Data Processing Agreement

This Data Processing Agreement (“DPA”) is an addendum to the Terms and Conditions between Swetrix Ltd. (“Swetrix”, “we”, “us”) and the customer (“Customer”, “you”).

If you are accepting this DPA on behalf of your customer or organization, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

This DPA applies to visitor data processed by Swetrix on behalf of the customer in connection with the use of our service.

1. Definitions

  • “You” or “customer” refers to the company or organization that signs up to use Swetrix to analyze website visitors, track errors, or use CAPTCHA.
  • “Service” refers to the Swetrix analytics, error tracking, and CAPTCHA platform.
  • In the course of providing the Service, Swetrix may process visitor data on behalf of the customer.
  • “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), its United Kingdom counterpart ("UK GDPR"), and all other applicable laws relating to processing of visitor data and privacy.
  • “Data controller”, “data processor”, “data subject”, “personal data” and “processing” shall be interpreted in accordance with applicable Data Protection Legislation.
  • The parties agree that the customer is the data controller and that Swetrix is its data processor in relation to visitor data that is processed in the course of providing the service.

2. Privacy and security of your visitor data

We take multiple measures to protect and secure your data through backups, redundancies, and encryption. When you use our service to measure your website traffic, track errors, or serve CAPTCHAs, Swetrix will collect information about your visitors ("End Users").

You entrust us with your site data and we take that trust to heart. You agree that Swetrix may process your data as described in our Data Policy and Privacy Policy and only for that purpose.

You retain full ownership and control of your website data. We obtain no rights from you to your website data. We do not sell your data and only share it with trusted service providers where necessary to operate and provide the service.

By using Swetrix, site measurement is carried out in an anonymous and privacy-friendly way. We minimize data collection in general. We measure only the most essential data points and nothing else.

We do not use cookies, browser cache nor local storage for tracking visitors. We do not store, retrieve nor extract anything from visitor devices without consent.

Every HTTP request includes the IP address and User-Agent. We use the IP address transiently in memory to help generate a unique but anonymized session identifier. To anonymize these data points and make them impossible to relate back to the user, we run them through a hash function with a rotating salt:

hash(salt + website_id + ip_address + user_agent)

This generates an irreversible random string used to identify the session. We then generate a random number (64-bit unsigned integer) and only store that randomly generated number in the database to link pageviews to the same session. The raw IP address, User-Agent, and the hash itself are never stored in our database, logs, or on disk. Old salts are deleted to prevent linking visitor information across longer timeframes.
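A sketch of the session-linking scheme described above, added here as an illustration and not taken from Swetrix's own code. The page does not name the hash function or where the hash-to-number mapping lives, so HMAC-SHA-256 keyed with the salt, length-prefixed fields, the in-memory dictionary, and the SessionLinker name are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


class SessionLinker:
    """Links requests to a session without persisting IP, User-Agent or hash."""

    def __init__(self):
        self._salt = secrets.token_bytes(32)  # current salt, held in memory only
        self._sessions = {}                   # digest -> random 64-bit id (assumed in-memory)

    def rotate_salt(self):
        # Dropping the old salt and the digest map means a later request from
        # the same IP and User-Agent can no longer be tied to an earlier session.
        self._salt = secrets.token_bytes(32)
        self._sessions.clear()

    def _digest(self, website_id, ip_address, user_agent):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") hash
        # differently, which plain string concatenation would not guarantee.
        mac = hmac.new(self._salt, digestmod=hashlib.sha256)
        for field in (website_id, ip_address, user_agent):
            raw = field.encode("utf-8")
            mac.update(len(raw).to_bytes(4, "big") + raw)
        return mac.digest()

    def session_id(self, website_id, ip_address, user_agent):
        key = self._digest(website_id, ip_address, user_agent)
        if key not in self._sessions:
            self._sessions[key] = secrets.randbits(64)
        # Only this random number would be written to the database.
        return self._sessions[key]


def demo():
    linker = SessionLinker()
    ua = "Mozilla/5.0 (constructed sample)"
    ip = "203.0.113.7"  # constructed sample from the documentation range
    first = linker.session_id("site-1", ip, ua)
    repeat = linker.session_id("site-1", ip, ua)
    other_site = linker.session_id("site-2", ip, ua)
    linker.rotate_salt()
    after_rotation = linker.session_id("site-1", ip, ua)
    return first, repeat, other_site, after_rotation


if __name__ == "__main__":
    print(demo())
```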

We also collect general technical details (such as device type, browser name and version, and operating system) for our standard analytics, error tracking, and CAPTCHA services. For error tracking specifically, we may collect technical details such as error messages and stack traces. However, we do not store IP addresses for any of these services.

3. Organizational and technical security measures

Swetrix Ltd. is registered in the United Kingdom, recognized by the EU as a country with an adequate level of data protection. All analytics data collected is stored and processed on secure servers located in the European Union (Germany), hosted by Hetzner Online GmbH.

We use HTTPS in transit. We apply strict firewall rules, private networking, and secure backups to ensure your data remains protected.

Our analytics platform is open source software, allowing anyone to audit our code and understand how data is handled. This transparency increases trust and security.

4. Processor’s obligations

  • Swetrix processes visitor data only in accordance with documented instructions from the customer through the use of the Service.
  • Swetrix will notify the customer without undue delay if an instruction infringes applicable Data Protection Legislation.
  • Swetrix ensures confidentiality of visitor data. Personnel authorized to process visitor data have committed themselves to confidentiality.
  • Swetrix implements appropriate technical and organizational measures to protect visitor data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
  • Swetrix uses sub-processors where necessary. These sub-processors are bound by data protection agreements and may process data only to provide the services Swetrix has retained them for.
  • Swetrix will notify the customer of any data breach without undue delay and take appropriate mitigation steps.
  • Swetrix will assist the customer with data protection obligations and forward any data subject requests to the customer, as we do not hold identifiable data allowing us to process such requests directly.

5. Sub-processors

Swetrix engages the following sub-processors to operate the Service and process End User data:

  • Hetzner Online GmbH (Germany): Infrastructure and server hosting.
  • Functional Software Inc. / Sentry (United States): Error tracking and monitoring.

By accepting this DPA, you provide general authorization for Swetrix to engage these sub-processors. We will notify you of any changes to sub-processors via our website or email.

6. Data deletion

You can choose to delete your website data or your entire account at any time from your Swetrix dashboard. Upon deletion, all associated data will be permanently and irreversibly deleted without undue delay.

7. Customer undertakings

  • The Customer warrants that it has the necessary rights and legal basis to provide visitor data for processing.
  • The Customer is responsible for determining the lawfulness of processing, providing privacy notices, implementing safeguards, and notifying authorities where required by applicable law.
  • The Customer agrees not to pass any personal data, Personally Identifiable Information (PII), or Protected Health Information (PHI) to Swetrix through URLs, custom events, metadata, error messages, or any other data fields.

8. Liability and Indemnity

Each party indemnifies the other against claims arising from breaches of this DPA to the extent permitted by applicable law and subject to the limitation of liability set forth in our Terms and Conditions.

9. Duration and Termination

This DPA comes into effect upon your use of the Service and replaces any previously agreed data processing agreement between you and Swetrix. It shall remain in effect until the termination of your Swetrix account or the Terms and Conditions.

Confidentiality obligations survive termination.

10. Acceptance

Use of the Swetrix Service constitutes acceptance of this DPA. No separate signature is required. If you require a signed copy of this agreement, please contact us.

11. Contact Us

If you have any questions about this DPA, please contact us at contact@swetrix.com.


Last updated: March 24, 2026