Data Processing Agreement

1. Parties

Data Controller ("you"): The entity or individual accessing the AI Infos Web Statistics service and instructing the processing of personal data.

Data Processor ("we", "us"): AI Infos Web Statistics, the provider of the analytics platform accessible at this domain.

2. Subject Matter and Duration

We process personal data on your behalf for the purpose of providing web analytics services as described in the Terms of Service. Processing continues for the duration of your subscription and ceases upon account termination, subject to the data retention provisions below.

3. Nature and Purpose of Processing

Categories of data subjects:

• Visitors to your website(s) where our tracking script is installed

Categories of personal data processed:

• Anonymised/hashed IP addresses (we never store raw IPs)
• Browser type, operating system, device type
• Country and city (derived from anonymised IP, not exact location)
• Referring URL and UTM parameters
• Pages visited, time of visit, session duration

Processing purposes:

• Providing aggregated website traffic analytics
• Displaying real-time visitor counts
• Goal conversion tracking
• Campaign attribution

4. Our Obligations as Processor

We commit to:

• Process personal data only on your documented instructions
• Ensure persons authorised to process data are under confidentiality obligations
• Implement appropriate technical and organisational security measures (Article 32 GDPR)
• Not engage sub-processors without your prior consent
• Assist you in fulfilling data subject rights requests (access, erasure, portability)
• Delete or return all personal data upon termination of the agreement
• Make available all information necessary to demonstrate compliance
• Notify you without undue delay of any personal data breach (Article 33 GDPR)

5. Sub-processors

We use the following sub-processors. You authorise us to use these by accepting this DPA:

• Hosting provider — Cloud/VPS hosting for data storage and application
• Email delivery — Transactional email for account notifications only

We will notify you of any changes to sub-processors with 30 days' notice.

6. Data Retention and Deletion

We retain analytics data for the period configured in your account settings (default: 365 days). Upon account deletion, all personal data is deleted within 30 days. You may request immediate deletion at any time via the Data Export & Deletion page.

7. International Data Transfers

Your data is stored in the server region you selected during setup. We do not transfer personal data outside of that region except where required by law. Where transfers outside the EEA occur, we ensure adequate safeguards are in place (Standard Contractual Clauses or equivalent).

8. Security Measures

We implement the following technical and organisational measures:

• IP anonymisation — raw IPs are never stored; only SHA-256 hashes
• TLS encryption in transit (HTTPS enforced)
• Encrypted passwords (bcrypt)
• Two-factor authentication available for all accounts
• Role-based access controls
• Regular database backups
• No cookies or cross-site tracking

9. Data Subject Rights

As the data controller, you are responsible for responding to data subject requests. We will assist you by:

• Providing data export functionality (Settings → Export & Delete)
• Processing deletion requests within 72 hours of written request
• Providing information about what data we hold upon request

10. Audit Rights

You have the right to audit our compliance with this DPA. Please contact us at the address below with a minimum of 30 days' notice. Audits must be conducted during business hours and may not disrupt our operations or other customers' data.

11. Liability

Our liability under this DPA is subject to the limitations set out in our Terms of Service. We are only liable for losses caused directly by our breach of this DPA.