Data Processing Agreement

Last updated: July 2026

TL;DR: When you use ClearAnalytics, you (the Customer) are the data controller and ClearAnalytics is the data processor. This agreement, entered into as part of our Terms of Service, sets out how we process personal data on your behalf under Article 28 of the GDPR. All processing takes place within the EU. We use a short, transparent list of sub-processors.

1. Parties and roles

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer", the data controller) and ClearAnalytics, operated by Coding Agency, a software studio based in the Netherlands ("ClearAnalytics", the data processor). It governs the processing of personal data carried out by ClearAnalytics on behalf of the Customer through the ClearAnalytics service.

2. Subject matter and duration

ClearAnalytics processes personal data only for the purpose of providing privacy-first website analytics to the Customer. Processing continues for the duration of the Customer's active subscription. Upon termination, data is deleted or returned in accordance with section 9.

3. Nature and purpose of processing

ClearAnalytics collects and aggregates website usage data to produce analytics reports. By design, the service does not use cookies, does not fingerprint visitors, and does not store raw IP addresses. Visitor IP addresses are hashed with a daily-rotating salt and immediately discarded, so individual website visitors cannot be re-identified across days.

4. Categories of data subjects and personal data

ClearAnalytics processes limited data in two contexts:

Website visitors of the Customer

  • Page URL and referrer URL
  • Browser, operating system and device type
  • Screen dimensions and language preference
  • Country (derived from IP, then discarded)
  • A non-reversible daily visitor hash (IP + user agent + rotating salt)

Customer account users

  • Name and email address
  • Hashed password and authentication factors
  • Billing details required for subscription payments

5. Processor obligations

ClearAnalytics, as processor, undertakes to:

  • Process personal data only on documented instructions from the Customer, including as set out in the Terms of Service and this DPA
  • Ensure that persons authorised to process the data are bound by confidentiality
  • Implement the technical and organisational security measures described in section 6
  • Engage sub-processors only under the conditions in section 7
  • Assist the Customer in responding to data subject requests
  • Assist the Customer with security, breach notification and data protection impact assessments
  • Delete or return personal data on termination, per section 9

6. Security measures

ClearAnalytics implements appropriate technical and organisational measures to protect personal data, including EU-only data residency, a separate isolated database per customer, encryption in transit (TLS) and application-layer encryption of sensitive credentials at rest, hashed passwords, optional two-factor authentication and passkeys, scoped API tokens, and rate limiting. A detailed overview is available on our Security page.

7. Sub-processors

ClearAnalytics engages the following sub-processors, all of which process data within the EU. We will inform the Customer of any intended changes, giving the Customer the opportunity to object.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Hosting and database infrastructure | Germany (EU) |
| Lettermint | Transactional email (login codes, notifications) | EU |
| Mollie B.V. | Subscription payment processing | Netherlands (EU) |

8. International transfers

All personal data is processed and stored exclusively within the European Union. ClearAnalytics does not transfer personal data outside the European Economic Area (EEA). All sub-processors listed in section 7 process data within the EU.

9. Return and deletion of data

Upon termination of the service, or at the Customer's request, ClearAnalytics will delete all personal data processed on the Customer's behalf, unless retention is required by EU or member state law. The Customer may export their analytics data at any time via the API before deletion.

10. Personal data breaches

ClearAnalytics will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide the information reasonably required for the Customer to meet its own notification obligations under the GDPR.

11. Audits

ClearAnalytics will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality.

12. Governing law

This DPA is governed by the laws of the Netherlands. Where this DPA conflicts with the Terms of Service on the processing of personal data, this DPA prevails.

13. Contact

For questions about this DPA, to request a signed copy, or to exercise data protection rights, contact us at privacy@clearanalytics.eu.