Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement governing use of the heft.io analytics service. When the General Data Protection Regulation (GDPR) or similar data protection law applies to the account holder's use of the service, this DPA sets out how visitor data is processed on behalf of the account holder.
Definitions
"Controller" or "account holder" means the organisation or person using heft.io to analyse website visitors. "Processor" means heft.io. "Visitor data" means the data collected about visitors to the account holder's website, as described in the Data policy.
"Data Protection Legislation" means the GDPR (Regulation (EU) 2016/679) and other applicable laws on processing of personal data. "Data controller," "data processor," "data subject," "personal data," and "processing" have the meanings given in that legislation. The account holder is the data controller; heft.io is the data processor for visitor data processed to provide the service.
Processing and instructions
Visitor data is processed only on the controller's instructions through the service and as set out in the Data policy. The service is designed so that default pageview and session metrics do not store raw IP addresses or full User-Agent strings; see the Data policy.
Custom event payloads may include fields sent by the embedding site. Analytics does not use cookies for measurement; optional opt-out may set a first-party cookie as documented. Visitor data is not processed for any other purpose. If an instruction would breach Data Protection Legislation, the account holder will be informed without undue delay.
Confidentiality and security
Data is kept confidential and appropriate technical and organisational measures are used to protect it. Anyone who accesses the data is bound by confidentiality or a legal obligation of confidentiality.
Application and analytics data are processed in the EU (Scaleway, France). The analytics web app, public marketing site, tracking service, and fonts proxy are delivered via Bunny CDN.
Subprocessors
Subcontractors are used to run the service. They are chosen to meet appropriate data protection and security standards. Changes to the list will be notified to account holders. Account holders may object to a new subprocessor; if the objection cannot be accommodated, the agreement may be terminated.
Data breach
If a personal data breach affecting visitor data processed on behalf of the account holder becomes known, the account holder will be notified without undue delay (and in any event within 48 hours where feasible), with a description of the incident and the measures being taken. Assistance is provided to meet any obligation to notify a supervisory authority or data subjects.
Controller obligations and processor assistance
The controller is responsible for having a lawful basis for the processing, for providing privacy notices to data subjects where required, and for notifying regulators of incidents when the law requires it.
The processor assists with responding to data subject rights requests and demonstrating compliance where possible. Data subject requests received are forwarded to the controller without delay.
Return and deletion of data
When an account or site data is deleted, the data is permanently deleted and no copies are retained.
Duration and acceptance
This DPA applies for as long as visitor data is processed on behalf of the account holder. Use of the service constitutes acceptance of the Terms of Service and this DPA — no separate signature is needed. Confidentiality obligations survive termination.
Contact
Questions about this DPA or your data? Use the contact options on the site.
Last updated: April 2026