TrackOfferz
Legal

Data Processing Agreement

Last updated: 2026-06-06

Start free trial Contact us
14-day free trial No credit card required Cancel any time Self-host or managed

This Data Processing Agreement ("DPA") forms part of the Terms of Service between S. P. Techno Solution Private Limited (operating TrackOfferz) ("Processor") and the network operator ("Controller") and applies to the processing of personal data carried out by the Processor on the Controller's behalf. Where the Controller processes personal data of data subjects in the EEA, UK, or Switzerland, this DPA incorporates the Standard Contractual Clauses described in Section 8.

1. Roles and scope

The Controller determines the purposes and means of processing the click and conversion data routed through the platform; the Processor processes that personal data solely to provide the tracking, attribution, fraud-prevention, reporting, and notification services, and only on the Controller's documented instructions (including those given through the dashboard and configuration). The Processor will inform the Controller if, in its opinion, an instruction infringes applicable data-protection law.

2. Nature of processing

  • Subject matter: affiliate click/conversion tracking and analytics.
  • Categories of data subjects: visitors who click a publisher tracking link; the Controller's publishers and advertisers.
  • Categories of personal data: IP address (optionally anonymised), user agent, device/OS/browser, approximate location, click/transaction identifiers, sub-IDs, and hashed conversion identifiers (e.g. hashed email/phone).
  • Special categories: none are intentionally processed; the Controller agrees not to route special-category data through the platform.
  • Duration: for the term of the Terms of Service, subject to the retention controls in Section 6.

3. Confidentiality

The Processor ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations and access it on a least-privilege, need-to-know basis.

4. Security measures (Art. 32)

The Processor maintains appropriate technical and organisational measures, including: encryption in transit (TLS); memory-hard password hashing and optional MFA; per-tenant logical isolation; server-side sessions with instant revocation; hashing of conversion PII with a per-tenant pepper; optional IP anonymisation; least-privilege infrastructure access; and logging and monitoring. Measures are reviewed periodically and may be updated provided protection is not materially reduced.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed on the Sub-processors page, each under terms no less protective than this DPA. The Processor will give notice before adding or replacing a sub-processor; the Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith toward a resolution.

6. Retention and data minimisation

The Controller configures IP anonymisation, consent gating, and the retention window from its dashboard. Absent a shorter configured window, click events are retained for 13 months and conversion events for 36 months, after which they are automatically deleted. Data routed without a consent signal, where the Controller has enabled consent gating, is not persisted with identifying fields.

7. Assistance to the Controller

  • Data subject rights: the platform lets the Controller look up, export, and erase a data subject's click/conversion records directly. The Processor will provide reasonable additional assistance for requests it cannot self-serve.
  • Personal data breach: the Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with the information reasonably available to assist the Controller's own notification obligations.
  • DPIAs: the Processor will provide reasonable assistance with data-protection impact assessments and prior consultations.

8. International transfers

The Processor operates from India, which is not subject to an EU adequacy decision. For transfers of EEA/UK/Swiss personal data, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor, 2021/914) and, for UK data, the UK International Data Transfer Addendum, which are deemed executed on acceptance of this DPA. The technical measures in Section 4 serve as supplementary measures.

9. Audit

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits.

10. Deletion or return

On termination of the services, the Processor will delete or return the Controller's personal data within a commercially reasonable period, except where retention is required by law. Routine deletion also occurs automatically under the retention controls in Section 6.

11. General

This DPA is governed by the law stated in the Terms of Service. In case of conflict between this DPA and the Terms on the subject of data protection, this DPA prevails. The Standard Contractual Clauses prevail over both in case of conflict regarding international transfers.

To execute a countersigned copy of this DPA for your records, contact privacy@trackofferz.com.