Data Processing Agreement

Last updated: April 27, 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clycyo ("Data Processor") and you, our customer ("Data Controller"). It sets out the terms, requirements, and conditions under which Clycyo processes personal data on your behalf when you use our analytics services.

1. Definitions and Scope

In the context of this agreement, terms such as "Personal Data," "Processing," "Data Subject," "Data Controller," and "Data Processor" shall have the meanings given to them under the General Data Protection Regulation (GDPR). This agreement applies to all data processed by Clycyo on behalf of the customer through the implementation of our tracking code.

2. Roles and Responsibilities

You act as the Data Controller and determine the purposes and means of the processing of data on your websites. Clycyo acts as the Data Processor, processing data only on your documented instructions as outlined in our Terms of Service and Privacy Policy. Because our standard service relies on anonymization, the personal data entering our systems is immediately hashed and decoupled from any identifiable individual.

3. Processing Details

The subject matter of the processing is the provision of web analytics. The duration of the processing matches the duration of your active subscription. The types of data processed include IP addresses (which are hashed and anonymized instantly), user agent strings, and behavioral metrics (page views, referrers, events). We do not collect names, emails, or other direct identifiers from your website visitors.

4. Security Measures

Clycyo implements comprehensive technical and organizational measures to ensure a level of security appropriate to the risk. This includes encryption of data in transit and at rest, secure logical architectures, access control mechanisms, and continuous monitoring of our infrastructure. We commit to notifying you without undue delay after becoming aware of any personal data breach affecting your data.

5. Sub-processors

You authorize Clycyo to engage sub-processors (such as cloud hosting providers) to deliver the service. We ensure that any sub-processor is bound by written obligations that provide the same level of data protection as this DPA. A list of current sub-processors is available upon request, and we will notify you of any intended changes concerning the addition or replacement of sub-processors.

6. Data Subject Rights

Given the anonymous nature of the analytics data we store, identifying specific data subjects is mathematically infeasible. However, should a data subject request arise that relies on data you control, we will assist you to the extent possible using appropriate technical and organizational measures to fulfill your obligation to respond.

7. Data Deletion

Upon the termination of your account, Clycyo will delete all your data, including analytics records, from our primary systems within 30 days, unless applicable legislation requires longer storage. Archival backups are rotated and securely destroyed according to industry standard timelines.