Data Processing Agreement

Last updated: 2026-05-09

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (or master subscription agreement) between DATALYR and the customer (“you,” “Customer,” or “Controller”) and applies whenever DATALYR processes personal data on the Controller’s behalf in the course of providing the Service.

This DPA is intended to satisfy the requirements of Article 28 of the GDPR, the UK GDPR, and equivalent obligations under other applicable data protection laws.

1. Definitions

  • Controller means the Customer.
  • Processor means DATALYR.
  • Personal Data means any information relating to an identified or identifiable natural person processed by DATALYR on the Controller’s behalf in connection with the Service.
  • Data Subject means an end user whose personal data is processed (typically a visitor or customer of the Controller’s websites, apps, or services).
  • Subprocessor means a third party engaged by DATALYR to process personal data on behalf of the Controller.
  • Data Protection Laws means the GDPR, UK GDPR, CCPA/CPRA, and any other applicable privacy laws.

2. Subject matter and duration

DATALYR processes personal data on the Controller’s behalf to provide the Service. Processing continues for the term of the Controller’s subscription and for any post-termination period required to return or delete data under section 16.

Where Customer itself acts as a processor for its own customer (a “Customer Controller”), DATALYR will act as a subprocessor and perform under this DPA accordingly. References to “Controller” in this DPA include the Customer Controller in those cases, and DATALYR’s obligations flow through to the Customer Controller via the Customer.

3. Nature and purpose of processing

DATALYR processes personal data to:

  • Receive and store events tracked from the Controller’s websites, apps, and connected integrations
  • Match events across sessions and devices to enable attribution
  • Compute reports, dashboards, customer journeys, and related analytics
  • Forward configured conversions to ad platforms (Meta, Google Ads, TikTok, OpenAI Ads) per the Controller’s configuration
  • Provide support, security, and operational services in connection with the Service

4. Categories of data subjects

End users of the Controller’s websites, apps, or services, including visitors, customers, subscribers, leads, and authorized users.

5. Categories of personal data

The personal data processed is determined by the Controller. It typically includes:

  • Online identifiers (cookies, device IDs, anonymous visitor IDs)
  • Click identifiers (fbclid, gclid, ttclid, oppref) and UTM parameters
  • IP address, user agent, referrer, language, and timezone
  • Email addresses and customer IDs when explicitly identified via identify() calls or revenue-platform integrations
  • Order, payment, and subscription data from connected platforms (Shopify, Stripe, Superwall, RevenueCat, Whop)
  • Custom event properties the Controller configures and sends

6. Controller's instructions

DATALYR will process personal data only on documented instructions from the Controller, including:

  • The Controller’s configuration of the Service (workspace setup, integrations, identification, conversion rules)
  • This DPA
  • The Terms of Service or applicable master agreement
  • Other written instructions from the Controller, where reasonable and consistent with the Service

DATALYR will inform the Controller if it believes an instruction violates Data Protection Laws.

7. Confidentiality

DATALYR ensures that personnel authorized to process personal data are bound by confidentiality obligations and have received appropriate training.

8. Security measures

DATALYR implements appropriate technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS) and at rest where supported
  • Least-privilege access controls for personnel
  • Authentication and audit logging on administrative interfaces
  • Regular review of access, configurations, and dependencies
  • Documented incident-response procedures

A more detailed security overview is available on request to security@datalyr.com.

9. Subprocessors

The Controller authorizes DATALYR to engage subprocessors to provide infrastructure, hosting, payments, error monitoring, customer support, and similar operational services. A current list of subprocessors is available on request.

DATALYR will notify the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object on reasonable data-protection grounds; if DATALYR cannot accommodate, the Controller may terminate the subscription as its sole remedy.

DATALYR remains responsible for subprocessor compliance with this DPA.

10. Data subject rights

DATALYR provides tools that help the Controller respond to data subject requests, including:

  • Access: export of an end user’s data via the dashboard or API
  • Deletion: removal of an end user’s data via the API
  • Opt-out: respect for opt-out cookies and Do Not Track signals where the Controller configures the SDK accordingly

If DATALYR receives a data subject request directly, it will forward the request to the Controller without responding (unless required by law).

11. Personal data breach

DATALYR will notify the Controller without undue delay (and where feasible within 72 hours) of becoming aware of a personal data breach affecting the Controller’s data, including information reasonably necessary for the Controller to meet its own notification obligations.

12. Government and third-party data requests

If DATALYR receives a subpoena, court order, government inquiry, or any other request from a third party seeking access to personal data DATALYR processes for the Controller, DATALYR will, unless legally prohibited:

  • Notify the Controller of the request as promptly as practicable
  • Provide reasonable cooperation to the Controller in challenging the request where lawful grounds exist
  • Disclose only the minimum personal data legally required if compelled to respond

13. Data protection impact assessments

DATALYR will provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to DATALYR.

14. International transfers

DATALYR is based in the United States and may transfer personal data outside the EEA, UK, or other jurisdictions. Where required by Data Protection Laws, DATALYR relies on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the Swiss equivalent, or other approved transfer mechanisms.

15. Audits

Once per year, the Controller may audit DATALYR’s compliance with this DPA. DATALYR will provide reasonable cooperation, including responses to security questionnaires and access to relevant policies and any third-party audit reports that exist. On-site audits will be arranged on reasonable advance notice and conducted at the Controller’s expense.

16. Return or deletion of data

On termination of the subscription, DATALYR will, at the Controller’s choice, delete or return all personal data within 90 days, unless retention is required by law. Backups containing personal data will be deleted in accordance with DATALYR’s standard backup-rotation schedule.

17. Liability and governing law

Liability under this DPA is governed by the limitation of liability provisions of the Terms of Service or applicable master agreement. Governing law follows the Terms.

18. Order of precedence

In the event of a conflict between this DPA and the Terms of Service or master agreement with respect to the processing of personal data, this DPA controls. Where Standard Contractual Clauses or equivalent transfer mechanisms have been executed by the parties, those clauses control over this DPA on matters they expressly address.

19. Contact

Privacy and data protection: privacy@datalyr.com

Security: security@datalyr.com