This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between Analyzati and the customer.

If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have the full legal authority to bind your customer to this DPA; (b) you have read and understood this DPA, and (c) you agree, on behalf of your customer, to this DPA.

These service terms incorporate the “Analyzati Data Processing Agreement” (“DPA”) when the General Data Protection Regulation (“GDPR”) applies to your use of Analyzati services to process visitor data as defined in the DPA. We protect and secure your visitor data to the high standards set out in the agreement.

Definitions

Privacy and security of your visitor data

We take many measures to protect and secure your data through backups, redundancies, and encryption. When you use our service to measure your website stats, Analyzati will collect information about your visitors.

You entrust us with your site data and we take that trust to heart. You agree that Analyzati may process your data as described in our data policy and for no other purpose. We do our best to deserve that trust by being open about who we are, and how we work, and keeping an open door to your feedback.

You own all rights, title, and interest in your website data. We obtain no rights from you to your website data. We do not collect and analyze personal information from web users and use these behavioral insights to sell advertisements. When using Analyzati, you 100% own and control all of your website data. We don’t sell or share your site data with any third parties, and we won’t abuse your visitors’ privacy.

Even though the purpose of Analyzati is to track the usage of a website, this can still be done without tracking, collecting, or storing any personal data or personally identifiable information (PII), without using cookies, and while respecting the privacy of your website visitors.

With Analyzati, all site measurement is carried out absolutely anonymously. We minimize data collection in general. We measure only the most essential data points and nothing else. All the metrics we do collect fit on one single page.

We do not attempt to generate a device-persistent identifier because such identifiers are considered personal data under GDPR. We do not use cookies, the browser cache, or local storage. We do not store, retrieve, or extract anything from visitors’ devices. The data we process cannot be used to identify any single individual.

Every single HTTP request sends the IP address and the User-Agent to the server, so that’s what we use. We generate a daily changing identifier using the visitor’s IP address and User-Agent. To anonymize these data points and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random-looking string of letters and numbers that is used to calculate unique visitor numbers for the day. The raw IP address and User-Agent are never stored in our logs, databases or anywhere on disk at all.

Old salts are deleted every 24 hours to avoid the possibility of linking visitor information from one day to the next. Forgetting used salts also removes the possibility of the original IP addresses being revealed in a brute-force attack. The raw IP address and User-Agent are rendered completely inaccessible to anyone, including ourselves.
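
The scheme described above, as an added sketch that is not Analyzati's own code. SHA-256, the length-prefixed fields, the in-memory DailySaltStore and the sample requests are assumptions made for illustration; the page names only the inputs to the hash.

```python
import hashlib
import secrets
from datetime import date


class DailySaltStore:
    """Keeps exactly one salt in memory: the one for the current day."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: the previous salt is overwritten, not archived, so
            # yesterday's identifiers can no longer be recomputed or linked.
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, website_domain: str, ip_address: str, user_agent: str) -> str:
    """hash(daily_salt + website_domain + ip_address + user_agent)."""
    h = hashlib.sha256()  # assumption: the page does not name the hash function
    h.update(salt)
    for field in (website_domain, ip_address, user_agent):
        data = field.encode("utf-8")
        # Length prefix keeps ("a", "bc") and ("ab", "c") from hashing alike.
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def count_unique(store, day, domain, requests):
    """Unique visitors for one day; only the hashes are retained."""
    salt = store.salt_for(day)
    return len({visitor_id(salt, domain, ip, ua) for ip, ua in requests})


# Constructed sample requests (documentation-range IPs, made-up User-Agents).
REQUESTS = [
    ("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"),
    ("203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"),
    ("198.51.100.23", "Mozilla/5.0 (Macintosh) ExampleBrowser/2.0"),
]

if __name__ == "__main__":
    store = DailySaltStore()
    print(count_unique(store, date(2023, 3, 12), "example.com", REQUESTS))
```

While the current day's salt still exists, the identifiers are only as private as that salt is secret, which is why this sketch never writes it to persistent storage.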

The group of data subjects affected by the processing of their data under this agreement includes end-users of the controller’s websites which make use of the service provided by the processor.

You can find more information about our processing of your visitor data and what types/categories of data we collect on your behalf in our publicly available data policy.

Organizational and technical security measures

All of the data that we do track is kept fully secured, encrypted, and hosted on servers in Amsterdam, The Netherlands and Paris, France. This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy. Your visitor data never leaves the EU and EU-owned cloud infrastructure.

For encryption, we use HTTPS in transit and the hashing process at rest. Our hashing process is much stronger than encryption. Encryption implies that there’s a key that can decrypt and reveal the raw data. In our database, the raw IP address and User-Agent are rendered completely inaccessible to anyone, including ourselves. In addition to this, we use strict firewall rules and private encrypted networking. We keep offsite backups with replication including strong crypt passwords.

Processor’s obligations with respect to the controller

How we handle delete instructions

You can choose to delete your account at any time. We provide simple no-questions-asked deletion links.

All your stats will be permanently deleted immediately when you delete your Analyzati account or when you delete your site stats. We cannot recover this information once it has been permanently deleted.

Customer undertakings and Analyzati assistance

  1. determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
  2. providing relevant privacy notices to data subjects as may be required in your jurisdiction;
  3. implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
  4. notifying any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.

Liability and Indemnity

Duration and Termination

Are customers required to sign the Analyzati DPA?

In order to use our products and services, you need to accept our DPA. By using our product you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.

Can a customer share the Analyzati DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.

Contact Us

If you have a question about the Data Processing Agreement (DPA), please contact us.

If you have any questions or concerns regarding your information and personal data, please contact us at hello@analyzati.com.

Last updated: March 12, 2023