Data Processing Agreement

This Data Processing Agreement (the DPA) is entered into between you (the customer, acting as Controller for the personal data of visitors to your websites) and Spreenovate GmbH, operator of mcp-analytics (acting as Processor) when you embed our tracking snippet on a site you own or operate. It forms part of, and is incorporated into, our Terms of Service.

Last updated June 2026. If you need a countersigned PDF copy for your records, write us at info@mcp-analytics.com and we will return one within five business days.

1. Parties and roles

For the personal data of your visitors, you are the Controller and we are the Processor. We process this data only on your documented instructions, as set out in this DPA and our public documentation.

For the personal data of you, the account holder (your email, your API tokens), we are the Controller. That relationship is governed by the privacy policy, not this DPA.

2. Subject matter, duration, nature, and purpose

Subject matter

Processing of pseudonymous event data emitted by your website visitors when they load pages instrumented with the mcp-analytics tracking snippet.

Duration

For as long as you maintain an active mcp-analytics account and have not requested deletion. Raw event data is automatically deleted by ClickHouse TTL 2 years after collection.

Nature

Ingestion, hashing, storage, aggregation, and querying of event data on your behalf. No automated decision-making, no profiling for purposes other than the aggregate analytics you query.

Purpose

To provide you with web analytics that you can query through Claude or any other MCP-capable client, replacing a traditional analytics dashboard.

3. Types of personal data and categories of data subjects

Data subjects: visitors to your websites and users of any product you have instrumented.

Personal data we process per pageview / event:

• Timestamp, event name, URL path, URL host
• Referrer host (and path in balanced / all privacy modes)
• UTM parameters (source, medium, campaign)
• Full User-Agent string (used for bot classification)
• Browser, browser version, operating system, device class (derived from User-Agent)
• Timezone, browser language, viewport size, color-scheme preference (from privacy-clean Web APIs)
• Engagement time and scroll depth (fired on page-leave)
• A traffic-class label (user, ai_user_action, ai_search, ai_training, search_index, social_unfurl, scanner, bot_other)
• Custom event properties you choose to send via mcpa('track', ...)
• A pseudonymous session_id and visitor_id derived from the visitor's IP, User-Agent, your per-site salt, and (in strict mode) a daily-rotating server salt

What we do not process: raw IP addresses are not persisted in the analytics database. The IP is used in-memory to compute the visitor and session hash, then discarded. The single narrow exception is our anti-abuse table (abuse_events), which records the IP of clients that repeatedly send invalid payloads to our ingest endpoint (legal basis: Art. 6 (1)(f), legitimate interest in service availability). Those records are not used for analytics and are not joined with visitor data.

Special-category data under Art. 9 GDPR is not collected and we ask that you do not transmit any to us via custom event properties.

4. Obligations of the Processor (Art. 28(3) GDPR)

4.1 Processing only on documented instructions

We process personal data only on your documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by Union or Member State law. The documented instructions consist of this DPA, the privacy modes you choose per site, the tracking snippet configuration you deploy, and any custom event properties you send.

4.2 Confidentiality

Anyone we authorise to process personal data under this DPA is subject to a confidentiality obligation, either by contract or by professional duty. Today, the only authorised person is the company managing director.

4.3 Security of processing (Art. 32 GDPR)

The technical and organisational measures we maintain include:

• TLS 1.3 in transit, no plaintext analytics endpoints
• At-rest encryption on the host filesystem (LUKS)
• SHA-256 hashing for all session and visitor identifiers, with daily-rotating salt in strict mode
• Tokens stored as SHA-256 digests, never in plaintext
• Principle-of-least-privilege access to production: SSH key, no password auth, no shared accounts
• Automated backups of account data, encrypted at rest, 30-day retention
• Rate limiting on every public endpoint to mitigate brute-force and abuse
• OAuth 2.1 with PKCE and Dynamic Client Registration; no client secrets shared with public clients
• Audit log of OAuth consent and token-issuance events

4.4 Sub-processors

You authorise us to engage the sub-processors listed in section 6 below. We will notify you at least 30 days in advance of any new sub-processor via the email on your account, giving you the opportunity to object. If you object on reasonable data-protection grounds, you may terminate the affected service with pro-rata refund of any prepaid fees.

Each sub-processor is bound by a written contract that imposes substantially the same data-protection obligations as set out in this DPA.

4.5 Assistance with data-subject rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). In practice, because visitor records are pseudonymous, the typical path is bulk deletion via your account or a targeted query you provide us.

4.6 Assistance with controller obligations

We assist you in ensuring compliance with Art. 32 (security), Art. 33 (breach notification), Art. 34 (communication to data subjects), Art. 35 (data-protection impact assessments), and Art. 36 (prior consultation), taking into account the nature of the processing and the information available to us.

4.7 Personal-data-breach notification

We will notify you of a personal data breach affecting your data without undue delay and in any case within 72 hours of becoming aware of it. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

4.8 Return or deletion at end of services

At your choice, we will delete or return all personal data after the end of the services and delete existing copies, unless Union or Member State law requires storage of the personal data. The default on account deletion is full irreversible erasure within 30 days.

4.9 Audit rights

We will make available to you all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. In the interest of proportionality, we ask that audit requests be made in writing with at least 30 days notice, that audits be limited to once per calendar year absent a documented incident, and that the auditor be bound by confidentiality.

5. International data transfers

All processing of analytics events takes place inside the European Union (Hetzner Falkenstein, Germany). The single international transfer is to Postmark (ActiveCampaign LLC, USA) for the delivery of transactional emails to you, the account holder. That transfer is covered by the EU-U.S. Data Privacy Framework certification held by ActiveCampaign LLC, supplemented by the European Commission's Standard Contractual Clauses (2021/914) where relevant.

No visitor analytics data is transferred to Postmark or to any other non-EU recipient.

6. Sub-processors

The current list of sub-processors authorised under this DPA:

Sub-processor	Purpose	Location	Transfer mechanism
Hetzner Online GmbH	Infrastructure (compute, storage, networking) for the application and ClickHouse	Falkenstein, Germany	Intra-EU, no transfer mechanism required
ActiveCampaign LLC (Postmark)	Transactional email delivery to the account holder (verification links, plan notices)	USA	EU-U.S. Data Privacy Framework + SCCs (2021/914)

Material changes to this list, including additions and replacements, will be notified by email to your account address at least 30 days in advance.

7. Retention and deletion

• Raw events in ClickHouse: 2 years from ingestion, then automatic delete via TTL
• Materialised aggregate views: same 2-year horizon as the underlying events
• Account data: until you request deletion
• OAuth tokens: refresh tokens expire 90 days after last use; access tokens 1 hour after issuance
• Verification tokens: 24 hours, purged after use
• Abuse-related IP records: 30 days, then automatic purge
• kamal-proxy access logs (host-level): rotated at 10 MB per container, no centralised retention

8. Liability

Each party is liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the controller. Other limitations of liability set out in the Terms of Service apply.

9. Term and termination

This DPA enters into force when you begin sending events to mcp-analytics and continues for as long as we process personal data on your behalf. On termination, the deletion obligation in section 4.8 applies.

10. Governing law and jurisdiction

This DPA is governed by the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules. The courts of Berlin, Germany have exclusive jurisdiction over disputes arising out of or in connection with this DPA, subject to any non-derogable consumer-protection rules where you, as a controller, qualify as a consumer in your jurisdiction.

11. Contact

For all DPA-related questions, breach notifications, sub-processor objections, or audit requests, contact us at info@mcp-analytics.com. We aim to respond within five business days.