Data Processing Agreement (DPA)

Last updated: April 24, 2026

This page is the customer-facing template of the Art. 28(3) GDPR Data Processing Agreement under which Statnive processes personal data on behalf of customers of statnive.live (SaaS) and the WordPress plugin's paid Pro tiers.

Parties

Processor:

Herr Parhum Khoshbakht
Schiffenberger Weg 1
35394 Giessen
Germany

Email: support@statnive.com

Controller: the customer entity identified in the order form.

Subject matter and duration

Statnive processes personal data only on the documented instructions of the controller, for the duration of the underlying subscription, plus a 30-day export window after termination.

Nature and purpose of processing

Privacy-first web analytics: cookieless visit attribution, channel grouping, traffic quality scoring, and (where enabled) WooCommerce or commerce revenue attribution.

Categories of data subjects

Visitors to the controller's web properties.

Categories of personal data

  • Hashed visitor identifiers (rotating-salt SHA-256, no raw IP persisted).
  • HTTP request metadata (path, referrer, UTM parameters).
  • Geo-coarse country and region (no city, no postcode).
  • Device and browser categorisation (no fingerprint).

Sub-processors

The current list of sub-processors is published on the privacy policy page and updated within 7 days of any upstream change. Customers receive 30 days' notice by email of any new sub-processor before it processes their data.

Location of processing

EU/EEA only. Hosted on Netcup VPS in Nuremberg, Germany. Self-hosted deployments are processed wherever the customer chooses to deploy the binary; in that case Statnive is not a processor for the customer's data.

Technical and organisational measures (TOMs)

  • Cookieless tracker. No localStorage, sessionStorage, or fingerprinting.
  • Daily-rotating salts; raw IPs never persisted.
  • SHA-256 or stronger in every security path. No SHA-1, no MD5.
  • Tracker payloads validated server-side via hostname allowlist (per-site key check).
  • Encrypted at rest (full-disk LUKS) and in transit (TLS 1.2+).
  • Backups encrypted and stored within EU/EEA.
  • Access strictly need-to-know; audit-logged.

Data subject rights

Statnive provides export and erasure tools that the controller can invoke directly, plus engineering support for any rights request that requires manual handling, at no additional cost.

Audit rights

The controller may audit Statnive's compliance once per year on 30 days' notice; security questionnaires and penetration-test summaries are available on request without additional audit.

How to sign

Email support@statnive.com with your legal entity name and contact. We countersign within five business days.

Get Statnive Free