Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between BetterMeter, operated by Paraito Inc. ("Processor", "we", "us"), and the entity or person agreeing to these terms ("Controller", "Customer", "you"). This DPA applies to the processing of Personal Data by BetterMeter on behalf of the Customer in connection with the BetterMeter analytics service ("Service").

This DPA is effective as of March 22, 2026 and replaces any prior data processing terms between the parties. By using the Service, you agree to this DPA. If you are accepting on behalf of your employer or another entity, you represent that you have full legal authority to bind that entity to this DPA.

1. Definitions

The following definitions apply throughout this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Controller" means the Customer, who determines the purposes and means of the Processing of Personal Data.
  • "Processor" means BetterMeter (Paraito Inc.), who processes Personal Data on behalf of the Controller in accordance with the Controller's documented instructions.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Applicable Data Protection Law" means Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR"), and any applicable national implementing legislation, as well as any other applicable data protection or privacy laws, including but not limited to the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and the California Consumer Privacy Act (CCPA) to the extent applicable.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope of Processing

This section describes the nature, purpose, and scope of the Processing carried out by BetterMeter on behalf of the Customer.

2.1 Categories of Data Subjects

  • Visitors to the Customer's websites and web applications
  • Users of the Customer's CLI tools
  • Users interacting with the Customer's MCP servers
  • Consumers of the Customer's APIs

2.2 Types of Personal Data Processed

  • Hashed IP addresses (SHA-256 with daily rotating salt — raw IP addresses are never stored)
  • Page URLs and referrer URLs
  • Browser type and version (user agent string)
  • Operating system and device type
  • Screen width
  • Timezone
  • Geolocation data derived from IP address (country, region, city — resolved at ingestion time, before the IP is discarded)
  • Custom event names and properties as configured by the Customer

2.3 Purpose of Processing

BetterMeter processes Personal Data solely for the purpose of providing the Service to the Customer, which includes:

  • Web analytics (page views, sessions, referrer analysis)
  • CLI tool usage analytics
  • MCP server usage analytics
  • API usage analytics
  • Bot and crawler detection and classification
  • AI traffic attribution
  • Brand monitoring services
  • Generating aggregated, anonymised reports and dashboards for the Customer

2.4 Duration of Processing

BetterMeter will process Personal Data for the duration of the service agreement between the parties, plus any applicable data retention period as described in Section 12 (Term and Termination). Analytics data is retained for the lifetime of the Customer's account unless the Customer requests earlier deletion.

3. Roles and Responsibilities

The parties acknowledge and agree to the following allocation of data protection roles:

  • Customer as Controller: The Customer is the Controller for all analytics data collected from their website visitors, CLI tool users, MCP server users, and API consumers. The Customer determines which sites and tools to track, which events to collect, and how the resulting analytics data is used.
  • BetterMeter as Processor: BetterMeter acts as the Processor for analytics data, processing it solely on the Customer's documented instructions and for the purpose of providing the Service.
  • BetterMeter as Controller: BetterMeter acts as an independent Controller for Customer account data (such as email address, name, and authentication credentials) that is necessary for providing and managing access to the Service. This account data is processed in accordance with the BetterMeter Privacy Policy.

BetterMeter shall not process Personal Data for any purpose other than providing the Service as described in this DPA and the Agreement. BetterMeter shall not sell, rent, or otherwise commercially exploit Personal Data, nor shall it combine Personal Data from different Customers.

4. Processing Instructions

BetterMeter processes Personal Data only in accordance with the Customer's documented instructions. The Customer's instructions are constituted by:

  1. This DPA and the Agreement;
  2. The Customer's Service configuration, including which sites to track, which events to collect, and which analytics features to enable;
  3. Any additional documented instructions provided by the Customer in writing.

BetterMeter shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law. BetterMeter shall not be required to assess the legality of the Customer's instructions but shall act in good faith to flag potential concerns.

BetterMeter shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security Measures

BetterMeter implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, in accordance with Article 32 of the GDPR.

5.1 Technical Measures

  • IP address hashing: All IP addresses are hashed using SHA-256 with a daily rotating salt at ingestion time. Raw IP addresses are never written to persistent storage. This ensures that individual visitors cannot be identified from stored data.
  • Encryption in transit: All data transmitted between the Customer's properties and BetterMeter's servers is encrypted using HTTPS/TLS 1.2 or higher.
  • Encryption at rest: All stored data is encrypted at rest. The primary database (hosted by Neon Inc. on AWS) uses AES-256 encryption. The event queue (hosted by Upstash Inc.) uses encryption at rest for all stored data.
  • No cookies: BetterMeter does not use cookies, localStorage, or any form of persistent client-side storage for visitor tracking.
  • No fingerprinting: BetterMeter does not engage in browser fingerprinting or cross-site tracking. Visitor uniqueness is determined by a daily hash that cannot be reversed or used to track individuals across days.
  • No PII collection: The tracking script does not collect names, email addresses, or any directly identifying information from tracked visitors.
  • API key security: Customer API keys are stored as SHA-256 hashes. Plaintext keys are shown only once at creation time and cannot be recovered.
  • Network isolation: Database and queue services are not directly accessible from the public internet and are accessed through authenticated, encrypted connections.

5.2 Organisational Measures

  • Access control: Role-based access control is enforced for all Customer data. Team members may be assigned Owner, Admin, or Viewer roles with corresponding permissions.
  • Principle of least privilege: Internal access to production systems is restricted to authorised personnel and limited to the minimum necessary for operational and support purposes.
  • Security reviews: Regular security reviews of the event processing pipeline, authentication flows, and data storage mechanisms are conducted.
  • Incident response: BetterMeter maintains an incident response process for identifying, containing, and remediating security incidents.
  • Employee obligations: All personnel with access to Personal Data are bound by confidentiality obligations.

6. Sub-processors

The Customer provides general authorisation for BetterMeter to engage the following Sub-processors for the Processing of Personal Data. The current list of Sub-processors is:

| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, cron jobs | United States | All event data (in transit) |
| Neon Inc. | PostgreSQL database hosting | United States (AWS us-east-1) | All stored analytics and account data |
| Upstash Inc. | Redis event queue | United States | Event data (temporary, typically less than 1 minute) |
| Google LLC | OAuth authentication provider | United States | Customer email and name (authentication only) |
| GitHub Inc. | OAuth authentication provider | United States | Customer email and name (authentication only) |
| Resend Inc. | Transactional email delivery | United States | Customer email addresses |
| SerpAPI LLC | Brand monitoring search data | United States | Search queries, domain names |

6.1 Sub-processor Changes

BetterMeter will notify the Customer at least 30 days before engaging a new Sub-processor or replacing an existing Sub-processor. Notification will be provided via email to the Customer's registered account email address.

The Customer may object to a new Sub-processor by providing written notice to BetterMeter within 14 days of receiving the notification. If the Customer objects, BetterMeter will use reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-processor. If no alternative is reasonably available, either party may terminate the affected portion of the Service.

6.2 Sub-processor Obligations

BetterMeter imposes data protection obligations on each Sub-processor by way of a written contract that provides at least the same level of protection as this DPA, in accordance with Article 28(4) of the GDPR. BetterMeter remains fully liable for the performance of each Sub-processor's obligations.

7. International Data Transfers

BetterMeter's infrastructure is located in the United States. To the extent that the Processing of Personal Data involves a transfer of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or any other country that has not received an adequacy decision from the European Commission, the following safeguards apply:

  1. Standard Contractual Clauses: BetterMeter relies on the Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism. Module Two (Controller to Processor) applies to the transfer of analytics data. The SCCs are hereby incorporated by reference into this DPA.
  2. UK International Data Transfer Addendum: For transfers from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner) is incorporated by reference.
  3. Swiss Data Protection: For transfers from Switzerland, the SCCs apply with the modifications required under the Swiss Federal Act on Data Protection (FADP).
  4. Supplementary measures: BetterMeter implements the technical measures described in Section 5 (Security Measures) as supplementary measures to the SCCs, including IP hashing, encryption in transit and at rest, and the absence of cookies or fingerprinting.

BetterMeter ensures that each Sub-processor involved in international data transfers provides appropriate safeguards in accordance with Applicable Data Protection Law.

8. Data Breach Notification

BetterMeter will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's data.

8.1 Notification Content

The notification will include, to the extent reasonably available:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • The name and contact details of the point of contact where more information can be obtained;
  • A description of the likely consequences of the Personal Data Breach;
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

8.2 Cooperation

BetterMeter will cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach. BetterMeter will also provide reasonable assistance to the Customer in fulfilling the Customer's obligation to notify supervisory authorities and Data Subjects, where required under Applicable Data Protection Law.

9. Data Subject Rights

BetterMeter will assist the Customer, by appropriate technical and organisational measures insofar as this is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including the rights of:

  • Access (Article 15 GDPR)
  • Rectification (Article 16 GDPR)
  • Erasure / right to be forgotten (Article 17 GDPR)
  • Restriction of processing (Article 18 GDPR)
  • Data portability (Article 20 GDPR)
  • Objection (Article 21 GDPR)

9.1 Privacy-First Design Limitations

Due to BetterMeter's privacy-first architecture — specifically, the use of hashed identifiers with daily rotation and the absence of raw IP address storage — it is generally not possible to identify a specific Data Subject within the analytics data. This design choice is intentional and serves the principle of data minimisation under Article 5(1)(c) of the GDPR.

Where BetterMeter cannot identify a Data Subject in the analytics data, Articles 15 to 20 of the GDPR do not apply, in accordance with Article 11 of the GDPR, unless the Data Subject provides additional information enabling their identification.

9.2 Site-Level Deletion

BetterMeter provides the Customer with functionality to delete an entire site and all associated analytics data. This permanently and irreversibly removes all event data, aggregated statistics, and configuration for the specified site.

10. Audit Rights

BetterMeter will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

  • The Customer must provide at least 30 days' written notice before conducting an audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt BetterMeter's operations.
  • The Customer may conduct no more than one audit per twelve-month period, unless required by a supervisory authority or following a Personal Data Breach.
  • The Customer shall bear the costs of any audit it initiates, unless the audit reveals material non-compliance by BetterMeter.
  • Where reasonable, BetterMeter may satisfy audit requests by providing relevant documentation, third-party audit reports, or certifications in lieu of permitting on-site access.
  • The Customer and its auditors shall maintain the confidentiality of all information obtained during the audit.

11. Data Protection Impact Assessment

BetterMeter will provide reasonable assistance to the Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR, to the extent that the Customer does not otherwise have the information necessary and such information is available to BetterMeter.

12. Term and Termination

This DPA shall remain in effect for the duration of BetterMeter's Processing of Personal Data on behalf of the Customer.

12.1 Data Deletion on Termination

Upon termination of the service agreement, BetterMeter will, at the Customer's choice:

  1. Delete all Customer Personal Data within 30 days of termination; or
  2. Return all Customer Personal Data to the Customer in a standard, machine-readable format, and subsequently delete all copies within 30 days.

The Customer may request data export at any time during the term of the Agreement. If no instructions are received within 30 days of termination, BetterMeter will proceed with deletion.

12.2 Survival

The obligations of confidentiality and data protection set out in this DPA shall survive the termination or expiry of the Agreement. Sections 5 (Security Measures), 8 (Data Breach Notification), and 10 (Audit Rights) shall survive for as long as BetterMeter retains any Personal Data processed under this DPA.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any claims by Data Subjects or fines imposed by supervisory authorities under Applicable Data Protection Law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the governing law of the Agreement, except to the extent that Applicable Data Protection Law requires the application of the law of another jurisdiction. For Processing subject to the GDPR, the applicable provisions of EU law shall apply. For Processing subject to the UK GDPR, the applicable provisions of UK law shall apply.

15. Modifications

BetterMeter may update this DPA from time to time to reflect changes in Applicable Data Protection Law, our processing activities, or our Sub-processor list. We will notify the Customer of any material changes at least 30 days before they take effect. Continued use of the Service after the effective date of a revised DPA constitutes acceptance of the updated terms.

16. Contact

For any questions, requests, or concerns relating to this Data Processing Agreement, please contact us at:

Email: dpa@bettermeter.com

For general privacy inquiries, please refer to our Privacy Policy.

Last updated: March 22, 2026