Data Processing Addendum

This DPA forms part of the agreement between the customer as controller and TrackLayer as processor for personal data submitted to the service. It applies for the duration of the subscription and any post-termination deletion period.

TrackLayer processes personal data only on documented customer instructions, including configuration in the product, API calls, support requests, and the agreement. We will notify the customer if an instruction appears unlawful where required by law.

Processing includes collection, validation, hashing, storage, enrichment, deduplication, identity matching, routing, transmission to configured destinations, diagnostics, support, security monitoring, audit logging, export, deletion, and backup handling.

Data subjects are end users, prospects, customers, leads, subscribers, and website visitors of the controller. Categories may include online identifiers, hashed email or phone, click IDs, cookie IDs, IP address, user agent, consent state, event timestamps, order values, and commerce metadata.

Personnel authorized to process personal data are subject to confidentiality obligations. TrackLayer maintains technical and organizational measures including encryption in transit, access control, logging, monitoring, backup controls, separation of environments, and incident response.

Customers authorize TrackLayer to use subprocessors needed to provide the service. TrackLayer maintains written agreements with subprocessors and publishes the current list at /legal/subprocessors.

Taking into account the nature of processing, TrackLayer assists customers with data subject requests, security obligations, personal data breach notices, DPIAs, prior consultations, audits, exports, and deletion workflows where applicable.

After termination, TrackLayer will delete or return customer personal data according to the agreement and documented customer instructions, unless applicable law requires retention.