article 28

Data Processing Agreement

Last updated: July 11, 2026

You do not need to sign anything. This DPA applies automatically to every Datalenk account, from the moment you start using the service. If your legal team needs a countersigned copy on paper, email [email protected] and you will get one, at no cost and without a sales call.

1.Who is who

For the analytics data you collect from your own website, you are the data controller and Datalenk is the processor. You decide what is measured and why. We act on your instructions, which are given through your configuration in the dashboard and through this agreement.

Datalenk is operated by Go To Agency, a company registered in France. For your own account information (your email, your billing details), we are the controller, and our Privacy Policy covers it.

2.What we process, and what we deliberately do not

By default (the cookieless layer): page URL, referrer, an approximate location derived from the IP address, device, browser, operating system, language, and an ephemeral session key. The raw IP address is used in memory to derive a coarse location and is then discarded. It is never written to disk. Nothing is stored on or read from your visitor's device: no cookie, no localStorage.

If you enable the Persistent layer (an explicit opt-in, per site, with a consent acknowledgement in the dashboard): a pseudonymous random identifier is stored on the visitor's device (localStorage plus a first-party cookie, 90 days). This is what recognizes a returning visitor. It contains no personal data and is never shared or joined across sites.

If you call identify(): the email address you pass is hashed server-side with HMAC and a secret pepper, then discarded. We never store it in clear text.

If you enable replay: pointer coordinates, scroll positions and click positions, as percentages of the page, with timing. No DOM content, no text, no form input, no keystrokes. Deleted after 30 days.

We never sell data, never use it for advertising, never build a profile across our customers' sites, and never use one customer's data to improve anything for another. That last one is not a favour: doing it would make us a controller, and we intend to stay a processor.

3.Where it lives, and for how long

All analytics data is stored on servers in Germany (Hetzner), on database engines we run ourselves. Your visitors' data never leaves the EU, and no transfer mechanism is required for it.

Retention follows your plan: three years on Starter, five on Growth, unlimited on Scale. Replay data is deleted after 30 days regardless of plan. When you delete a site or an account, it goes to a 30-day bin (so a mistake is reversible), then everything is permanently erased: the events, the aggregates, the customer records, the email logs.

4.Sub-processors

The complete, named list is on our sub-processors page, kept current. It separates what touches your visitors' data (all EU) from what touches our own operations (billing and transactional email, where there are US vendors, covered by the EU Standard Contractual Clauses).

We update that page before a new sub-processor starts handling data, not after. If you object to one, tell us: you can terminate without penalty and export everything.

5.Security

Encryption in transit (TLS) and at rest. Access to production is limited to the people who operate it, with key-based authentication. Third-party credentials you give us (a read-only Stripe key, a Search Console token) are encrypted with AES-256-GCM using a dedicated key, never in plain text. Passwords are hashed with scrypt. Our founder console requires a secret link, a password and a TOTP code, and every administrative action is written to an audit log.

If a breach affects your data, we notify you without undue delay and with what we actually know, not a press release.

6.Your rights as controller

Export: your raw events, as CSV or JSON, from the dashboard or the API, at any time, without asking us. Deletion: delete a site or your account from the dashboard and it is erased on the schedule above. Data subject requests: if one of your visitors asks you to erase their data, contact us with the identifier and we will remove it from our stores.

Audit: we answer security questionnaires and we will walk a compliance team through the architecture. We are a small company: we do not host on-site audits, and we would rather tell you that up front than write a clause we cannot honour.

7.The honest part

A DPA is not a compliance certificate, and no vendor can make you compliant on its own. What this document gives you is a clear, written statement of what we do with your data, so your own assessment has something solid to stand on. If anything here is ever contradicted by how the product actually behaves, that is a bug and we want to hear about it: [email protected].