Data Processing Agreement
Last updated: April 24, 2026
1. Parties
This DPA is entered into between:
- Tracergram (the “Processor”), the operator of the Tracergram service; and
- the customer who has registered for and is using the Tracergram service (the “Controller” or “Customer”).
Each a “Party” and together the “Parties”.
2. Background and purpose
The Customer has subscribed to the Tracergram service (the “Service”), which provides marketing analytics, conversion tracking and ad attribution for the Customer’s website visitors and Telegram audience. In providing the Service, the Processor processes Personal Data on behalf of the Customer. This DPA sets out the terms governing that processing in accordance with Article 28 of the EU General Data Protection Regulation 2016/679 (“GDPR”) and, where applicable, the UK GDPR.
In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters of data protection.
3. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. “Personal Data”, “Processing”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in Articles 4 and 28 GDPR.
4. Subject matter, duration, nature and purpose of the Processing
| Item | Details |
|---|---|
| Subject matter | Processing of Personal Data necessary to provide the Service. |
| Duration | The term of the Customer’s subscription to the Service, plus any retention period set out in Section 12. |
| Nature and purpose | Collection, storage, organisation, retrieval, transmission and deletion of visit and conversion data for the purpose of providing marketing analytics and ad-attribution functionality to the Customer. |
| Categories of Data Subjects | Visitors to the Customer’s websites, landing pages, and Telegram channels, groups and bots that the Customer has connected to the Service. |
| Categories of Personal Data | Pseudonymous visitor identifier; IP address; browser user-agent; referrer URL; page URL; UTM parameters; click identifiers (e.g. fbclid, gclid); Telegram user ID, username and first name (where the Data Subject interacts with the Customer’s Telegram bot); event metadata such as group joins, message events, link clicks, deposit/conversion events; timestamps. |
| Special categories | None intended. The Customer shall not submit special-category data (Art. 9 GDPR) to the Service. |
5. Roles of the Parties
The Customer is the controller of the Personal Data processed via the Service. The Processor is a processor acting on behalf of the Customer and shall process Personal Data only on the Customer’s documented instructions, including those set out in this DPA, the Terms of Service, and the Customer’s configuration of the Service.
The Processor shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
6. Customer’s obligations
The Customer represents and warrants that it has a valid legal basis (including, where required, valid consent) for the Processing of Personal Data through the Service. The Customer is responsible for:
- providing all required notices to Data Subjects (e.g. in its privacy policy and cookie/consent banner);
- collecting and managing any required consents;
- responding to Data Subject requests, except for the Processor’s assistance obligations under Section 10; and
- ensuring that its use of the Service complies with applicable law.
7. Processor’s obligations
The Processor shall:
- process Personal Data only on the Customer’s documented instructions, except where required to do so by Union or Member-State law (in which case the Processor shall inform the Customer of that legal requirement before Processing, unless prohibited by law);
- ensure that persons authorised to process Personal Data are bound by confidentiality obligations of a comparable standard to this DPA;
- implement appropriate technical and organisational measures as set out in Annex II (“TOMs”) to ensure a level of security appropriate to the risk;
- assist the Customer, taking into account the nature of the Processing, with appropriate technical and organisational measures, in fulfilling its obligations to respond to Data Subject requests and to comply with Articles 32–36 GDPR;
- at the choice of the Customer, delete or return all Personal Data after the end of the provision of the Service, in accordance with Section 12; and
- make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR.
8. Sub-processors
The Customer grants the Processor general written authorisation to engage Sub-processors for the provision of the Service. The list of current Sub-processors is set out in Annex III below.
The Processor shall:
- impose written contractual obligations on each Sub-processor that are no less protective than those in this DPA;
- remain fully liable to the Customer for the performance of each Sub-processor’s data-protection obligations; and
- notify the Customer in advance of any intended addition or replacement of a Sub-processor, giving the Customer at least thirty (30) days to object on reasonable data-protection grounds. If the Customer objects and the Parties cannot agree a resolution, the Customer may terminate the affected portion of the Service.
9. International transfers
The Processor shall not transfer Personal Data outside the European Economic Area or the United Kingdom unless an appropriate transfer mechanism is in place, including:
- an adequacy decision under Article 45 GDPR;
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, for UK transfers, the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and apply automatically to any such transfer; or
- another lawful transfer mechanism under Chapter V GDPR.
Where the EU SCCs apply, the Parties agree that Module Two (Controller-to-Processor) applies between the Parties; Module Three (Processor-to-Sub-processor) applies between the Processor and any non-EEA Sub-processor; the optional docking clause is included; Clause 7 governs disputes; Clause 11(a) independent dispute resolution is not included; and the Annexes to the SCCs are completed by reference to Annexes I–III of this DPA.
10. Assistance with Data Subject requests, DPIAs and authority enquiries
Taking into account the nature of the Processing, the Processor shall provide reasonable assistance to the Customer, by appropriate technical and organisational measures, to fulfil the Customer’s obligations to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (including access, rectification, erasure, restriction, portability and objection).
The Processor shall, on request and where strictly necessary, assist the Customer with:
- data-protection impact assessments (Art. 35 GDPR);
- prior consultations with supervisory authorities (Art. 36 GDPR); and
- responses to requests or investigations by supervisory authorities.
The Processor may charge a reasonable fee for assistance that exceeds standard support, except where the assistance is required because of the Processor’s own non-compliance.
11. Personal Data Breaches
The Processor shall notify the Customer of a confirmed Personal Data Breach affecting the Customer’s Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware of it.
The notification shall include, to the extent then known: the nature of the Breach; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address the Breach and mitigate its effects. The Processor shall reasonably cooperate with the Customer in investigating and remediating the Breach.
12. Return or deletion of data
Upon termination or expiry of the Service, the Processor shall, at the Customer’s choice, delete or return all Personal Data processed on behalf of the Customer, and delete existing copies, unless Union or Member-State law requires storage of the Personal Data.
Unless the Customer instructs otherwise, the Processor shall delete the Customer’s Personal Data within ninety (90) days of termination. Backup copies will be deleted in accordance with the Processor’s standard backup-rotation cycle, not exceeding thirty-five (35) days thereafter.
13. Audits
The Processor shall make available to the Customer all information reasonably necessary to demonstrate compliance with Article 28 GDPR.
The Customer may, no more than once per twelve (12) month period (and at any time following a Personal Data Breach affecting the Customer), audit the Processor’s compliance with this DPA. The Processor may satisfy this obligation by providing:
- up-to-date third-party certifications (e.g. ISO 27001, SOC 2) or audit reports; or
- responses to a reasonable written security questionnaire.
An on-site audit, where strictly necessary and not satisfied by the above, shall be conducted on at least thirty (30) days’ written notice; at the Customer’s expense; by the Customer or an independent auditor (not a competitor of the Processor) bound by confidentiality; and carried out so as not to disrupt the Processor’s operations or compromise the confidentiality of other customers’ data.
14. Liability
The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Tracergram Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law.
15. Term and termination
This DPA takes effect when the Customer accepts the Terms of Service and continues for as long as the Processor processes Personal Data on behalf of the Customer. Sections 12 (deletion/return), 13 (audits) and any other provisions intended to survive termination shall survive.
16. Governing law and order of precedence
This DPA is governed by the same law and jurisdiction as the Tracergram Terms of Service, without prejudice to any mandatory rights of Data Subjects under the GDPR.
In the event of conflict between (i) the EU SCCs, (ii) this DPA, and (iii) the Terms of Service, the order of precedence is: (i) > (ii) > (iii).
17. Contact
Questions, deletion requests, sub-processor objections, and requests for a counter-signed copy of this DPA should be sent to support@tracergram.com.
Annex I — Description of the Processing
A. Parties
As set out in Section 1.
B. Description of Transfer
- Categories of Data Subjects: visitors to the Customer’s websites/landing pages and users of the Customer’s Telegram channels, groups and bots that are connected to the Service.
- Categories of Personal Data: pseudonymous visitor identifier; IP address; browser user-agent; referrer; page URL; UTM parameters; click IDs (e.g. fbclid, gclid); Telegram user ID, username and first name; event metadata (group joins, message events, link clicks, deposit/conversion events); timestamps.
- Special-category data: none.
- Frequency of transfer: continuous, for the duration of the Service.
- Nature of Processing: collection, storage, structuring, retrieval, analysis, transmission and deletion to provide marketing analytics and ad-attribution.
- Purpose: provision of the Service to the Customer.
- Retention period: for the duration of the Service plus the deletion period in Section 12.
- Onward transfers: to Sub-processors listed in Annex III, under the safeguards in Section 9.
C. Competent Supervisory Authority
The supervisory authority of the EEA Member State in which the Customer is established, or — where the Customer is not established in the EEA — the supervisory authority of the EEA Member State chosen in accordance with Clause 13 of the SCCs.
Annex II — Technical and Organisational Measures (TOMs)
The Processor implements at least the following measures:
- Access control — role-based access to production systems; multi-factor authentication for staff; least-privilege principle; access logged and reviewed periodically.
- Encryption — TLS 1.2+ for data in transit; encryption at rest for the production database; encryption of sensitive credentials (e.g. customer-supplied tokens) using authenticated symmetric encryption.
- Network security — segregated production environment; firewall and security-group rules restricting inbound traffic; DDoS protection at the edge.
- Application security — secure software-development lifecycle; dependency scanning; rate-limiting and input validation on public endpoints; protection against OWASP Top 10 risks.
- Logging and monitoring — centralised application and access logs; alerting on suspicious activity; uptime monitoring.
- Backups and resilience — automated backups with documented retention; periodic restore testing.
- Pseudonymisation — visitors are identified by a randomly generated pseudonymous identifier rather than directly identifying data.
- Confidentiality — staff bound by written confidentiality obligations; data-protection training.
- Sub-processor management — written contracts with all Sub-processors; due-diligence reviews.
- Incident response — documented breach-response procedure with defined notification timelines.
- Deletion — documented procedures for deletion of Personal Data on termination or on Data Subject request.
The Processor reviews these measures regularly and may update them, provided the level of protection is not reduced.
Annex III — Approved Sub-processors
The Customer authorises the following Sub-processors as of the Effective Date. The Processor will publish updates to this list on this page.
| Sub-processor | Service provided | Location of Processing |
|---|---|---|
| Hetzner Online GmbH | Application and database hosting / infrastructure | Helsinki, Finland (EU) |
| Stripe Payments Europe Ltd. | Payment processing for Customer subscriptions | Ireland (EU) / US (under SCCs) |
Note: Meta, Google, TikTok and similar advertising platforms to which the Customer transmits conversion events via their server-side APIs are independent controllers of that data, not Sub-processors of Tracergram. Their handling of that data is governed by the Customer’s direct relationship with each platform.
For any questions about this DPA, contact support@tracergram.com.