Data Processing Agreement (DPA)

Effective date: 2026-05-10
Version: 1.3

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Pulse Analytics Terms of Service (the "Agreement") between:

  • The Customer identified in the Pulse Analytics account ("Controller", "you"); and
  • Pulse Analytics, operated by Loovl OÜ, registry code 17497447, VAT identifier EE102982660, registered in Estonia ("Processor", "Pulse", "we", "us"). Registered address for service of legal notices: see Section 18.

This DPA governs the Processing of Personal Data by Pulse on behalf of the Customer in connection with the Customer's use of the Pulse Analytics service (the "Service"). It is designed to comply with Article 28 of Regulation (EU) 2016/679 ("GDPR") and incorporates by reference the relevant modules of Commission Implementing Decision (EU) 2021/915 (the "EU SCC for Intra-EEA Controller-to-Processor") where applicable.

By using the Service, the Customer accepts this DPA. No separate signature is required, although a signed PDF copy is available on request to privacy@loovl.eu.


1. Definitions

Unless otherwise defined here, capitalised terms have the meaning given in the GDPR.

  • "Personal Data" means any data Processed under this DPA that constitutes "personal data" within the meaning of Article 4(1) GDPR.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Data Subject" means a visitor of the Customer's website(s) where the Pulse tracker is installed.
  • "Sub-processor" means any third party engaged by Pulse to Process Personal Data on its behalf in connection with the Service, as listed in Annex 1.
  • "Service" means the Pulse Analytics web analytics platform, including the tracker script, ingestion API (/api/collect), dashboard, public share links, and any related features.
  • "Authorised Persons" means employees, contractors, and Sub-processors of Pulse who require access to Personal Data to perform the Service.

2. Roles and Subject Matter

2.1. The Customer is the Controller of Personal Data of the Data Subjects. Pulse is the Processor, acting only on the Customer's documented instructions.

2.2. Subject matter: Provision of privacy-preserving web analytics for the Customer's websites.

2.3. Duration: For the duration of the Customer's account, plus the retention periods set out in Section 9.

2.4. Nature and purpose: Collection, aggregation, hashing, storage, and presentation of website usage data for the Customer's analytics needs.

2.5. Categories of Data Subjects: Visitors to the Customer's websites where the Pulse tracker is installed.

2.6. Categories of Personal Data Processed:

| Category | Detail |
|---|---|
| Pseudonymous visitor identifier | SHA-256 hash of IP + User-Agent + daily-rotating salt + site_id, stored as 16 hex characters. Cannot be reversed; salts are deleted after 48 hours. |
| Pseudonymous session identifier | Same construction as the visitor identifier plus a 30-minute time bucket. Used to count sessions and infer first-page attribution within a session window. |
| Technical context | Browser (name and version), operating system (name and version), device type (mobile / tablet / desktop), screen resolution (width × height in pixels). |
| Page context | URL path (no query strings), referring URL, language of the page (<html lang>), hostname. |
| Marketing attribution | UTM parameters parsed from the page URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content). |
| Approximate geolocation | Country (ISO-3166-1 alpha-2), region (ISO-3166-2 code), city — derived from offline IP databases without external API calls. |
| Custom event names and properties | Only those the Customer explicitly chooses to send via the tracker (window.myAn(...)) or via the official WordPress integration. Up to 16 keys per event, each value up to 512 bytes. Sensitive fields known to Pulse (phone_click.number, email_click.email) are masked at collection time so that only the first characters and the domain are retained. |
| Account data (Customer, not Data Subjects) | Email, name, hashed password, billing identifiers. Processed as Controller-to-Processor under separate Privacy Policy. |

2.7. Personal Data Pulse does NOT collect or store:

  • Raw IP addresses (used in-memory only for hashing and geolocation, never written to any database or log)
  • Cookies, localStorage, sessionStorage, or any client-side persistent identifiers
  • Browser fingerprints (canvas, fonts, plugins, etc.)
  • Form input contents, keystrokes, mouse movements
  • Cross-site tracking identifiers
  • Names, email addresses, phone numbers of Data Subjects (unless the Customer explicitly transmits them as event properties — strongly discouraged)

2.8. Data Subject opt-out. Visitors to the Customer's websites can disable Pulse measurement at any time by setting the flag localStorage.setItem('pulse-opt-out', '1') in their browser. The Pulse tracker reads this flag on every page load and exits before sending any data. The opt-out persists per-browser until the visitor clears local storage. Pulse honours the browser's Do Not Track signal in the same manner. The Customer is encouraged to reference these controls in its own visitor-facing privacy notice.


3. Customer Instructions

3.1. Pulse Processes Personal Data only on the Customer's documented instructions, including this DPA, the Agreement, the Customer's configuration of the Service (sites added, events tracked), and any subsequent written instructions provided through the dashboard or by email to privacy@loovl.eu.

3.2. Pulse will inform the Customer if it considers an instruction to violate the GDPR or other applicable data protection law, without obligation to perform a legal review on the Customer's behalf.


4. Confidentiality

4.1. Pulse ensures that all Authorised Persons accessing Personal Data are bound by appropriate written confidentiality obligations or are under a statutory obligation of confidentiality.

4.2. Access to Personal Data is restricted on a strict need-to-know basis for the operation, maintenance, and support of the Service.


5. Security Measures (Article 32 GDPR)

Pulse implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The current measures are described in Annex 2. Pulse may update these measures from time to time, provided the level of protection is not materially decreased.


6. Sub-processors

6.1. The Customer grants Pulse general written authorisation to engage Sub-processors, subject to this Section 6.

6.2. The current list of Sub-processors is set out in Annex 1 and is also published at https://loovl.eu/legal/subprocessors.

6.3. Pulse will provide the Customer with at least 14 days' prior notice of any addition or replacement of a Sub-processor by updating the public list and by email notification to the Customer's account email.

6.4. The Customer may object to a new Sub-processor on reasonable data protection grounds within the notice period by contacting privacy@loovl.eu. If the parties cannot resolve the objection in good faith, the Customer may terminate the Agreement and receive a pro-rata refund of any prepaid fees for the unused period, as the Customer's exclusive remedy.

6.5. Pulse imposes data protection obligations on each Sub-processor that are no less protective than those of this DPA. Pulse remains fully liable to the Customer for any failure of a Sub-processor to fulfil its data protection obligations.


7. International Data Transfers

7.1. All Processing of Data Subjects' Personal Data takes place on infrastructure located within the European Economic Area (Hetzner Online GmbH, data centres in Germany and Finland). No Data Subject Personal Data is transferred outside the EEA in the course of providing the Service.

7.2. Customer-account billing data (email, name, billing address, last 4 digits of payment instrument) will be shared with a third-party Merchant of Record solely for the purpose of processing payment and tax compliance, once paid plans launch. The specific provider and the applicable transfer basis (intra-EEA — no mechanism required; or, for a non-EEA provider, an adequacy decision or Standard Contractual Clauses) will be disclosed in the Sub-processors list before activation. The Merchant of Record does not receive or have access to Data Subject Personal Data.

7.3. Pulse will not transfer Data Subject Personal Data outside the EEA without first putting in place a valid transfer mechanism (e.g. SCCs, adequacy decision) and notifying the Customer.


8. Assistance to the Controller

8.1. Data Subject Rights (Chapter III GDPR). Pulse provides the Customer, through the dashboard and the API, with the ability to fulfil requests under Articles 15–22 GDPR, including the deletion of all events for a given site or visitor hash. To the extent the Customer cannot reasonably fulfil such a request through the available functionality, Pulse will assist on reasonable written request.

8.2. Security, breach notification, DPIA (Articles 32–36 GDPR). Taking into account the nature of the Processing and the information available to Pulse, Pulse will provide reasonable assistance to the Customer in fulfilling its obligations under Articles 32 to 36 GDPR.


9. Data Retention and Deletion

9.1. Event data: Retained for three (3) years by default via automatic ClickHouse TTL on the events table. The Customer may shorten this period by request.

9.2. Daily-rotating salts: Deleted automatically two (2) days after rotation by a daily cron job. After this point, retroactive de-anonymisation of any visitor identifier is impossible.

9.3. Account and billing data: Retained for the duration of the Agreement plus the period required to comply with statutory record-keeping obligations (typically up to 7 years under Estonian law for accounting records).

9.4. On termination of the Agreement, the Customer may export their data through the dashboard during a 30-day grace period. After the grace period, all event data is logically deleted on request via ALTER TABLE events DELETE WHERE site_id = ... and physically removed by ClickHouse background merge processes (typically within minutes to hours, guaranteed within 30 days). Account and billing records are retained as set out in Section 9.3.

9.5. The Customer may at any time request earlier deletion of all event data for one or more sites by deleting the site through the dashboard or by emailing privacy@loovl.eu.


10. Personal Data Breach

10.1. Pulse will notify the Customer without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach affecting the Customer's Personal Data.

10.2. The notification will, to the extent known, describe: (a) the nature of the breach, (b) the categories and approximate number of Data Subjects and records concerned, (c) the likely consequences, (d) measures taken or proposed to address the breach and mitigate adverse effects.

10.3. Pulse will reasonably assist the Customer in fulfilling its obligations under Articles 33 and 34 GDPR.


11. Audit Rights

11.1. Pulse will make available to the Customer, on reasonable written request and no more than once per twelve (12) months (unless required by a competent supervisory authority or following a Personal Data Breach), all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

11.2. Where Pulse provides a recent independent third-party audit report (e.g. ISO 27001 or SOC 2 once obtained), the Customer agrees that this report will be deemed sufficient to demonstrate compliance for the period covered.

11.3. The Customer or its mandated auditor may, on reasonable written notice and at the Customer's cost, conduct an on-site audit during normal business hours, provided the auditor is bound by appropriate confidentiality and is not a competitor of Pulse.


12. Cooperation with Supervisory Authorities

Pulse will cooperate with supervisory authorities (including the Estonian Data Protection Inspectorate) on request, and will inform the Customer if it receives a legally binding request for disclosure of Personal Data by a public authority, unless prohibited by law.


13. Liability

13.1. Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

13.2. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be excluded or limited under applicable law.


14. Term and Termination

14.1. This DPA takes effect on the Effective Date and remains in effect for the term of the Agreement.

14.2. Sections 4 (Confidentiality), 9 (Retention and Deletion), 12 (Cooperation), and 13 (Liability) survive termination.


15. Governing Law and Jurisdiction

15.1. This DPA is governed by the laws of the Republic of Estonia, without regard to conflict-of-laws principles, and is supplemented by the GDPR and any other directly applicable EU data protection law.

15.2. The courts of Viru County (Viru Maakohus), Estonia have exclusive jurisdiction over any disputes arising out of or in connection with this DPA, subject to mandatory consumer protection rules that may grant Data Subjects rights to bring claims in their country of habitual residence.


16. Severability and Entire Agreement

16.1. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force.

16.2. This DPA, together with the Agreement, the Privacy Policy, and any annexes, constitutes the entire agreement between the parties with respect to the subject matter and supersedes all prior agreements.

16.3. In case of any conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails.


17. Updates to this DPA

Pulse may update this DPA from time to time. The Customer will be notified of material changes at least 30 days in advance by email and through the dashboard. The latest version is always available at https://loovl.eu/legal/dpa. Continued use of the Service after the effective date of an update constitutes acceptance.


18. Contact

For any DPA-related inquiries, including requests for a signed PDF copy:

Email: privacy@loovl.eu
Postal address: Loovl OÜ, Ravi tn 19-1, 30326, Kohtla-Järve, Ida-Virumaa, Estonia


Annex 1 — Sub-processors

Last updated: 2026-05-10

The following Sub-processors are engaged by Pulse to provide the Service. The list is also published at https://loovl.eu/legal/subprocessors and the Customer is notified at least 14 days in advance of any change (Section 6.3).

Active Sub-processors

| Sub-processor | Role | Location | Data Subjects' data? | Transfer mechanism |
|---|---|---|---|---|
| Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) | Hosting and infrastructure (compute, storage, network) | Germany and Finland | Yes — all event data, hashed visitor identifiers, account data | Intra-EEA, no transfer mechanism required |

Planned Sub-processors (not currently active)

The following Sub-processors are scoped for activation when paid plans launch. They do not currently process any Customer or Data Subject Personal Data. Activation will be announced through the public Sub-processors page and by email to existing Customers at least 14 days in advance, in line with Section 6.3.

| Sub-processor | Planned role | Location | Data Subjects' data? | Transfer mechanism (when active) |
|---|---|---|---|---|
| Third-party Merchant of Record (specific provider named before activation) | Merchant of Record: payment processing, billing, tax compliance | To be confirmed before activation | No — will receive only Customer billing data (email, name, billing address, payment instrument), no Data Subject Personal Data | Confirmed before activation: intra-EEA (no mechanism) if EEA-based, otherwise adequacy decision or SCCs; supplementary measure: data minimisation (no Data Subject Personal Data transferred) |

Resources NOT acting as Sub-processors (for transparency):

  • DB-IP IP-to-City Lite and MaxMind GeoLite2 geolocation databases: distributed as offline .mmdb files installed on Pulse infrastructure. No request leaves Pulse infrastructure during geolocation lookup.
  • Favicon services: DuckDuckGo (icons.duckduckgo.com), Google (www.google.com/s2/favicons) — used only by the Pulse server to fetch and cache referer-domain favicons (server-to-server, public hostname only). The Customer's Data Subjects' browsers never make requests to these services.
  • Country flag services: flagcdn.com, hatscripts.github.io — same model as favicons (server-side fetch by ISO country code, locally cached).
  • Email delivery (exim4): operated on Pulse infrastructure (Hetzner), no third-party email provider.

Annex 2 — Technical and Organisational Measures (Article 32 GDPR)

Last updated: 2026-05-10

2.1 Data Minimisation by Design

  • Raw IP addresses are never written to any database, log, or backup. They exist only in memory of the ingestion process for the duration of a single request, used solely to compute a daily-salted SHA-256 hash and to perform offline geolocation.
  • No cookies, no localStorage, no sessionStorage are set on Data Subjects' browsers by the tracker.
  • No browser fingerprinting (canvas, font enumeration, plugin enumeration, hardware identifiers).
  • Pseudonymisation: Visitor identifier is SHA-256(IP || User-Agent || daily_salt || site_id), truncated to 16 hex characters. The daily salt rotates at 00:00 UTC and is permanently deleted 48 hours later, making retroactive de-pseudonymisation cryptographically infeasible.

2.2 Encryption

  • In transit: TLS 1.2+ enforced on all public endpoints (pulse.loovl.eu, loovl.eu, /api/collect). Modern cipher suites; HTTP Strict Transport Security (HSTS) enabled.
  • At rest — production database: Production server storage is operated by Hetzner Online GmbH on access-controlled infrastructure (restricted SSH key authentication, network firewall isolating internal database services to localhost). At-rest disk encryption is applied to attached encrypted Block Storage Volumes when used. The current production root volume is not encrypted at the host filesystem level; Hetzner data centres operate ISO 27001-certified physical access controls.
  • At rest — backups: Account and metadata backups (MariaDB analytics_meta — including hashed credentials, account email, billing identifiers) are encrypted with AES-256 (GnuPG symmetric, AES256 cipher) before being written to disk. Decryption requires a passphrase stored separately from the production application stack and not embedded in any deployable artefact. Aggregated event backups (ClickHouse analytics_events, containing pseudonymous visitor identifiers and session-level aggregations only — no IP addresses, no email addresses, no plaintext credentials) are stored on access-controlled infrastructure and will be migrated to encrypted Block Storage at scale-up.
  • Backup retention: 14 days on the production host, with manual off-site copies pulled by the operator on a periodic cadence.

2.3 Access Control

  • SSH access to production servers is restricted to public-key authentication; password authentication is disabled.
  • Access to production credentials (databases, API keys) is limited to Authorised Persons on a need-to-know basis.
  • Administrator passwords are hashed with bcrypt (cost factor ≥ 12).
  • Network-level firewall (iptables) restricts access to internal services (MariaDB, ClickHouse, Redis) to localhost and authorised hosts only.

2.4 Network Security

  • Web traffic terminates at Nginx with rate-limiting on sensitive endpoints (/api/collect, /login, /signup).
  • Fail2ban actively bans abusive IPs based on configurable rules (login brute-force, scanner patterns).
  • Bot traffic is filtered at the ingestion layer using the isbot library before any Personal Data is computed or stored.

2.5 Application Security

  • Input validation on all endpoints; output escaping (escapeHtml) on all user-controlled data rendered in HTML.
  • Cryptographically signed session cookies (HMAC).
  • Parameterised queries on all database access (no string concatenation).
  • Regular dependency updates and review for known vulnerabilities.

2.6 Resilience and Backups

  • Daily automated backups of the MariaDB metadata database.
  • ClickHouse data is partitioned by month and site; partitions can be restored independently.
  • Redis persistence enabled (AOF) to prevent loss of in-flight events during process restart.

2.7 Logging and Monitoring

  • Application logs at warn/error level only in production. Event ingestion is not logged at request level.
  • Web server access logs retain client IP for 14 days for security investigations and abuse mitigation, then are rotated and deleted.

2.8 Personnel

  • Authorised Persons are bound by written confidentiality obligations.
  • Access is reviewed periodically and revoked promptly upon role change or departure.

2.9 Sub-processor Management

  • Sub-processors are evaluated for technical and organisational measures before engagement.
  • Each Sub-processor is bound by a data protection agreement no less protective than this DPA.
  • The Sub-processor list is publicly maintained at https://loovl.eu/legal/subprocessors.

2.10 Incident Response

  • Incident response procedure with defined roles and escalation paths.
  • Personal Data Breach notification to Customers within 48 hours of discovery (Section 10).
  • Post-incident review and remediation tracking.

2.11 Continuous Improvement

  • Pulse reviews and updates these technical and organisational measures at least annually, or more frequently in response to evolving threats, regulatory guidance (e.g. EDPB), or material changes to the Service.

End of DPA