Data Processing Agreement

Last updated: March 21, 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer using Aizen Analytics ("Customer") and Aizen Analytics ("Aizen"). It applies when Aizen processes personal data on the Customer's behalf through Aizen's analytics collection and reporting features.

This public DPA focuses on analytics event data and related reporting generated through Aizen's tracking endpoints. Aizen acts as controller, not processor, for its own account, billing, authentication, abuse-prevention, and product operations data.

2. Roles

Customer is the controller for personal data collected from Customer's websites or apps through Aizen. Aizen is the processor for that data to the extent the data is processed on Customer's behalf to provide the service.

Customer remains responsible for determining whether Customer has an appropriate legal basis to use Aizen, whether Customer must provide notices or obtain consent, and whether Customer's implementation is lawful for Customer's jurisdiction and industry.

3. Subject Matter, Duration, and Instructions

Aizen processes Customer data only to provide analytics collection, storage, aggregation, dashboards, site-level reporting, customer-controlled sharing, customer notifications, and related security and abuse-prevention measures described in the service documentation and settings.

Processing continues for as long as Customer uses the relevant Aizen features and for the retention periods described below, unless shorter deletion is triggered by a site deletion or account deletion workflow.

Customer instructs Aizen to process data according to Customer's configuration, the Aizen product interfaces, documented APIs, and these terms. Aizen will not use Customer analytics data for advertising or for building cross-customer behavioral profiles.

4. Categories of Data Subjects and Data

Data subjects: visitors and users of Customer's measured websites or apps.

Data categories that may be processed:

  • Page URL and normalized page path
  • Validated UTM campaign parameters
  • Referrer origin and referring domain, with referrer path and query removed
  • Browser name and version
  • Operating system name and version
  • Device type and screen width
  • Approximate geolocation derived from IP lookup, including country, region, city, latitude, longitude, and accuracy radius
  • Timestamp
  • A day-scoped pseudonymous session hash
  • Custom event names and properties sent by Customer
  • Outbound link click URLs recorded through the built-in exit-link event
  • For mobile events, optional screen names and app versions if Customer sends them

Data Aizen does not intentionally store in the analytics database:

  • Raw IP addresses
  • Full raw user-agent strings
  • Analytics cookies or local storage identifiers created by the tracker
  • Cross-site or cross-day visitor identifiers
  • Referrer paths and referrer query strings

5. Customer Restrictions and Responsibilities

Customer must not use Aizen to process special category data, children's data, payment card data, government identifiers, authentication secrets, session tokens, or other high-risk personal data unless Aizen has expressly agreed in writing.

Customer must not send personal data or secrets in custom event properties, outbound link URLs, or other fields unless Customer has independently verified that such use is lawful and appropriate. Aizen's automatic filtering is heuristic only and does not guarantee complete removal of personal data.

6. Confidentiality and Security Measures

Aizen will ensure that personnel authorized to process Customer data are subject to appropriate confidentiality obligations and will implement reasonable technical and organizational measures designed to protect Customer data, including:

  • HTTPS/TLS for data in transit
  • Day-scoped session hashing using a rotating salt that is deleted after about 48 hours
  • Application-level handling of IP addresses in memory for rate limiting, geolocation, and session hashing instead of writing raw IP addresses to the analytics database
  • Heuristic filtering of some obvious personal data patterns in event properties
  • Authenticated dashboard access and site-scoped authorization checks
  • Customer-controlled sharing through opt-in public links and read-only API keys, with customer-managed revocation or rotation controls
  • Rate limiting, origin validation, and bot filtering on relevant public endpoints
  • Retention controls that automatically age out raw events and daily salts

7. Subprocessors

Aizen may use subprocessors to provide the service. Categories of subprocessors for Customer analytics data may include:

  • Cloud hosting, storage, and database providers
  • CDN and security providers
  • Email delivery providers, but only where Customer enables analytics-related emails such as weekly reports or spike alerts
  • GeoIP data providers for approximate location enrichment
  • Optional integration providers where Customer chooses to connect a third-party analytics source such as Google Search Console

A current named vendor list is available on request. Aizen will require subprocessors to protect Customer data through written obligations appropriate to the nature of the processing.

8. Assistance and Security Incidents

Taking into account the nature of the processing, Aizen will provide reasonable assistance to Customer in responding to data subject requests and regulatory inquiries where Customer cannot do so alone using the product.

Because Aizen intentionally avoids storing raw IP addresses and direct account-style identifiers in the analytics database, Aizen may not be able to identify, retrieve, correct, or delete a specific visitor-level record after collection.

If Aizen becomes aware of a confirmed personal data breach affecting Customer data processed under this DPA, Aizen will notify Customer without undue delay and provide information reasonably available to Aizen about the incident.

9. Retention and Deletion

  • Raw event data is retained for 90 days
  • Daily aggregate rollups are retained for 3 years on Starter and 5 years on Growth
  • Daily salts used for session hashing are deleted after about 48 hours
  • Optional Search Console data is retained for up to 16 months

Customer can delete a site directly through the product. Full account deletion is currently processed after a 7-day grace period. Once deletion runs, Customer data in Aizen's application database is deleted, subject to any separate legal retention obligations that may apply to third-party payment or infrastructure providers outside the scope of this DPA.

10. International Processing

Aizen may process Customer data in the United States and other countries where its service providers operate. If Customer needs additional transfer commitments, signed terms, or a named subprocessor list, Customer may request them by contacting Aizen.

This public DPA does not by itself incorporate unsigned Standard Contractual Clauses or any customer-specific transfer annexes.

11. Compliance Information and Audit Requests

Aizen will make available information reasonably necessary to demonstrate compliance with this DPA upon written request. Any additional audit or review activity must be reasonable, proportionate, protective of other customers, and may require a separate agreement.

12. Contact

For DPA questions, named subprocessor requests, or signed-term requests, contact [email protected] and mention DPA in the subject line.

← Back to home