Thank you for choosing Litlyx Analytics! We are dedicated to maintaining the privacy, security,
and integrity of your data in accordance with the most stringent data protection regulations,
including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA),
and Privacy and Electronic Communications Regulations (PECR).
This DPA serves as an addendum to the Terms of Service between Litlyx Analytics and you, the
customer, and outlines our mutual responsibilities for processing personal and non-personal data
in relation to the use of our analytics service. By using our services, you agree to the terms
outlined in this DPA.
Definitions
To ensure clarity, this DPA defines several key terms:
- “Customer” or “Controller” refers to the organization, company, or individual that
subscribes to Litlyx Analytics services and controls the data.
- “Litlyx Analytics” or “Processor” refers to the service provider responsible for processing
data on behalf of the customer.
- “Data Protection Legislation” refers to all applicable laws governing data protection and
privacy, including the GDPR, CCPA, PECR, and any other relevant jurisdiction-specific laws.
- “Personal Data” means any information relating to an identified or identifiable natural
person.
- “Processing” refers to any operation performed on data, whether automated or not, including
collecting, storing, organizing, altering, or erasing such data.
- “Subprocessor” refers to any third-party service provider used by Litlyx Analytics to assist
with processing data on behalf of the customer.
- “Data Breach” refers to any breach of security leading to accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Scope and Duration
This DPA governs the processing of all data (whether personal or non-personal) collected and
processed by Litlyx Analytics on behalf of the customer as part of providing analytics services.
This agreement is effective for the entire period the customer uses Litlyx Analytics services,
and it automatically terminates upon the cessation of service unless explicitly stated
otherwise.
Nature, Purpose, and Categories of Data Processing
Litlyx Analytics is designed as a privacy-conscious analytics platform. As such, we intentionally
avoid the collection of personal data whenever possible, focusing instead on anonymous and
aggregated data to deliver valuable insights about website traffic. The primary purpose of
processing this data is to provide you with analytics that help monitor website performance,
user behavior, and general trends.
The types of data we process include, but are not limited to:
- Page URLs: We track the specific pages visited on your website to determine page
popularity and user behavior.
- HTTP Referrers: This helps identify the source of your website traffic by noting the
referring website.
- Browser and Operating System Information: Basic details on visitors' browser and OS help
assess how visitors interact with your site, ensuring compatibility and performance
optimization.
- Device Type: We categorize whether a visitor uses a desktop, mobile, or tablet device.
- Geolocation: We identify only the country or region of visitors based on their IP address,
which is anonymized immediately upon collection.
Importantly, Litlyx Analytics does not collect personal data, persistent identifiers, or cookies.
All data processed is anonymized and aggregated, ensuring that no data can be linked to an
identifiable individual.
Roles and Responsibilities of the Parties
- Customer (Data Controller): As the data controller, the customer is responsible for
determining the purpose and legal basis for collecting and processing data. The customer
must ensure compliance with applicable data protection laws, including providing the
necessary disclosures and obtaining any required consents from data subjects.
- Litlyx Analytics (Data Processor): As the data processor, Litlyx Analytics processes data
solely according to the customer’s instructions, as outlined in this DPA and the Terms of
Service. We commit to ensuring that all data processing activities are carried out in
compliance with GDPR and other applicable regulations, prioritizing the privacy and security
of the data processed on behalf of the customer.
Security Measures to Protect Data
At Litlyx Analytics, we employ rigorous security measures to protect the data entrusted to us.
These measures include:
- Data Encryption: All data is encrypted both in transit (using HTTPS) and at rest,
preventing unauthorized access during transmission and storage.
- Data Anonymization and Minimization: We use hashing techniques to anonymize sensitive data
points, such as IP addresses and User-Agent strings. No raw IP addresses are stored. We
apply a daily salt to ensure data cannot be linked across sessions or days, further
protecting visitor privacy.
- Secure Hosting Environment: All data is securely hosted on Hetzner servers located in
Nuremberg, Germany. These servers are powered by 100% renewable energy and comply with
strict European Union data protection laws.
- Access Controls: Access to customer data is restricted to authorized personnel only, all
of whom are trained in data protection protocols. We implement role-based access controls
and ensure that sensitive data can only be accessed by individuals who need it to provide
support or maintain the service.
- Backups and Data Replication: Regular backups are taken to ensure data availability in
case of a disaster. These backups are encrypted and stored securely within the European
Union.
Use of Subprocessors
Litlyx Analytics uses a limited number of subprocessors to facilitate the delivery of our
services. These subprocessors are subject to rigorous data protection assessments and are bound
by contractual agreements that enforce the same level of privacy protection as outlined in this
DPA.
The key subprocessors we work with include:
- Hetzner Online GmbH (Germany): Provides secure server hosting for all data, ensuring
compliance with EU data protection laws.
- MongoDB, Inc. (United States): Provides secure database hosting and management. MongoDB
adheres to strict data protection standards, with data stored in compliance with relevant
privacy regulations. We use our own self-hosted instance of MongoDB, running on Hetzner servers.
- Stripe, Inc. (United States): Handles payment processing for Litlyx Analytics. Stripe is
GDPR-compliant and ensures secure transactions and fraud prevention.
- Google LLC (United States): Manages authentication services through Google Auth, allowing
secure user login. Google Auth follows stringent data protection standards, including GDPR
compliance.
- Brevo SAS (formerly Sendinblue) (France): Manages email communication services. Brevo
ensures that all data processing for email campaigns adheres to GDPR and other privacy
regulations.
We will inform you of any changes to our subprocessors and provide you with the option to object
if necessary. Any objection must be based on legitimate grounds relating to data protection.
Notification of Data Breaches
In the event that Litlyx Analytics becomes aware of a data breach involving customer data, we
will notify you without undue delay and, in any event, within 48 hours of becoming aware of the
breach. This notification will include:
- A detailed description of the breach and its nature.
- The likely consequences of the breach.
- The measures we have taken or plan to take to mitigate the breach and prevent future
occurrences.
We will provide ongoing updates as more information becomes available, and we will assist you in
meeting any legal obligations related to the breach, including notification to relevant
supervisory authorities and data subjects where required.
Data Subject Rights and Assistance
As the data controller, the customer is responsible for addressing data subject requests (e.g.,
access, correction, deletion). However, Litlyx Analytics is committed to assisting you in
responding to such requests whenever applicable. Although we do not process personal data
directly, we will support you in ensuring compliance with GDPR, CCPA, or other applicable data
protection laws by ensuring data is handled securely and anonymized effectively.
Data Retention and Deletion Policy
Data processed by Litlyx Analytics is retained for as long as necessary to provide the services
specified in the agreement. Once your account is terminated or you issue a request for data
deletion, we will follow the data deletion procedures outlined below:
- Account Deletion: All data, including backups, will be permanently deleted from our servers
within 60 days.
- Deletion of Specific Data: If you request the deletion of specific data, we will execute
this request in compliance with GDPR or applicable regulations.
Once deleted, the data cannot be recovered, as we do not store any backup copies beyond this
retention period.
Customer’s Obligations
The customer, as the data controller, agrees to:
- Comply with all applicable data protection laws, including the obligation to provide
adequate privacy notices to data subjects and obtain any necessary consents where required.
- Ensure that any data provided to Litlyx Analytics is lawfully obtained and processed.
- Ensure that its use of Litlyx Analytics services does not violate any applicable laws or
regulations.
The customer is solely responsible for determining the lawful basis for processing visitor data,
whether that basis is consent, legitimate interest, or other grounds under applicable laws.
Limitation of Liability and Indemnity
Both parties agree to indemnify and hold each other harmless from any claims, damages, or losses
arising from a breach of this DPA. Litlyx Analytics shall not be liable for any indirect or
consequential damages, including loss of profits, resulting from the processing of customer
data, except where required by law.
Termination of Agreement
This DPA will automatically terminate upon the end of the customer’s relationship with Litlyx
Analytics, either through account deletion or termination of services. Upon termination, all
customer data will be permanently deleted in accordance with the data retention policy specified
in this DPA.
Governing Law and Dispute Resolution
This DPA is governed by the laws of the European Union and any relevant Member State laws. Any
disputes arising under this agreement shall be subject to the exclusive jurisdiction of the
courts of the European Union or the applicable national courts of the Member State in question.
Contact Information
If you have any questions, concerns, or requests related to this DPA, data protection, or the
services provided by Litlyx Analytics, please contact our Data Protection Officer (DPO) at
privacy@litlyx.com.
Last updated: September 25, 2024