Data Processing Agreement
If you embed heft.io analytics on your site and the GDPR applies to you, this DPA covers the relationship. You're the controller – you decide what gets tracked. heft.io is the processor – it does the actual processing on your behalf.
What gets processed
heft.io processes visitor data only to provide the analytics service, and only as described in the Tracking Policy. Nothing outside that scope. By default, raw IP addresses and full User-Agent strings are never stored.
If your site sends custom event payloads, those fields pass through too – so don't send personal data you're not allowed to process. Analytics doesn't use cookies for measurement; the optional opt-out mechanism may write to localStorage, as documented.
Security and where data lives
Data is processed in the EU and kept confidential. Everyone with access is bound by a confidentiality obligation. The Subcontractors page lists the providers and their locations.
Subcontractors
A small number of subcontractors are used to run the service – the current list is at Subcontractors. If that list changes, account holders are notified in advance. You can object to a new subcontractor; if the objection can't be accommodated, you can terminate.
Data breaches
If a breach affecting your visitor data becomes known, you'll be notified without undue delay – within 48 hours where feasible – with a description of what happened and what's being done. heft.io will assist with any notification obligations you have to regulators or individuals.
Your responsibilities
As the controller, you're responsible for having a lawful basis for the processing, providing any required privacy notices to your visitors, and notifying regulators when the law requires it. heft.io will help where it can – data subject requests that heft.io receives are forwarded to you promptly.
Deletion
When you delete an account or a site, the data is gone. No copies are kept.
Acceptance
Using the service constitutes acceptance of the Terms of Service and this DPA. No separate signature is needed. Confidentiality obligations survive termination.
Contact
Questions about this DPA or your data? Use the contact options on the site.
Last updated: May 2026