Data Processing Agreement

Last updated: December 21, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Rybbit ("Processor", "we", "us") and the customer ("Controller", "you") for the provision of Rybbit's web analytics services ("Services").

This DPA applies to the processing of personal data by Rybbit on behalf of the Controller in connection with the Services, in accordance with applicable data protection laws including the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by Rybbit to process Personal Data on behalf of the Controller.

3. Scope of Processing

Rybbit processes Personal Data solely for the purpose of providing the web analytics Services as described in our Terms of Service and Privacy Policy. The categories of data processed include:

  • Page view and session data
  • Device and browser information
  • Geographic location (country/region level, derived from IP addresses which are not stored)
  • Referrer information
  • Page performance metrics
  • JavaScript errors
  • Session replays
  • Custom events configured by the Controller

4. Processor Obligations

Rybbit agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of the Services, at the Controller's choice
  • Make available information necessary to demonstrate compliance with this DPA
  • Notify the Controller without undue delay of any Personal Data breach

5. Controller Obligations

The Controller agrees to:

  • Ensure there is a lawful basis for the processing of Personal Data
  • Provide any necessary privacy notices to Data Subjects
  • Ensure instructions to Rybbit comply with applicable data protection laws

6. Sub-processors

The Controller authorizes Rybbit to engage Sub-processors for the provision of the Services. Rybbit will inform the Controller of any intended changes to Sub-processors, giving the Controller the opportunity to object. Current Sub-processors include:

  • Hetzner: Servers and storage
  • Cloudflare: Object storage and security
  • Stripe: Payment processing
  • Resend: Email delivery
  • ipapi.is: IP geolocation (IP addresses are processed but not stored)

7. Security Measures

Rybbit implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • Incident response procedures
  • Employee security training

8. International Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), Rybbit ensures appropriate safeguards are in place, such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

9. Data Subject Rights

Rybbit will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including requests for access, rectification, erasure, data portability, and objection to processing.

10. Data Retention

Rybbit retains Personal Data for the duration specified in our Privacy Policy or as agreed with the Controller. Upon termination of the Services, Personal Data will be deleted or returned as requested by the Controller within 30 days.

11. Audits

Rybbit will make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or an appointed auditor, subject to reasonable notice and confidentiality obligations.

12. Term and Termination

This DPA remains in effect for the duration of the Services agreement. The obligations regarding data protection and confidentiality survive termination.

13. Contact

For questions about this DPA or to exercise any rights, please contact us at:hello@rybbit.com