DATA PROCESSING AGREEMENT.
Version 1.0 // Effective: March 2026 // GDPR Article 28
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Galor Analytics ("Processor") and the entity agreeing to these terms ("Controller"), together the "Parties".
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data that Galor Analytics performs on behalf of the Controller in connection with the Galor Analytics service ("Service").
By using the Service, the Controller accepts this DPA. If the Controller is accepting on behalf of an organization, the Controller represents that they have the authority to bind that organization.
1. Definitions
Capitalized terms not defined herein have the meanings given in the GDPR.
- "Controller" means the entity that determines the purposes and means of the processing of personal data by using the Service (typically a marketing agency or website operator).
- "Processor" means Galor Analytics, operated by Rok Znidar Petelinsek, trading as galor.agency, registered in Slovenia, European Union.
- "Data Subjects" means the individuals whose personal data is processed through the Service, specifically visitors to the Controller's websites.
- "Sub-processor" means a third party engaged by the Processor to process personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
- "Service" means the Galor Analytics platform, including the tracker script, ingestion API, and dashboard, as described at galor.group.
2. Subject Matter and Duration of Processing
2.1 Subject Matter
The Processor provides web analytics services to the Controller. The Processor collects, stores, aggregates, and displays analytics data from visitors to the Controller's websites using a JavaScript tracker script and server-side ingestion pipeline.
2.2 Duration
This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination of the Service agreement, the Processor will delete or return all personal data within 30 days, unless retention is required by applicable law (Section 10).
3. Nature and Purpose of Processing
The Processor processes personal data solely to:
- Collect website visitor analytics events (pageviews, clicks, scroll depth, web vitals, form interactions, session data)
- Derive geographic location from IP addresses (IP is anonymized before storage by zeroing the last octet)
- Enrich visitor data with company information using truncated IP addresses (for lead identification)
- Aggregate and display analytics data in the Controller's dashboard
- Generate automated analytics reports and alerts
- Deliver AI-powered analytics insights based on aggregated data
- Process payments and manage the Controller's subscription
- Send transactional emails (reports, alerts, invitations) on behalf of the Controller
The Processor does not process personal data for any purpose other than those described above and as instructed by the Controller. The Processor does not sell personal data, use it for advertising, or share it with third parties except as described in the Sub-processor list (Annex B).
4. Types of Personal Data and Categories of Data Subjects
4.1 Categories of Data Subjects
- Visitors to websites operated by or on behalf of the Controller
4.2 Types of Personal Data — Cookieless Mode (Default)
Collected without cookies or consent requirement:
- Page URL and referrer URL (sanitized to remove PII patterns such as email addresses, tokens, and credit card numbers)
- UTM campaign parameters
- Browser name and version, operating system (derived from User-Agent string)
- Country, region, and city (derived from IP address; the IP address itself is anonymized by zeroing the last octet before any storage or further processing)
- Viewport dimensions and device type (mobile, tablet, desktop)
- Screen resolution
- Behavioral events: pageview timestamps, scroll depth percentages, click coordinates, web vitals (LCP, FCP, TTFB, CLS), form start/abandon signals
- Per-session random identifier (not tied to a user, not persisted across sessions)
- Consent state (granted, denied, or unset)
4.3 Types of Personal Data — Persist Mode (Consent Required)
Collected only with explicit visitor consent (Tier 2 or Tier 3 consent):
- Persistent visitor identifier stored in a first-party cookie (_galor_vid, 2-year expiry)
- Cross-session behavior data (return visits, time between sessions)
- Lead scoring metrics (accumulated behavioral data)
- If provided by the visitor via identified forms: email address (stored as SHA-256 hash), name, phone number, company name
4.4 Data Never Collected
- Raw (non-anonymized) IP addresses
- Credit card or payment card numbers
- Passwords or authentication tokens
- Health, biometric, or special category data as defined in GDPR Article 9
- Data from minors (the Service is not directed at persons under 16)
5. Obligations and Rights of the Controller
The Controller shall:
- Ensure it has a valid legal basis under GDPR Article 6 for each category of personal data collected (consent, legitimate interest, or contract)
- Inform Data Subjects about the analytics processing in its own privacy policy, including the identity of the Controller and the use of Galor Analytics as a processor
- If using Persist Mode (Tier 2/3), obtain valid consent from Data Subjects before enabling persistent tracking and provide a mechanism for consent withdrawal
- Respond to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection) and instruct the Processor to assist where necessary
- Not instruct the Processor to process data in violation of applicable data protection law
- Maintain a record of processing activities as required by GDPR Article 30
6. Obligations of the Processor
6.1 Instructions
The Processor processes personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification.
6.2 Confidentiality
The Processor ensures that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 Security (Article 32)
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The specific measures are detailed in Annex A (Technical and Organizational Measures).
6.4 Sub-processors
The Processor shall not engage another processor without prior general written authorization from the Controller. The Controller provides general authorization for the Sub-processors listed in Annex B.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by updating the Sub-processor list at this URL (galor.group/dpa) and notifying the Controller by email at least 30 days before the change takes effect. If the Controller objects to the change within that period, the Processor shall either not proceed with the change or allow the Controller to terminate the agreement without penalty.
Where the Processor engages a Sub-processor, the Processor shall impose on the Sub-processor the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
6.5 Data Subject Rights
The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR. This includes:
- Right of access (Article 15): The Processor provides data export functionality in the dashboard (JSON and CSV formats).
- Right to erasure (Article 17): The Processor provides a GDPR erasure pipeline accessible via the dashboard Settings page. Upon request, all data associated with the specified visitor or website is queued for deletion with a 7-day safety cooldown, then permanently deleted from all tables (ClickHouse events, sessions, profiles, and PostgreSQL records).
- Right to rectification (Article 16): The Controller may contact the Processor at privacy@galor.group to correct inaccurate data.
- Right to data portability (Article 20): The Processor provides data export in machine-readable JSON and CSV formats.
- Right to restriction (Article 18): The Controller may pause data collection by removing the tracker script from their website or disabling the website in the dashboard.
6.6 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event no later than 48 hours after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects
This enables the Controller to fulfill its own notification obligations under GDPR Article 33 (notification to the supervisory authority within 72 hours) and Article 34 (communication to Data Subjects).
6.7 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be conducted with reasonable advance notice (minimum 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Controller shall bear its own costs of any audit. The Processor may charge reasonable fees for time spent assisting with audits beyond standard documentation review.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes GDPR or other EU or Member State data protection provisions.
6.8 Data Protection Impact Assessments
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 35 (Data Protection Impact Assessment) and 36 (Prior Consultation), taking into account the nature of the processing and the information available to the Processor.
7. International Data Transfers
All primary data storage and processing occurs within the European Union, specifically on Hetzner infrastructure in Nuremberg and Falkenstein, Germany.
Certain Sub-processors are established in the United States (see Annex B). For these transfers, the Processor relies on the following safeguards pursuant to GDPR Chapter V:
- EU-US Data Privacy Framework: Where the Sub-processor is certified under the EU-US Data Privacy Framework (DPF), transfers are made on that basis (GDPR Article 45 adequacy decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): Where DPF certification is not available, the Processor ensures that Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) are in place with the Sub-processor.
The Processor conducts a Transfer Impact Assessment (TIA) for each US-based Sub-processor to evaluate whether the legal framework in the recipient country provides adequate protection. Details of supplementary measures are described in Annex A.
Data minimization for US transfers: The Processor minimizes personal data sent to US-based Sub-processors. Specifically:
- IPinfo receives only truncated IP addresses (last octet zeroed) for company enrichment
- MaxMind GeoIP database is downloaded and processed locally in the EU; no personal data is sent to MaxMind servers
- Resend receives only the email addresses necessary for transactional email delivery (Controller's own email, not visitor data)
- Paddle processes only the Controller's payment data (not visitor data) and is established in the UK with EU adequacy
8. Data Retention and Deletion
The Processor retains personal data only for as long as necessary for the purposes described in Section 3, subject to:
- Analytics events: Retained for the duration of the Controller's subscription plus 30 days after termination. Default TTL is configurable per website, up to 5 years.
- Account data: Retained until the Controller deletes their account, then deleted after a 30-day grace period.
- Billing records: Retained for 7 years as required by EU invoicing and tax law.
8.1 Deletion upon Termination
Upon termination of the Service agreement, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless EU or Member State law requires storage of the personal data. The Controller may export all data in JSON or CSV format via the dashboard before termination.
8.2 GDPR Erasure Pipeline
The Processor provides a self-service GDPR erasure pipeline via the dashboard Settings page. Upon initiation, a 7-day safety cooldown period applies, after which all associated data is permanently deleted from all storage systems (ClickHouse and PostgreSQL). Deletion is verified and logged.
9. Liability
Each Party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either Party's liability for breaches of data protection law to the extent that such limitation would be prohibited by applicable law.
10. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Slovenia, without regard to its conflict of laws provisions. The courts of Ljubljana, Slovenia have exclusive jurisdiction over any dispute arising from this DPA, without prejudice to the right of a Data Subject to lodge a complaint with a supervisory authority or to bring proceedings before the courts of the Member State where they reside.
11. Amendments
The Processor may update this DPA to reflect changes in applicable law, Sub-processors, or security measures. Material changes will be communicated to the Controller by email at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance. If the Controller does not agree, it may terminate the Service agreement without penalty within that 30-day period.
12. Contact
For questions about this DPA or to exercise rights under it:
Galor Analytics — Data Protection
Email: privacy@galor.group
Web: galor.group
Annex A — Technical and Organizational Measures (TOMs)
Pursuant to GDPR Article 32, the Processor implements the following measures to protect personal data. These measures are reviewed and updated at least annually.
A.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher (TLS 1.3 preferred)
- HTTPS enforced on all endpoints via Traefik reverse proxy with automatic Let's Encrypt certificates
- Database connections use authenticated, encrypted channels
- Passwords are hashed with bcrypt (12 rounds); plaintext passwords are never stored or logged
A.2 Access Control
- Dashboard authentication via session-based auth with secure, httpOnly cookies
- Role-based access control: admin and user roles with distinct permissions
- IDOR (Insecure Direct Object Reference) protection on all API endpoints — non-admin users can only access data for websites explicitly assigned to them
- Rate limiting on authentication endpoints (5 attempts per hour per IP)
- Server infrastructure access restricted to the Processor's personnel via SSH key authentication
A.3 Data Minimization and Pseudonymization
- IP addresses are anonymized by zeroing the last octet before any storage or further processing
- Page URLs are sanitized to remove PII patterns (email addresses, credit card numbers, authentication tokens) before storage
- Email addresses collected via form identification are stored as SHA-256 hashes
- Default mode is cookieless — no persistent identifiers without explicit consent
- Per-session identifiers are random and not linked to any user identity
A.4 Infrastructure Security
- All data stored on Hetzner infrastructure in Nuremberg/Falkenstein, Germany (EU)
- Hetzner is ISO 27001 certified and operates SOC 2 compliant data centers
- Docker containers run as non-root users with limited capabilities
- Container resource limits enforced (memory caps per service)
- Health checks configured on all containers for automated recovery
- Automated daily backups at 03:00 UTC with off-site retention
A.5 Database Security
- ClickHouse (analytics events): authenticated access, network-isolated within Docker network, no public port exposure
- PostgreSQL (account data): authenticated access, network-isolated within Docker network, no public port exposure
- All ClickHouse queries use parameterized queries to prevent injection
- Database credentials stored in environment variables, never committed to source code
A.6 Monitoring and Incident Response
- Uptime monitoring via external service (Uptime Kuma) checking all endpoints every 60 seconds
- Automated alert checks every 5 minutes for anomalous traffic patterns
- Incident response process: detection, containment, eradication, recovery, and post-mortem within 48 hours
A.7 Organizational Measures
- Data protection is a core product principle — the Service is designed as a privacy-first analytics platform
- Access to production systems is limited to essential personnel
- Sub-processors are evaluated for data protection compliance before engagement
- This DPA and the Sub-processor list are publicly available and version-controlled
Annex B — Authorized Sub-processors
The following Sub-processors are authorized by the Controller under Section 6.4 of this DPA. This list is maintained at galor.group/dpa and updated with 30 days' notice.
Last updated: March 2026
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and hosting. All analytics data, account data, and backups are stored on Hetzner servers. | Nuremberg / Falkenstein, Germany (EU) | N/A (EU) |
| IPinfo Inc. | IP-to-company enrichment for lead identification. Receives only truncated IP addresses (last octet zeroed). | San Jose, California, US | EU-US DPF / SCCs |
| MaxMind Inc. | GeoIP database for geographic location detection. Database is downloaded and processed locally on EU infrastructure. No API calls are made; no personal data is transmitted to MaxMind. | Waltham, Massachusetts, US | N/A (local processing only) |
| Resend Inc. | Transactional email delivery for weekly reports, alerts, and team invitations. Receives Controller email addresses only (no visitor data). | San Francisco, California, US | EU-US DPF / SCCs |
| Paddle.com Market Ltd. | Payment processing and subscription management. Paddle is the Merchant of Record. Processes Controller payment data only (no visitor data). | London, United Kingdom | N/A (UK adequacy decision) |
Annex C — Acceptance
This DPA is accepted electronically by the Controller upon registration for the Service. The Controller's account details (company name, email, registration date) serve as the electronic record of acceptance.
If the Controller requires a countersigned copy of this DPA for its records, it may send a signed copy to privacy@galor.group and the Processor will return a countersigned version within 10 business days.
Processor
Galor Analytics
Operated by: Rok Znidar Petelinsek, s.p.
Trading as: galor.agency
Country: Slovenia, European Union
Email: privacy@galor.group
DPA Version: 1.0
Effective Date: March 24, 2026
Controller
Accepted electronically upon registration for the Galor Analytics service. The Controller's registered company name, email address, and registration timestamp constitute the binding acceptance of this DPA.
For a countersigned physical copy, complete the fields below and send to privacy@galor.group:
Company Name
Registration Number
Contact Person
Email Address
Address
Date
Signature