Apstal Logo
Apstal
Get Started

Data Processing Addendum

Updated April 12, 2026

1. Scope and Purpose

This Data Processing Addendum ("DPA") supplements the Apstal Terms of Service and applies where Apstal processes personal data on behalf of the Customer. It reflects the parties' agreement on the processing of personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
  • "Data Controller" means the Customer who determines the purposes and means of processing.
  • "Data Processor" means Apstal, which processes personal data on behalf of the Customer.

3. Roles

The Customer acts as the Data Controller. Apstal acts as the Data Processor. Apstal processes personal data only on documented instructions from the Customer, unless required by law to do otherwise.

4. Categories of Data Processed

Apstal may process the following categories of personal data on behalf of the Customer:

  • IP addresses (anonymized where applicable).
  • Device and browser metadata.
  • Approximate geographic location (country/city level).
  • Page views, session duration, and on-page behavioral events.
  • Referral sources and UTM parameters.

Apstal does not intentionally collect sensitive personal data (e.g., health, financial, biometric data) through its tracking script.

5. Security Measures

Apstal implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and at rest.
  • Access controls and authentication mechanisms.
  • Regular security assessments and monitoring.
  • Incident detection and response procedures.
  • Logical separation of customer data.

6. Sub-processors

Apstal engages a limited number of third-party service providers ("Sub-processors") to assist in delivering the Service. All sub-processors are bound by data protection obligations no less protective than those in this DPA.

We will notify customers of any material changes to our sub-processor list. A current list is available upon written request to [email protected].

7. Data Subject Rights

Apstal will assist the Customer in responding to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, portability, objection, restriction). Such assistance will be provided promptly and to the extent technically feasible.

8. Data Breach Notification

In the event of a personal data breach, Apstal will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, the categories of data affected, and the measures taken or proposed to address it.

9. International Transfers

Where personal data is transferred to a country outside the European Economic Area (EEA) that does not provide an adequate level of data protection, Apstal ensures appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Data Retention and Deletion

Analytics event data is retained based on the Customer's subscription plan: up to 6 months on the Basic plan, up to 12 months on the Premium plan, and custom retention periods for Enterprise accounts. Session replay recordings are retained for 72 hours. Upon termination of the Customer's account or upon written request, Apstal will delete all personal data processed on behalf of the Customer within 30 days, unless retention is required by applicable law.

11. Audit Rights

The Customer may request information reasonably necessary to demonstrate Apstal's compliance with this DPA. Apstal will cooperate with such requests subject to reasonable notice and confidentiality obligations.

12. Duration and Termination

This DPA remains in effect for the duration of the Customer's use of the Service and as long as Apstal retains personal data on behalf of the Customer.

13. Contact

For data processing inquiries or to request the current sub-processor list, contact us at [email protected].