Data Processing Agreement (DPA)

Last updated: 2026-05-06

This agreement is incorporated by reference into the Walityk service contract. It applies automatically upon subscribing to a paid plan or creating an account on the platform. A signed copy can be obtained on request at privacy@walityk.com.

1. Parties

  • The client, hereinafter “the Controller”, having subscribed to the Walityk service.
  • Impulse Analytics, publisher of the Walityk service, hereinafter “the Processor”.

2. Subject matter and duration

The Processor processes the personal data collected via the Walityk tag on behalf of the Controller, for the duration of the service contract. On termination of the contract, the data is returned and/or destroyed within 30 days, except for statutory retention obligations (accounting logs).

3. Description of the processing

| Element | Detail |
| --- | --- |
| Nature of processing | Server-side collection of analytics events, deduplication, transmission to destinations chosen by the Controller (GA4, Meta CAPI, Google Ads, TikTok Events). |
| Purposes | Audience measurement, multi-touch attribution, real-time debugging. |
| Categories of data | Pseudonymous identifiers, navigation events, country-level geolocation, hashed email and phone (only if provided by the Controller, never persisted in plaintext). |
| Categories of data subjects | Visitors and customers of the Controller’s website. |

4. Processor obligations (Article 28 GDPR)

  1. Process the data in accordance with the Controller’s documented instructions (destination configuration, consent policy, configurable retention periods).
  2. Ensure confidentiality by persons authorised to process the data (contractual confidentiality clauses with employees and contractors).
  3. Implement the technical and organisational security measures described in the annex (TLS/at-rest encryption, Postgres RLS, MFA, admin access logging).
  4. Assist the Controller in responding to data subject rights requests, within 7 business days of the request being forwarded.
  5. Notify any data breach within 24 hours to the Controller’s GDPR contact address, together with the elements needed for notification to the supervisory authority within the 72-hour deadline.
  6. Cooperate with the Controller’s audits, on reasonable notice (15 days), at most once a year, or without notice in the event of a confirmed incident.
  7. At the end of the contract, return the data in a machine-readable format (CSV / JSON export from the dashboard) then erase it within 30 days.

5. Sub-processors

The Controller authorises the Processor to use the sub-processors listed on the Sub-processors page. Any addition or replacement will be notified by email and published on that page at least 30 days before taking effect, giving the Controller the option to object by terminating the contract without penalty.

6. Transfers outside the EU

Analytics data is stored in the European Union (Supabase Frankfurt). No transfer outside the EU takes place for this data. For payments (Stripe, United States), the Processor has entered into the Standard Contractual Clauses (SCC 2021) and relies on the EU-US Data Privacy Framework adequacy decision.

7. Liability

Each party is liable for the damages it causes through non-compliance with its GDPR obligations, within the limits set out in the main service contract. The Processor cannot be held liable for configurations chosen by the Controller (for example, enabling an advertising destination without obtaining prior consent).

8. Annex — Security measures

  • TLS 1.2+ encryption in transit, AES-256 at-rest on Supabase databases.
  • Strict Postgres RLS, tenant isolation via tenant_id policies.
  • HMAC on first-party cookies, no plaintext PII persisted.
  • Mandatory MFA for operators, principle of least privilege.
  • Encrypted daily backups, 30-day retention, restore tested quarterly.
  • Continuous monitoring (structured logs + Sentry-compatible error reporting), 24/7 alerting on critical incidents.