Data Processing Agreement
Last updated: July 2026
TL;DR: When you use ClearAnalytics, you (the Customer) are the data controller and ClearAnalytics is the data processor. This agreement, entered into as part of our Terms of Service, sets out how we process personal data on your behalf under Article 28 of the GDPR. All processing takes place within the EU. We use a short, transparent list of sub-processors.
1. Parties and roles
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer", the data controller) and ClearAnalytics, operated by Coding Agency, a software studio based in the Netherlands ("ClearAnalytics", the data processor). It governs the processing of personal data carried out by ClearAnalytics on behalf of the Customer through the ClearAnalytics service.
2. Subject matter and duration
ClearAnalytics processes personal data only for the purpose of providing privacy-first website analytics to the Customer. Processing continues for the duration of the Customer's active subscription. Upon termination, data is deleted or returned in accordance with section 9.
3. Nature and purpose of processing
ClearAnalytics collects and aggregates website usage data to produce analytics reports. By design, the service does not use cookies, does not fingerprint visitors, and does not store raw IP addresses. Visitor IP addresses are hashed with a daily-rotating salt and immediately discarded, so individual website visitors cannot be re-identified across days.
4. Categories of data subjects and personal data
ClearAnalytics processes limited data in two contexts:
Website visitors of the Customer
- Page URL and referrer URL
- Browser, operating system and device type
- Screen dimensions and language preference
- Country (derived from IP, then discarded)
- A non-reversible daily visitor hash (IP + user agent + rotating salt)
Customer account users
- Name and email address
- Hashed password and authentication factors
- Billing details required for subscription payments
5. Processor obligations
ClearAnalytics, as processor, undertakes to:
- Process personal data only on documented instructions from the Customer, including as set out in the Terms of Service and this DPA
- Ensure that persons authorised to process the data are bound by confidentiality
- Implement the technical and organisational security measures described in section 6
- Engage sub-processors only under the conditions in section 7
- Assist the Customer in responding to data subject requests
- Assist the Customer with security, breach notification and data protection impact assessments
- Delete or return personal data on termination, per section 9
6. Security measures
ClearAnalytics implements appropriate technical and organisational measures to protect personal data, including EU-only data residency, a separate isolated database per customer, encryption in transit (TLS) and application-layer encryption of sensitive credentials at rest, hashed passwords, optional two-factor authentication and passkeys, scoped API tokens, and rate limiting. A detailed overview is available on our Security page.
7. Sub-processors
ClearAnalytics engages the following sub-processors, all of which process data within the EU. We will inform the Customer of any intended changes, giving the Customer the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting and database infrastructure | Germany (EU) |
| Lettermint | Transactional email (login codes, notifications) | EU |
| Mollie B.V. | Subscription payment processing | Netherlands (EU) |
8. International transfers
All personal data is processed and stored exclusively within the European Union. ClearAnalytics does not transfer personal data outside the European Economic Area (EEA). All sub-processors listed in section 7 process data within the EU.
9. Return and deletion of data
Upon termination of the service, or at the Customer's request, ClearAnalytics will delete all personal data processed on the Customer's behalf, unless retention is required by EU or member state law. The Customer may export their analytics data at any time via the API before deletion.
10. Personal data breaches
ClearAnalytics will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and will provide the information reasonably required for the Customer to meet its own notification obligations under the GDPR.
11. Audits
ClearAnalytics will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality.
12. Governing law
This DPA is governed by the laws of the Netherlands. Where this DPA conflicts with the Terms of Service on the processing of personal data, this DPA prevails.
13. Contact
For questions about this DPA, to request a signed copy, or to exercise data protection rights, contact us at privacy@clearanalytics.eu.