
Data Processing Addendum

Thank you for choosing Litlyx Analytics! We are dedicated to maintaining the privacy, security, and integrity of your data in accordance with the most stringent data protection regulations, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Privacy and Electronic Communications Regulations (PECR).


This DPA serves as an addendum to the Terms of Service between Litlyx Analytics and you, the customer, and outlines our mutual responsibilities for processing personal and non-personal data in relation to the use of our analytics service. By using our services, you agree to the terms outlined in this DPA.

Definitions


To ensure clarity, this DPA defines several key terms:

  • “Customer” or “Controller” refers to the organization, company, or individual that subscribes to Litlyx Analytics services and controls the data.
  • “Litlyx Analytics” or “Processor” refers to the service provider responsible for processing data on behalf of the customer.
  • “Data Protection Legislation” refers to all applicable laws governing data protection and privacy, including the GDPR, CCPA, PECR, and any other relevant jurisdiction-specific laws.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” refers to any operation performed on data, whether automated or not, including collecting, storing, organizing, altering, or erasing such data.
  • “Subprocessor” refers to any third-party service provider used by Litlyx Analytics to assist with processing data on behalf of the customer.
  • “Data Breach” refers to any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Scope and Duration


This DPA governs the processing of all data (whether personal or non-personal) collected and processed by Litlyx Analytics on behalf of the customer as part of providing analytics services. This agreement is effective for the entire period the customer uses Litlyx Analytics services, and it automatically terminates upon the cessation of service unless explicitly stated otherwise.


Nature, Purpose, and Categories of Data Processing


Litlyx Analytics is designed as a privacy-conscious analytics platform. As such, we intentionally avoid the collection of personal data whenever possible, focusing instead on anonymous and aggregated data to deliver valuable insights about website traffic. The primary purpose of processing this data is to provide you with analytics that help monitor website performance, user behavior, and general trends.


The types of data we process include, but are not limited to:


  • Page URLs: We track the specific pages visited on your website to determine page popularity and user behavior.
  • HTTP Referrers: This helps identify the source of your website traffic by noting the referring website.
  • Browser and Operating System Information: Basic details on visitors' browser and OS help assess how visitors interact with your site, ensuring compatibility and performance optimization.
  • Device Type: We categorize whether a visitor uses a desktop, mobile, or tablet device.
  • Geolocation: We identify only the country or region of visitors based on their IP address, which is anonymized immediately upon collection.

Importantly, Litlyx Analytics does not collect personal data, persistent identifiers, or cookies. All data processed is anonymized and aggregated, ensuring that no data can be linked to an identifiable individual.

Roles and Responsibilities of the Parties


  • Customer (Data Controller): As the data controller, the customer is responsible for determining the purpose and legal basis for collecting and processing data. The customer must ensure compliance with applicable data protection laws, including providing the necessary disclosures and obtaining any required consents from data subjects.
  • Litlyx Analytics (Data Processor): As the data processor, Litlyx Analytics processes data solely according to the customer’s instructions, as outlined in this DPA and the Terms of Service. We commit to ensuring that all data processing activities are carried out in compliance with GDPR and other applicable regulations, prioritizing the privacy and security of the data processed on behalf of the customer.

Security Measures to Protect Data


At Litlyx Analytics, we employ rigorous security measures to protect the data entrusted to us. These measures include:


  • Data Encryption: All data is encrypted both in transit (using HTTPS) and at rest, preventing unauthorized access during transmission and storage.
  • Data Anonymization and Minimization: We use hashing techniques to anonymize sensitive data points, such as IP addresses and User-Agent strings. No raw IP addresses are stored. We apply a daily salt to ensure data cannot be linked across sessions or days, further protecting visitor privacy.
  • Secure Hosting Environment: All data is securely hosted on Hetzner servers located in Nuremberg, Germany. These servers are powered by 100% renewable energy and comply with strict European Union data protection laws.
  • Access Controls: Access to customer data is restricted to authorized personnel only, all of whom are trained in data protection protocols. We implement role-based access controls and ensure that sensitive data can only be accessed by individuals who need it to provide support or maintain the service.
  • Backups and Data Replication: Regular backups are taken to ensure data availability in case of a disaster. These backups are encrypted and stored securely within the European Union.

Use of Subprocessors


Litlyx Analytics uses a limited number of subprocessors to facilitate the delivery of our services. These subprocessors are subject to rigorous data protection assessments and are bound by contractual agreements that enforce the same level of privacy protection as outlined in this DPA. The key subprocessors we work with include:


  • Hetzner Online GmbH (Germany): Provides secure server hosting for all data, ensuring compliance with EU data protection laws.
  • MongoDB, Inc. (United States): Provides secure database hosting and management. MongoDB adheres to strict data protection standards, with data stored in compliance with relevant privacy regulations. We use our self-hosted version of MongoDB, hosted on Hetzner servers.
  • Stripe, Inc. (United States): Handles payment processing for Litlyx Analytics. Stripe is GDPR-compliant and ensures secure transactions and fraud prevention.
  • Google LLC (United States): Manages authentication services through Google Auth, allowing secure user login. Google Auth follows stringent data protection standards, including GDPR compliance.
  • Brevo SAS (formerly Sendinblue) (France): Manages email communication services. Brevo ensures that all data processing for email campaigns adheres to GDPR and other privacy regulations.

We will inform you of any changes to our subprocessors and provide you with the option to object if necessary. Any objection must be based on legitimate grounds relating to data protection.

Notification of Data Breaches


In the event that Litlyx Analytics becomes aware of a data breach involving customer data, we will notify you without undue delay and, in any event, within 48 hours of becoming aware of the breach. This notification will include:


  • A detailed description of the breach and its nature.
  • The likely consequences of the breach.
  • The measures we have taken or plan to take to mitigate the breach and prevent future occurrences.

We will provide ongoing updates as more information becomes available, and we will assist you in meeting any legal obligations related to the breach, including notification to relevant supervisory authorities and data subjects where required.

Data Subject Rights and Assistance


As the data controller, the customer is responsible for addressing data subject requests (e.g., access, correction, deletion). However, Litlyx Analytics is committed to assisting you in responding to such requests whenever applicable. Although we do not process personal data directly, we will support you in ensuring compliance with GDPR, CCPA, or other applicable data protection laws by ensuring data is handled securely and anonymized effectively.

Data Retention and Deletion Policy


Data processed by Litlyx Analytics is retained for as long as necessary to provide the services specified in the agreement. Once your account is terminated or you issue a request for data deletion, we will follow the data deletion procedures outlined below:

  • Account Deletion: All data, including backups, will be permanently deleted from our servers within 60 days.
  • Deletion of Specific Data: If you request the deletion of specific data, we will execute this request in compliance with GDPR or applicable regulations.

Once deleted, the data cannot be recovered, as we do not store any backup copies beyond this retention period.

Customer’s Obligations


The customer, as the data controller, agrees to:

  • Comply with all applicable data protection laws, including the obligation to provide adequate privacy notices to data subjects and obtain any necessary consents where required.
  • Ensure that any data provided to Litlyx Analytics is lawfully obtained and processed.
  • Ensure that its use of Litlyx Analytics services does not violate any applicable laws or regulations.

The customer is solely responsible for determining the lawful basis for processing visitor data, whether that basis is consent, legitimate interest, or other grounds under applicable laws.

Limitation of Liability and Indemnity


Both parties agree to indemnify and hold each other harmless from any claims, damages, or losses arising from a breach of this DPA. Litlyx Analytics shall not be liable for any indirect or consequential damages, including loss of profits, resulting from the processing of customer data, except where required by law.

Termination of Agreement


This DPA will automatically terminate upon the end of the customer’s relationship with Litlyx Analytics, either through account deletion or termination of services. Upon termination, all customer data will be permanently deleted in accordance with the data retention policy specified in this DPA.

Governing Law and Dispute Resolution


This DPA is governed by the laws of the European Union and any relevant Member State laws. Any disputes arising under this agreement shall be subject to the exclusive jurisdiction of the courts of the European Union or the applicable national courts of the Member State in question.

Contact Information


If you have any questions, concerns, or requests related to this DPA, data protection, or the services provided by Litlyx Analytics, please contact our Data Protection Officer (DPO) at privacy@litlyx.com.

Last updated: September 25, 2024