing, including:

  • EU-based cloud hosting and infrastructure providers
  • Payment processors (for account billing)
  • Email delivery services

6.2Betterlytics will maintain a current list of subprocessors and notify the Data Controller of any additions or changes.

7.Data Subject Rights

  • 7.1For anonymous data: Data subject rights do not apply, as individuals cannot be identified.
  • 7.2When personal or pseudo-anonymous data is collected—whether through optional features (e.g., session replay, custom identifiers, custom events) or accidentally included in default tracking (URLs, query parameters, or event payloads)—Betterlytics will assist the Data Controller in fulfilling data subject rights under GDPR. This includes requests for access, correction, deletion, restriction of processing, or objection, as applicable.

8.Data Breach Notification

8.1In the unlikely event of a security incident affecting our service:

  • Betterlytics will notify the Data Controller within 72 hours of discovering any personal data breach affecting optional features that process personal/pseudo-anonymous data.
  • Notifications will include details of the breach, potential impact, and mitigation measures.

9.Data Deletion

9.1Account Deletion

All data, including optional personal/pseudo-anonymous data, is permanently deleted immediately.

9.2Subscription Cancellation

Data is retained for 1 month in case the account is reactivated, then permanently deleted.

10.Liability and Indemnification

  • 10.1Betterlytics is liable only for processing performed outside the instructions of the Data Controller or in breach of this DPA.
  • 10.2The Data Controller is responsible for ensuring lawful use of optional features that may process personal or pseudo-anonymous data.
  • 10.3Data Controller agrees to indemnify Betterlytics for any claims arising from unlawful use of any feature provided by Betterlytics.

11.Miscellaneous

  • 11.1This DPA forms part of the Terms of Service.
  • 11.2Any disputes regarding data processing will be governed by the laws of the European Union, with courts in Copenhagen, Denmark having exclusive jurisdiction.
  • 11.3This DPA is effective as of the last update date above and remains in effect while the customer uses Betterlytics services.

Contact for DPA Matters

For questions about this DPA or data processing practices:

Legal inquiries: legal@betterlytics.io

Technical questions: support@betterlytics.io

This DPA is automatically accepted when you use Betterlytics and forms part of our Terms of Service. 🇪🇺 Anonymous-by-design analytics - Made and hosted in the European Union