Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions between Fallen Leaf Design LTD (“Processor”, “we”, “us”) and you (“Controller”, “you”) and governs our processing of personal data on your behalf when you use Leaflytics.

This DPA is designed to meet the requirements of the UK GDPR and EU GDPR.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collecting, storing, analysing, deleting, etc.).
  • Controller: The entity that determines the purposes and means of processing (you).
  • Processor: The entity that processes data on behalf of the Controller (us).
  • Sub-processor: A third party engaged by us to process data.

Scope and purpose

You appoint us as a Processor to process personal data solely for the purpose of providing the Leaflytics analytics service as described in our Terms & Conditions.

We will only process personal data on your documented instructions unless required by law.

Types of data processed

Leaflytics is designed to minimise personal data collection. However, depending on your configuration, processed data may include:

Standard analytics (all sites):

  • IP addresses (processed for geolocation, not stored)
  • Device and browser information
  • Page view and session data
  • Referrer URLs

E-commerce tracking (WooCommerce sites with optional customer tracking enabled):

  • Customer email addresses (hashed)
  • Order history and value
  • Customer journey data
  • Customer Name & Email Address (with customer data enabled)

You control which data is collected through your Leaflytics configuration.

Data subject rights

We will assist you in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, etc.) to the extent technically feasible.

If we receive a request directly from a data subject, we will redirect them to you unless legally required to respond.

Security measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS/SSL)
  • Encryption at rest
  • Access controls and authentication
  • Regular security reviews
  • EU-based hosting (Hetzner, Germany)

Sub-processors

We use the following sub-processors to deliver Leaflytics:

Sub-processor   Purpose                     Location
Hetzner         Hosting and data storage    Germany
GoCardless      Payment processing          United Kingdom
Microsoft       Transactional emails        America
Accelo          CRM                         America

We will notify you of any changes to sub-processors with at least 14 days’ notice. You may object to a new sub-processor by terminating the service.

Data retention and deletion

We retain analytics data for up to 2 years. Upon termination of your account:

  • You may export your data before cancellation
  • We will delete all data from our servers within 7 days of cancellation
  • Backup copies are purged within 30 days

Data transfers

All data is stored within the European Economic Area (Germany). We do not transfer data outside the EEA unless:

  • Required by a sub-processor (in which case appropriate safeguards apply)
  • You explicitly request it

Where transfers occur, we ensure appropriate safeguards are in place (Standard Contractual Clauses or equivalent).

Audit rights

Upon reasonable request and subject to confidentiality obligations, we will provide information necessary to demonstrate compliance with this DPA.

Data breach notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (and within 72 hours where feasible)
  • Provide details of the breach, likely consequences, and measures taken
  • Assist you in meeting your own breach notification obligations

Term and termination

This DPA remains in effect for as long as you use Leaflytics. Upon termination, our data processing obligations continue until all personal data is deleted.

Liability

Liability under this DPA is subject to the limitations set out in our Terms & Conditions.

Contact

For DPA-related queries, contact:

Fallen Leaf Design LTD
hello@leaflytics.co.uk