Data Processing Agreement
This is a plain-language summary / template of our DPA. For a signed agreement, email privacy@lyticdata.com. It is not legal advice.
1. Roles
You (the customer) are the data controller / fiduciaryfor your end-users' data. LyticData is the processor, processing data only to operate the analytics service you configured.
2. What is processed
Anonymous visitor identifiers, optional opaque customer-supplied references, page URLs/paths, referrer/UTM, device/browser/OS, coarse location (country/city), on-page behavior, and error messages/stack traces. No names, no emails, no raw IP addresses.
3. Privacy by design
- End-users identified only by a random anonymous ID.
- IP used transiently to derive country, then discarded.
- Country/city granularity only.
- Per-project logical isolation.
- Raw event data retained 90 days, then aggregated and deleted.
4. Sub-processors
- Vercel — application hosting.
- MongoDB Atlas — database (encrypted at rest).
- Anthropic — phrases the natural-language wording of insights.
- Clerk — authentication for your LyticData account.
- Resend — transactional email to you.
- Payments processor — for your subscription billing.
5. Security
Encryption in transit (TLS) and at rest, least-privilege database access, no public database network exposure, and rotated credentials.
6. Data-subject rights tooling
- Erasure of a single end-user's data within a project.
- Export of all of a project's data.
- Deletion on disconnect — removing a project erases all its data.
7. Breach notification
We will notify you without undue delay and within 72 hours of becoming aware of a personal-data breach affecting your data.
8. Deletion on termination
On termination or project disconnect, we delete all of the project's data.
See also our Privacy Policy.