Data Processing Agreement

Last updated: 6 February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between LiteStats ("Processor", "we", "us") and you ("Controller", "you", "your") for the provision of the LiteStats analytics service.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under the UK GDPR.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

The Processor processes data on behalf of the Controller for the purpose of providing web analytics services. The categories of data processed include:

  • Page URLs and referrer URLs from website visitors
  • Browser, operating system, and device type information
  • Country of origin (derived from IP geolocation — IP addresses are not stored)
  • UTM campaign parameters
  • Session identifiers (random UUIDs, non-persistent)
  • Timestamps and session duration data

Note: LiteStats is designed so that the data listed above does not constitute Personal Data under normal circumstances. However, this DPA applies to the extent any processed data could be considered Personal Data.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers outside the EU/EEA
  • Ensure that persons authorised to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organisational security measures in accordance with Article 32 GDPR
  • Not engage another processor without prior specific or general written authorisation of the Controller
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, impact assessments)
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Security measures

The Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of data at rest
  • Access controls with principle of least privilege
  • Regular security updates and patching
  • Input validation and rate limiting on all API endpoints
  • Bot detection and filtering
  • No storage of IP addresses or other direct identifiers

5. Sub-processors

The Controller authorises the use of the following sub-processors:

  Sub-processor | Purpose                             | Location
  --------------|-------------------------------------|------------------------------------------
  Supabase Inc. | Database hosting and authentication | USA (with EU data processing options)
  Vercel Inc.   | Application hosting and CDN         | USA / Global edge network
  Stripe Inc.   | Payment processing                  | USA

The Processor shall notify the Controller before adding or replacing sub-processors, giving the Controller the opportunity to object.

6. International transfers

Where Personal Data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • The EU-US Data Privacy Framework where applicable
  • Supplementary measures as required by the Schrems II decision

7. Data breach notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected
  • The name and contact details of the Processor's point of contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

8. Data subject requests

The Processor shall promptly notify the Controller if it receives a request from a data subject to exercise their rights under GDPR. The Processor shall assist the Controller in fulfilling such requests, taking into account the nature of processing.

9. Duration and termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • All Personal Data shall be deleted within 30 days
  • The Processor shall provide written confirmation of deletion upon request
  • The Controller may request a data export before deletion

10. Liability

Liability under this DPA is subject to the limitations set forth in the Terms of Use. Each party is liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR.

11. Contact

For questions about this DPA, contact us at privacy@litestats.io.