Data Processing Agreement
Last updated July 14, 2026
This Data Processing Agreement ("DPA") forms part of our Terms of Service between TrackTrendy ("we", "us", the "processor") and the customer using the Service ("you", the "controller"). It applies whenever we process personal data on your behalf under the GDPR - in particular, data about the visitors to the websites you track.
1. Roles and scope
You are the data controller for the data collected from visitors to the websites you connect to the Service. Our tracking script is cookieless and privacy-first: it records page views, referrers, device and browser information, and approximate location (country level). We process that data only to provide the Service to you.
For the personal data in your own TrackTrendy account (your name, email, billing details), we act as the controller - see our Privacy Policy.
2. Instructions
We process visitor data only on your documented instructions - which are, in the first place, our Terms and your configuration of the Service - unless EU or member-state law requires otherwise, in which case we inform you before processing.
3. Confidentiality
Anyone we authorise to process personal data is bound by a contractual or statutory duty of confidentiality.
4. Security
- Data is hosted on servers in the European Union.
- All traffic is encrypted in transit (TLS); credentials are stored hashed.
- Access to production systems is limited to authorised personnel and protected accounts.
- Automated backups are kept on separate storage.
5. Subprocessors
You authorise the following subprocessors:
- Hetzner Online GmbH (Germany) - hosting.
- Cloudflare, Inc. (USA) - CDN, DNS, and security.
- Stripe, Inc. (USA) - payment processing.
- Amazon Web Services (SES) (EU region) - email delivery (reports, notifications).
- Anthropic, PBC (USA) - AI assistant features.
Subprocessors outside the EU are engaged under appropriate safeguards (Standard Contractual Clauses or an adequacy decision such as the EU–US Data Privacy Framework). We give notice before adding or replacing a subprocessor; you may object on reasonable data-protection grounds.
6. Assistance
Taking into account the nature of the processing, we assist you in responding to data-subject requests (access, rectification, erasure, objection) and in meeting your security, breach, and impact-assessment obligations.
7. Personal data breaches
We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information reasonably needed for your own notification obligations.
8. Deletion and return
On termination of your account we delete the visitor data we process on your behalf within 30 days, unless EU or member-state law requires longer storage. Deleting a site from your dashboard removes its analytics data in the same way.
9. Audit
We make available the information reasonably necessary to demonstrate compliance with this DPA and allow audits you reasonably request, at your cost and with reasonable notice.
10. Duration and contact
This DPA applies for as long as we process personal data on your behalf. If you have any questions, contact us at [email protected].