LiteStats iconLitestats

Data Processing Agreement

Last updated: 9 July 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Use between LiteStats ("Processor", "we", "us"), a sole trader registered in Ireland, and you ("Controller", "you", "your") for the provision of the LiteStats analytics service.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under the UK GDPR. By creating a LiteStats account, you agree to this DPA.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and purpose of processing

The Processor processes data on behalf of the Controller for the sole purpose of providing web analytics services as described in the Terms of Use. The categories of data processed include:

  • Page URLs and referrer URLs from website visitors
  • Browser, operating system, and device type information (derived from user agent strings)
  • Country of origin (derived from IP geolocation at the point of collection — IP addresses are discarded immediately and never stored)
  • UTM campaign parameters
  • Session identifiers (random UUIDs, non-persistent, cleared when the browser tab closes)
  • Timestamps and session duration data

Note: LiteStats is specifically designed so that the data listed above does not constitute Personal Data under normal circumstances, as it cannot be used to identify a natural person. However, this DPA applies to the fullest extent any processed data could be considered Personal Data under applicable law.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EU/EEA, unless required by applicable law
  • Ensure that all persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organisational security measures in accordance with Article 32 GDPR, as detailed in Section 4
  • Not engage another sub-processor without prior general written authorisation of the Controller (see Section 5). The Controller hereby provides general authorisation for the sub-processors listed in Section 5.
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by appropriate technical and organisational measures
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation)
  • At the Controller's choice, delete or return all Personal Data upon termination of the service, and delete existing copies unless applicable law requires storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits
  • Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes GDPR or other applicable data protection provisions

4. Security measures

The Processor implements the following technical and organisational security measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encrypted database connections between application and database servers
  • Access controls with the principle of least privilege — only the Processor has access to production systems
  • All infrastructure hosted within the EU (Hetzner, Germany) with physical security provided by Hetzner's ISO 27001 certified data centres
  • Input validation, sanitisation, and rate limiting on all API endpoints
  • Automated bot detection and filtering
  • Regular security updates and patching of all system components
  • No storage of IP addresses, device fingerprints, or other direct personal identifiers
  • Session-based authentication with automatic expiry

5. Sub-processors

The Controller hereby authorises the use of the following sub-processors. The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

Sub-processorPurposeData locationTransfer safeguard
Hetzner Online GmbHServer infrastructure, application hosting, ClickHouse and PostgreSQL databasesGermany, EUN/A (EU)
Stripe Inc.Payment processing (paid plans only)USAEU-US Data Privacy Framework, SCCs
Amazon Web Services (SES)Transactional email delivery (authentication emails)EU (eu-west-1, Ireland)N/A (EU)

The Processor shall notify the Controller by email at least 30 days before adding or replacing sub-processors, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds, the Processor shall work with the Controller to find an alternative solution. If no resolution is possible, the Controller may terminate the service.

6. International transfers

All core data infrastructure (application servers, analytics database, user database) is located within the European Union (Germany), hosted by Hetzner Online GmbH. Analytics data and account data do not leave the EU.

Where Personal Data is transferred outside the EU/EEA (limited to Stripe for payment processing), the Processor ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914)
  • The EU-U.S. Data Privacy Framework, where the sub-processor is certified
  • Supplementary technical and organisational measures as appropriate

7. Data breach notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Data Breach affecting Personal Data processed on behalf of the Controller. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the Processor's data protection contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Data Breach.

8. Data subject requests

The Processor shall promptly (and in any event within 5 business days) notify the Controller if it receives a request from a data subject to exercise their rights under GDPR. The Processor shall not respond to the data subject directly unless instructed by the Controller, except to acknowledge receipt of the request. The Processor shall assist the Controller in fulfilling such requests by appropriate technical and organisational measures, taking into account the nature of processing.

9. Data protection impact assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and prior consultations with supervisory authorities that the Controller is required to carry out under Articles 35 and 36 GDPR, taking into account the nature of processing and the information available to the Processor.

10. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations under Article 28 GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice (minimum 30 days) and during normal business hours. The Controller shall bear the cost of any audit.

11. Duration and termination

This DPA remains in effect for the duration of the service agreement between the parties. Upon termination of the service for any reason:

  • The Controller may request a data export (available via the dashboard or by contacting privacy@litestats.io) before data deletion
  • All Personal Data shall be permanently deleted within 30 days of the termination date
  • The Processor shall provide written confirmation of deletion upon request
  • The Processor may retain data to the extent required by applicable law (e.g. tax records), in which case the data protection obligations of this DPA continue to apply

12. Liability

Each party is liable for damage caused by processing that infringes the GDPR, in accordance with Article 82 GDPR. The Processor's liability under this DPA is subject to the limitations set forth in the Terms of Use, except to the extent such limitations are prohibited by applicable law.

13. Governing law

This DPA is governed by the laws of Ireland and subject to the exclusive jurisdiction of the courts of Ireland, without prejudice to the rights of data subjects under applicable data protection law.

14. Contact

For questions about this DPA or to exercise your rights, contact us at privacy@litestats.io.