Data Processing Agreement
Publytics is hosted by a European company, whose data infrastructure is based in Germany and Finland. We store data following the European Union's data privacy laws. This Data Processing Agreement ("DPA") is between Publytics and the customer.
If you decide (yourself or on behalf of your customer) to accept this DPA, this means that you: (1) have legal authority to bind yourself / your customer to this policy; (2) have to read and fully understand this policy; (3) agree, totally, to this policy (on behalf of your customer too).
We make sure that our product is compliant with the General Data Protection Regulation (namely GDPR: Regulation (EU) 2016/279) when we process visitor data.
- "Customer" or "You" refers to the company that signs up to use Publytics and its dashboard in order to monitor the website's stats.
- In order to provide the service, we may process visitors' data on behalf of a customer.
- "Data Protection Legislation" refers to the General Data Protection Regulation (namely GDPR: Regulation (EU) 2016/279) and any other applicable laws relating to processing of visitor data and privacy that exist in any relevant jurisdiction.
- The terms "data controller," "data processor," "data subject," "personal data," and "processing" shall be understood in accordance with the relevant data protection laws and regulations.
- Both parties have mutually agreed that the customer shall serve as the data controller and Publytics shall act as the data processor with respect to the visitor data processed while providing the service.
This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy. Your visitor data will never leave the EU and EU-owned cloud infrastructure. You can read about Hetzner and their server security certifications here. We implement secure measures to protect your data, including HTTPS encryption in transit and a stronger hashing process for data at rest. Unlike encryption, our hashing process renders the raw IP address and User Agent completely inaccessible, even to us. Our system also employs strict firewall rules and private encrypted networking to further safeguard your data.
How we ensure privacy and security of your visitors' data
At Publytics, we take the security and privacy of your data seriously and employ multiple measures such as backups, redundancies, and encryption to ensure its protection. When using our service to track your website stats, Publytics will gather information about your visitors.
We understand that you trust us with your site data, and we value that trust. By agreeing to our data policy, you acknowledge that Publytics may process your data solely for the purpose of providing our service, and we commit to being transparent about our operations and open to your feedback. You retain full ownership of all rights, titles, and interests to your website data. We do not collect or analyze personal information from web users for the purpose of selling advertisements, and we ensure that the privacy of your visitors is respected.
We never attempt to generate a device-persistent identifier because such identifiers are considered personal data under GDPR. The data we process cannot be used to identify any single individual. Every HTTP request sends the IP address and the User-Agent to the server, which we use to generate a daily changing identifier using a hash function with a rotating salt to anonymize the data. The raw IP address and User-Agent are never stored in our logs, databases, or anywhere on disk. Old salts are deleted every 24 hours, rendering the raw IP address and User-Agent completely inaccessible to anyone, including ourselves.
The formula that we use generates a random alphanumeric string used only for the purpose of calculating the unique visitor numbers for a single day. After one day, it becomes impossible to relate back to the user, since the salts change and the hash produces a different ID for the same combination of IP, Domain, User Agent.
The hashing process consists of:
- Salt - This is varied every day and allows you to be sure that each day the hash is different for the same combination of IP, User-Agent and Hostname.
- IP Address (e.g. 18.104.22.168) - This is typically a unique identifier to the network, but sometimes if you're on a VPN or proxy it can be the same as other users.
- User-Agent (e.g. Mozilla/5.0 (Linux; Android 12; SM-S906N Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/80.0.3987.119 Mobile Safari/537.36) - This provides more uniqueness than using only the IP Address.
- Hostname (e.g. example.com) - This prevents us from collecting browsing activity across different websites.
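The scheme described above, sketched as an added example (this is not Publytics' own code). The page does not name the hash function, salt size or field encoding, so HMAC-SHA-256, a 32-byte random salt, length-prefixed fields and the names `DailySaltStore`, `visitor_id` and `demo` are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date


class DailySaltStore:
    """Holds only the current day's salt, in memory; older salts are discarded."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: overwriting the old salt makes earlier IDs unrecomputable.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, ip: str, user_agent: str, hostname: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(f.encode()).to_bytes(4, "big") + f.encode()
        for f in (hostname.lower(), ip, user_agent)
    )
    # Keyed hash (assumption: HMAC-SHA-256; the page names no algorithm).
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()[:16]


def demo():
    store = DailySaltStore()
    ip, ua = "203.0.113.7", "Mozilla/5.0 (constructed sample)"  # constructed inputs
    d1, d2 = date(2024, 1, 1), date(2024, 1, 2)
    same_day_a = visitor_id(store.salt_for(d1), ip, ua, "example.com")
    same_day_b = visitor_id(store.salt_for(d1), ip, ua, "example.com")
    other_site = visitor_id(store.salt_for(d1), ip, ua, "example.org")
    next_day = visitor_id(store.salt_for(d2), ip, ua, "example.com")
    return same_day_a, same_day_b, other_site, next_day


if __name__ == "__main__":
    a, b, site, nxt = demo()
    print("same day, same site :", a == b)
    print("same day, other site:", a == site)
    print("next day, same site :", a == nxt)
```

The IPv4 address space is small enough to enumerate, so an unsalted hash of these fields could be reversed by brute force. The irreversibility comes from the salt being secret and then deleted, not from the hash alone.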
The group of data subjects affected by the processing of their data under this agreement includes end-users of the controller’s websites which make use of the service provided by the processor. You can find more information about our processing of your visitor data and what types/categories of data we collect on your behalf in our publicly available data policy.
Our obligations with respect to the controller
Publytics will process visitor data solely in accordance with the customer's instructions via the service's settings. These instructions include (a) operating, maintaining, and supporting the infrastructure used to provide the service, (b) complying with the customer's instructions and processing instructions in their use, management, and administration of the service, and (c) other instructions provided through the service settings. Publytics will process visitor data only in accordance with the agreement.
Publytics guarantees the confidentiality of visitor data processed under this agreement. Our personnel who require access to visitor data are trained in GDPR and data privacy, informed of the data's confidential nature, and comply with the obligations set out in this agreement.
Publytics implements and maintains appropriate technical and organizational security measures designed to protect visitor data against unauthorized or unlawful processing and accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are appropriate to the harm that may result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the visitor data and consider the nature of the visitor data being protected.
We work with sub-processors after evaluating their commitment to privacy and signing a data processing agreement with them, which includes the controller-processor Standard Contractual Clauses. Subcontractors may process data only to deliver the services that Publytics has retained them to provide, and they are prohibited from using the data for any other purpose. Publytics will notify the controller when modifying the list of subprocessors using in-app notifications, email, and/or blog. The controller can legitimately object and terminate the agreement.
If Publytics becomes aware of any accidental, unauthorized, or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data processed while providing the service, it will notify the customer by email without undue delay (not later than 48 hours after becoming aware of it) and provide the customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. Publytics will also take action to investigate the incident and reasonably prevent or mitigate its effects.
Publytics will not rectify, erase, or restrict the processing of visitor data that is being processed on behalf of the controller unless required by law or the Processor Terms of Service. Publytics will only do so on documented instructions from the controller and in accordance with the data retention rules associated with the controller's subscription plan.
Publytics will assist the controller in complying with obligations concerning the security of personal data and provide assistance for DPIAs. When a data subject asserts their rights as a data subject, the request will be forwarded to the controller without delay.
The customer agrees never to push unique identifiers of their users, or anything that could allow a specific unique user to be re-identified, through our script (e.g. with custom dimensions), as this would prevent our privacy-based behavior. In that case, the responsibility of violating privacy rules falls on the customer.
Deleting users and sites
You can choose to delete your account and delete your site stats at any time. We provide simple no-questions-asked deletion links. All your stats will be permanently deleted immediately when you delete your data. We cannot recover this information once it has been permanently deleted.
How to accept our DPA
To utilize our products and services, you must acknowledge our DPA. When you use our product, you are accepting our terms of service, and the DPA is automatically included. You are not required to sign any separate agreement. We ensure that all customers receive equal privacy rights and protection.
Duration / Termination
The DPA is effective as of May 12, 2023. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.
Liability and Indemnity
Both parties agree to indemnify and hold each other harmless from any and all claims, actions, losses, damages, expenses, and third-party claims that may arise directly or indirectly out of or in connection with a breach of this DPA.