SealMetrics
Legal

Data Processing Agreement

Last updated: March 1, 2026

Note: SealMetrics analytics does not collect personal data as defined under GDPR. Our cookieless technology captures anonymous behavioral data only (page URLs, browser type, session behavior) without IP addresses, device fingerprints, or any identifiable information. In most cases, a DPA is not legally required for SealMetrics analytics data. However, we provide this agreement for clients whose internal governance requires one.

1. Scope and purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service between SealMetrics (“Processor”) and the Client (“Controller”). It governs the processing of any data that may be considered personal data under applicable data protection laws in connection with the SealMetrics analytics service.

2. Data processed

The SealMetrics analytics script collects the following categories of data from Client website visitors:

  • Page URLs and referrer URLs
  • Browser type, operating system, screen resolution
  • Session behavior (page views, scroll depth, clicks, time on page)
  • Country-level geolocation (IP address is used for derivation only and immediately discarded)

No IP addresses, device fingerprints, names, emails, or any directly identifiable information is collected or stored.

3. Processing locations

All data processing and storage occurs exclusively within the European Economic Area (EEA). SealMetrics does not transfer data outside the EEA. All sub-processors are located within the EEA.

4. Security measures

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Data isolation: logical separation at database level per client
  • Access control: principle of least privilege, all access logged
  • Infrastructure: redundant EU availability zones with 24/7 monitoring
  • No cross-customer data access or model training

5. Data retention and deletion

Analytics data is retained for the duration of the service agreement plus 30 days. Upon termination or request, all data is permanently deleted within 30 days. The Client may export data at any time via the API or BigQuery integration prior to deletion.

6. Sub-processors

SealMetrics uses a limited number of sub-processors, all located within the EEA. We will notify the Client of any changes to sub-processors with at least 30 days’ notice. A current list of sub-processors is available upon request.

7. Data subject rights

As SealMetrics does not collect personal data, data subject requests (access, deletion, portability) generally do not apply to analytics data. Should a request be received, SealMetrics will assist the Client in responding to the extent technically feasible.

8. Audit rights

The Client has the right to audit SealMetrics’ compliance with this DPA. Audits may be conducted once per year with reasonable notice. SealMetrics will provide relevant documentation and facilitate reasonable access to systems and processes.

9. Contact

For DPA-related questions or to request a signed copy, contact dpo@sealmetrics.com.

Privacy PolicyTerms of ServiceSecurity Architecture