Data Processing Agreement (DPA)
Last updated: 2026-03-18
1. Parties
This Data Processing Agreement ("DPA") is entered into between the user of the service ("Data Controller") and AuraMetrics.io ("Data Processor"), operated by its owner with contact address at hello@aurametrics.io. This DPA supplements the AuraMetrics.io Terms of Service and Privacy Policy.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR. "Processing" includes any operation performed on personal data, including collection, storage, use, transmission and deletion. "Subprocessor" means any third party engaged by the Processor to assist in the processing of personal data.
3. Scope of processing
AuraMetrics.io processes personal data exclusively to provide the services contracted by the user. Data processed includes:
- Email address (authentication via Google OAuth)
- Name and profile photo (from Google account)
- Google Analytics 4 data (read-only access; processed temporarily, with raw data not stored permanently)
- URLs and domains analyzed by the modules
- Audit history generated by the modules
We do not process sensitive data, children's data, or biometric data. We do not sell, share, or use personal data for advertising.
3b. Google Analytics Data Usage
AuraMetrics.io accesses Google Analytics 4 data using read-only permissions in order to provide analytics and reporting features within the platform.
This data is used exclusively to:
- Analyze event tracking and configuration (Data Quality Audit)
- Detect issues such as missing events, duplicated conversions, or inconsistencies
- Generate reports and store audit results within the user's account
- Identify and measure traffic sources, including AI-generated traffic (AI Traffic module)
- Display aggregated metrics such as sessions, conversions, and revenue within dashboards
AuraMetrics.io may store processed and derived data (such as audit results, detected issues, and summarized metrics) to provide historical insights and reporting functionality.
AuraMetrics.io does not store raw Google Analytics data permanently. Any temporary caching is used only to display data in the dashboard and is deleted within a limited time.
Data Sharing and Use Restrictions
- AuraMetrics.io does not sell, share, or disclose Google Analytics data or any derived data to third parties.
- User data is used solely to provide the functionality of the platform and generate insights for the user.
- AuraMetrics.io does not use Google user data for advertising, profiling, or resale.
User Control and Data Deletion
Users retain full control over their data. Users can:
- Disconnect their Google account at any time
- Revoke access via Google Security Settings
- Request deletion of their data stored in AuraMetrics
Upon account deletion, all associated data (including audit history and processed reports) is permanently deleted within a defined period.
4. Legal basis for processing
Processing is based on: (a) performance of the service contract (Art. 6(1)(b) GDPR), (b) explicit user consent when connecting their Google account (Art. 6(1)(a) GDPR), and (c) legitimate interest to improve the service and prevent fraud (Art. 6(1)(f) GDPR).
5. Processor obligations
AuraMetrics.io commits to:
- Process personal data only according to the Controller's documented instructions
- Ensure that persons authorized to process data commit to confidentiality
- Implement appropriate technical and organizational measures to ensure security of processing (Art. 32 GDPR)
- Not engage subprocessors without prior authorization (see subprocessor list)
- Assist the Controller in responding to data subject rights requests
- Notify the Controller of any data breach within 72 hours
- Delete or return all personal data at the end of the service
6. Security measures
AuraMetrics.io implements the following measures:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (Supabase with AES-256 encryption)
- OAuth 2.0 authentication (no password storage)
- Google access tokens with automatic refresh and read-only scope
- Row Level Security (RLS) in the database, so each user sees only their own data
- No credit card data storage (processed by PayPal)
- Access monitoring and audit logs
7. Subprocessors
AuraMetrics.io uses the following subprocessors to provide the service. The complete and updated list is available on our Subprocessors page.
8. International data transfers
Data may be transferred outside the European Economic Area (EEA) to servers of our subprocessors in the United States. These transfers are made under: (a) Standard Contractual Clauses (SCCs) approved by the European Commission, (b) the EU-U.S. Data Privacy Framework where applicable, and (c) additional security measures described in Section 6.
9. Data subject rights
Users have the right to access, rectify, delete, port and restrict the processing of their personal data pursuant to Articles 15-22 of the GDPR. To exercise these rights, contact: hello@aurametrics.io. We will respond within 30 days.
To request complete deletion of your account and data, send an email to hello@aurametrics.io with the subject "Data deletion request" from the email address associated with your account.
10. Data retention
Personal data is retained while the user's account is active. Audit history is retained for 12 months. After account deletion, all personal data is deleted within 30 days. Anonymized system logs may be retained for up to 90 days for security purposes.
11. Data breach notification
In the event of a security breach affecting personal data, AuraMetrics.io will notify the Data Controller within 72 hours of becoming aware of the breach, including: nature of the breach, categories and number of affected data subjects, likely consequences, and measures taken or proposed.
12. Term and termination
This DPA takes effect when the user creates an account and remains in force while the user uses the service. Upon termination, AuraMetrics.io will delete all personal data in accordance with Section 10, unless the law requires its retention.
13. Contact
For inquiries related to this DPA or data protection:
Email: hello@aurametrics.io
This DPA complies with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK GDPR. By using AuraMetrics.io, the user accepts the terms of this agreement.