Data Processing Addendum (DPA)

Last updated: December 5, 2025

This Data Processing Addendum ("Addendum") forms part of the Terms of Service ("Agreement") between Linea Analytics ("Processor") and the customer using the Linea Analytics service ("Controller"). This Addendum applies when the Controller submits or transmits Personal Data to the Processor in connection with use of the Service.

Unless otherwise defined, terms used in this Addendum have the meanings set out in the GDPR and UK GDPR.

1. Subject Matter, Duration, and Documented Instructions

The Processor will process Personal Data solely for the purpose of providing the Linea Analytics service and related support.

The Controller's documented instructions consist of:

  • the Agreement (Terms of Service)
  • the Privacy Policy
  • any additional written instructions provided by the Controller and acknowledged by the Processor

The Processor will notify the Controller if it believes an instruction violates applicable law.

Processing continues for as long as the Controller maintains an active account or until deletion is requested, subject to legal retention requirements.

2. Nature and Purpose of Processing

The Processor provides privacy-first website analytics. Processing activities include:

  • receiving minimal technical data for aggregated analytics
  • hosting, storing, and securing data
  • processing account and billing information
  • providing customer support
  • maintaining and improving the Service

The Processor does not create identifiers, does not store IP addresses, does not fingerprint users, and does not use Personal Data for advertising, profiling, or cross-site tracking.

3. Types of Personal Data

Controller Account Data

  • Name (optional)
  • Email address
  • Website domain(s)
  • Billing and payment information (handled by a third-party payment processor)

Visitor Analytics Data

Collected by the Controller via the Processor's tracker script:

  • page URL visited
  • referrer URL
  • timestamp
  • device and browser type
  • screen size or viewport
  • country or region (derived from IP, which is not stored)

Analytics data is processed only in aggregated, non-identifying form.

Note on Data Subject Rights Feasibility

Because analytics data is aggregated and not tied to individuals, certain data subject rights requests may not be technically feasible. In such cases, GDPR permits the Processor to decline requests where it cannot identify the data subject.

4. Categories of Data Subjects

  • Controller account users
  • Visitors to the websites monitored by the Controller

5. Processor Obligations

The Processor shall:

  1. Process Personal Data only on the Controller's documented instructions.
  2. Ensure personnel with access to Personal Data are bound by confidentiality.
  3. Implement appropriate technical and organizational measures to safeguard Personal Data.
  4. Notify the Controller of a confirmed Personal Data breach without undue delay and within 72 hours of confirmation.
  5. Assist the Controller with:
    • data subject rights requests
    • data protection impact assessments (DPIAs)
    • consultations with supervisory authorities
  6. Delete or return Personal Data upon termination of the Service unless retention is legally required.
  7. Not transfer Personal Data outside its disclosed hosting locations except under a valid transfer mechanism.

6. Controller Obligations

The Controller shall:

  1. Ensure its use of the Service complies with applicable data protection laws.
  2. Establish a lawful basis for processing visitor data.
  3. Provide an accurate privacy notice describing the use of the Processor's analytics service.
  4. Not instruct the Processor to process data in violation of applicable laws.

7. Sub-processors

The Controller grants general authorization for the Processor to use sub-processors necessary to operate the Service (e.g., hosting providers, payment processors, email delivery).

The Processor shall:

  • impose the same data protection obligations on sub-processors as set out in this Addendum
  • remain fully liable for the performance of its sub-processors
  • maintain a list of sub-processors available upon request
  • notify the Controller of changes to sub-processors, typically by email or posting updates online, providing 30 days' notice to object

If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service.

8. International Transfers

When transferring Personal Data outside the EEA, UK, or other regions requiring transfer safeguards, the Processor will ensure a valid transfer mechanism is in place, such as:

  • the EU Standard Contractual Clauses (SCCs)
  • the UK International Data Transfer Addendum (UK Addendum)
  • the EU–US Data Privacy Framework or UK Extension (if self-certified)

The Processor will provide details of its hosting region(s) and transfer mechanisms upon request.

9. Security Measures

The Processor maintains technical and organizational measures appropriate to the nature of the Personal Data, including:

  • no storage of IP addresses
  • encryption in transit
  • access control and least-privilege access
  • audit logging and monitoring
  • secure software development practices
  • backups and data recovery procedures
  • documented incident response processes

A more detailed description of security measures is available upon request and may be updated as technology evolves.

10. Data Subject Rights Assistance

The Processor will assist the Controller in responding to requests from data subjects under GDPR and UK GDPR. Because analytics data is aggregated and not associated with individuals, some requests may not be feasible. The Processor will inform the Controller when this is the case.

11. Audit Rights

Upon reasonable notice, the Controller may request information necessary to demonstrate compliance with this Addendum. Audits may be conducted:

  • no more than once per year
  • during normal business hours
  • through remote review unless an onsite review is required

Audits must not disrupt the Processor's operations or compromise the security of other customers.

12. Termination and Return/Deletion of Data

Upon termination of the Service, the Processor will delete or return Personal Data as described in the Privacy Policy, unless retention is required by law. Analytics data is aggregated and non-identifying and may be retained for statistical purposes.

13. Liability and Precedence

Liability under this Addendum is governed by the Agreement unless prohibited by law.

If there is a conflict between this Addendum and the Agreement, this Addendum prevails with respect to the processing of Personal Data.