Data Processing Agreement

Effective: 1 May 2026 · Last updated: 11 May 2026

This Data Processing Agreement ("DPA") forms part of the Trackflowy Terms of Service between Solo Funnels ("Trackflowy", "Processor") and the Customer named on the Trackflowy account ("Customer", "Controller"). It applies whenever Trackflowy processes personal data on the Customer's behalf in providing the Service, and supplements our Privacy Policy. Customers can accept this DPA in-product or request a countersigned copy at privacy@trackflowy.com.

1. Definitions

Capitalised terms not defined here have the meanings given in the Terms of Service or, where used, in the GDPR.

  • "Applicable Data Protection Law" means all laws applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and any successor or analogous legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Trackflowy on the Customer's behalf in connection with the Service.
  • "End User" means a natural person whose personal data is processed by Trackflowy on the Customer's behalf — typically a visitor to a website or property the Customer controls.
  • "Subprocessor" means any third party engaged by Trackflowy to process personal data on the Customer's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission in Decision 2021/914 for the transfer of personal data to third countries, as amended or replaced.
  • "Processing", "Controller", "Processor", "Data Subject" have the meanings given in GDPR Article 4.

2. Roles of the Parties

The Customer is the Controller of the personal data processed under this DPA. Trackflowy is the Processor and processes personal data only on the Customer's documented instructions, as set out in this DPA and the Terms of Service.

The Customer's documented instructions for the purposes of GDPR Article 28(3)(a) are the Terms of Service, this DPA, the configurations the Customer makes within the Service (for example, the destinations and conversion goals they create), and any additional written instructions given in support tickets or admin tools.

Where Trackflowy uses de-identified, aggregated data derived from the Customer's personal data for its own legitimate purposes (including service improvement, security, and statistical analysis) in a manner that cannot reasonably re-identify any End User, Trackflowy acts as an independent Controller for that activity, and will only do so in compliance with Applicable Data Protection Law.

3. Scope of Processing

The subject matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of Data Subjects are described in Annex I below.

4. Customer Obligations

The Customer represents and warrants that:

  • it has all rights, consents, notices, and lawful bases required by Applicable Data Protection Law to authorise the processing carried out by Trackflowy on its behalf;
  • where the Service is deployed to End Users in the EEA, the UK, Switzerland, or any jurisdiction with an active "cookie law" or equivalent regime, the Customer has obtained valid, prior consent (or has another applicable legal basis under that regime) before any Trackflowy script reads from or writes to an End User's device;
  • its instructions to Trackflowy comply with Applicable Data Protection Law; and
  • it will not use the Service to process special categories of personal data (GDPR Article 9), criminal offence data, payment card numbers, government identifiers, passwords, or other particularly sensitive information.

The Customer will respond to Data Subject requests it receives directly. Trackflowy will provide reasonable assistance under §7.

5. Trackflowy's Obligations as Processor

Trackflowy will:

  • Process only on instructions — process personal data only on the Customer's documented instructions, including with regard to transfers, unless required to do otherwise by EU, Member-State, or other applicable law, in which case Trackflowy will inform the Customer of that legal requirement in advance unless prohibited from doing so.
  • Confidentiality — ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
  • Security — implement appropriate technical and organisational measures, as set out in Annex II.
  • Subprocessors — engage subprocessors only on the terms of §8.
  • Assistance — with Data Subject rights (§7), security/breach/DPIA obligations (§9, §10), and deletion or return of data at the end of processing (§11).
  • Records — maintain a record of processing activities carried out on the Customer's behalf, available on reasonable request.
  • Audit — make available the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, as set out in §12.
  • Notify of contravening instructions — inform the Customer immediately if, in Trackflowy's opinion, an instruction infringes Applicable Data Protection Law.

6. Assistance with Data Subject Rights

Trackflowy will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).

Where Trackflowy receives a Data Subject request directly relating to personal data it processes on the Customer's behalf, Trackflowy will, unless prohibited by law, forward the request to the Customer without undue delay and will not respond to it directly, except to confirm receipt and to refer the Data Subject to the Customer.

The Customer may submit Data Subject request escalations to privacy@trackflowy.com. Trackflowy will respond within thirty (30) days.

7. Subprocessors

The Customer gives Trackflowy general written authorisation to engage the subprocessors listed in our Privacy Policy.

Trackflowy will give the Customer at least thirty (30) days' prior notice of any addition or replacement of a subprocessor, by updating the published list and, where practical, notifying the Customer's account administrator by email or in-app notice. The Customer may object on reasonable data-protection grounds within that period; if the parties cannot in good faith resolve the objection, the Customer may terminate the part of the Service that depends on the new subprocessor and receive a pro-rata refund of pre-paid fees for the unused period.

Trackflowy will impose on each subprocessor, by written contract, data-protection obligations no less protective than those in this DPA, and remains liable to the Customer for the acts and omissions of its subprocessors as if they were Trackflowy's own.

8. Security and Breach Notification

Trackflowy will implement and maintain the technical and organisational measures described in Annex II.

Trackflowy will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting the Customer's personal data. The notice will include, to the extent then known: the nature and likely consequences of the breach; the categories and approximate number of Data Subjects and records affected; the measures taken or proposed to address the breach; and the contact details of Trackflowy's point of contact.

Trackflowy will cooperate with the Customer in good faith and provide reasonable assistance with the Customer's own notification obligations. Trackflowy's notification of, or response to, a breach is not an acknowledgement of fault or liability.

9. DPIAs and Prior Consultation

Trackflowy will provide the Customer with reasonable assistance, taking into account the nature of the processing and the information available to Trackflowy, with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Applicable Data Protection Law.

10. Deletion and Return of Personal Data

On termination or expiry of the Service, Trackflowy will, at the Customer's choice, delete or return to the Customer all personal data processed on the Customer's behalf and delete existing copies, unless retention is required by EU, Member-State, or other applicable law. This mirrors the account-deletion process described in our Privacy Policy.

Trackflowy may retain personal data in encrypted, isolated backups for up to ninety (90) days after deletion has been requested, after which time all backups containing such data will be overwritten or destroyed in the ordinary backup rotation. During this period, the deleted data will not be used or made available for any active processing other than backup restoration in response to a security incident.

11. Audit Rights

The Customer may, at its own expense and not more than once in any twelve-month period (unless an audit is required by a competent supervisory authority or follows a personal data breach), audit Trackflowy's compliance with this DPA, on at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with Trackflowy's operations or the security of other customers' data, and subject to reasonable confidentiality undertakings.

Trackflowy may satisfy its audit obligations by providing a recent third-party audit report (for example, SOC 2 Type II or ISO 27001) or by completing the Customer's standard security questionnaire, as long as the information provided is sufficient to demonstrate compliance with this DPA.

12. International Data Transfers

The parties acknowledge that Trackflowy operates a globally distributed Service on Cloudflare's edge network, and that personal data may be transferred to, or processed in, jurisdictions outside the EEA, the UK, or Switzerland.

To the extent such a transfer requires an Article 46 GDPR (or analogous UK GDPR / FADP) transfer mechanism, the parties incorporate by reference the EU Standard Contractual Clauses in Decision 2021/914 — Module Two (controller-to-processor) where Trackflowy acts as the Customer's processor, and Module Three (processor-to-processor) where the Customer is itself a processor for an underlying controller — governed by the law of Ireland, with the competent supervisory authority being the Irish Data Protection Commission.

For transfers subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office. For transfers subject to the Swiss FADP, the parties apply the SCCs as varied by Swiss Federal Data Protection and Information Commissioner guidance.

The parties will, where reasonably required, carry out and document a transfer impact assessment in good faith.

13. CCPA / CPRA — Service Provider Status

Where the CCPA / CPRA applies, Trackflowy is a "Service Provider" (and not a "Third Party") with respect to Personal Information processed on the Customer's behalf. Trackflowy will not sell or share Personal Information; will not retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the Service and the limited purposes permitted under CCPA / CPRA §1798.140(e); will not retain, use, or disclose Personal Information outside the direct business relationship with the Customer; and will not combine Personal Information received from the Customer with Personal Information from other sources, except as expressly permitted under that section.

Trackflowy will notify the Customer if it determines that it can no longer meet its obligations under this section.

14. Liability and Order of Precedence

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law, including any liability a Data Subject may pursue directly against either party under GDPR Article 82.

If there is any conflict between this DPA, the Terms of Service, the SCCs, or the UK IDTA, the order of precedence (highest first) is: (1) the SCCs and UK IDTA, in respect of restricted transfers; (2) this DPA; (3) the Terms of Service.

Annex I — Description of Processing

Subject matter, nature and purpose: Trackflowy provides link tracking, click analytics, conversion attribution, and related tools for content creators and businesses. Processing consists of receiving, storing, analysing, and presenting click and conversion data generated by End Users of the Customer's marketing properties.

Duration: for the term of the Customer's subscription to the Service, plus the post-termination retention period set out in §10.

Categories of Data Subjects: the Customer's authorised users (the Controller's own staff), and End Users (visitors who click a Customer's tracking link, or who visit a property on which a Customer has installed the Trackflowy script).

Categories of Personal Data: account data of the Customer's staff (name, email address, hashed password, 2FA secret and recovery codes, session metadata); End-User click and conversion data (short-link identifier, timestamp, truncated IP address, User-Agent, referrer URL, click ID, conversion event type and value where supplied by the Customer, and any custom event metadata supplied by the Customer); and support communications.

Special categories of data: none. Customers may not use the Service to process special categories of personal data (GDPR Article 9), criminal offence data, payment data, or government identifiers.

Retention: account data, click and conversion records, and audit logs are retained for the life of the Customer's account, as described in our Privacy Policy.

Annex II — Technical and Organisational Security Measures

Trackflowy implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Pseudonymisation and encryption: TLS 1.2+ in transit for all Customer and End-Visitor traffic; at-rest encryption of the underlying storage (Cloudflare D1); passwords stored only as one-way hashes (PBKDF2); End-Visitor IP addresses truncated before storage.
  • Confidentiality, integrity, availability and resilience: Cloudflare's globally distributed network and DDoS protection; daily automated backups of the production database, retained for at least 30 days; multi-region replication of Customer account data.
  • Restoration of availability after an incident: documented disaster-recovery procedures with backups tested at least annually; point-in-time recovery available for the primary database.
  • Regular testing and evaluation: static analysis, dependency-vulnerability scanning, and automated CI security checks on each release; Sentry error monitoring with PII scrubbing in front-end and back-end SDKs.
  • Access management: role-based access control inside the Service; mandatory 2FA for all Trackflowy staff with production access; least-privilege, logged, and reviewed access.
  • Data protection by design and by default: consent-required tracking mode available out of the box; customer-facing settings to opt out of cross-site identifiers; a published, versioned subprocessor list.
  • Incident response: 72-hour breach notification (§8); a documented incident-response runbook.
  • Transfers under GDPR Chapter V: SCCs and UK IDTA as set out in §12; transfer impact assessments on request.

Contact

For questions about this DPA, or to request a countersigned copy, contact us at privacy@trackflowy.com.