Zenith

Data Processing Agreement

Last updated 10 February 2026

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service and applies when Zenith processes data on behalf of customers in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Roles and definitions

  • Customer (Data Controller) — You, the site owner, who determines the purposes and means of processing visitor data by embedding the Zenith tracking script
  • Zenith (Data Processor) — The entity that processes visitor data on behalf of the Customer in accordance with these terms
  • Data Subjects — Visitors to the Customer's website(s)

Data processing details

Nature and purpose

Zenith processes anonymous website usage data for the purpose of providing the Customer with website analytics. The processing involves collecting pageview and interaction events from the Customer's website visitors and presenting aggregate statistics in the Zenith dashboard.

Categories of data

Zenith processes the data categories described in our Data Policy. Critically:

  • No personal data is stored. IP addresses are used transiently for geolocation and rate limiting, then discarded
  • No cookies or persistent identifiers are used
  • Session identification uses randomly generated IDs stored only in browser sessionStorage
  • No special categories of personal data (as defined in Article 9 of the GDPR) are processed

Duration

Data is processed for the duration of the Customer's subscription and retained according to the plan-specific retention periods (6 months, 1 year, or 2 years). Upon account deletion, all data is permanently removed.

Security measures

Zenith implements the following technical and organisational measures to protect data:

  • All data is encrypted in transit via HTTPS/TLS
  • IP addresses are never stored — only derived geolocation data (country code, city name) is persisted
  • Authentication is managed by Clerk with support for multi-factor authentication
  • Infrastructure access is restricted to authorised personnel
  • The tracking script is served with strict Content-Type headers and input sanitisation to prevent injection attacks

For full details, see our Security page.

Sub-processors

Zenith uses the following sub-processors to deliver the Service:

  • Convex — Database and backend infrastructure
  • Vercel — Application hosting, edge network, and geolocation headers
  • Clerk — Customer authentication and subscription billing
  • Mapbox — Optional map visualisation (receives only city/country names, never IP addresses or visitor data)

We will notify Customers of any changes to sub-processors with reasonable advance notice. No sub-processor has access to raw analytics event data beyond what is necessary to provide the Service.

Processor obligations

  • Zenith processes data only in accordance with the Customer's documented instructions as defined by these terms and the Terms of Service
  • Zenith will notify the Customer without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach
  • Zenith will assist the Customer in responding to data subject access requests, insofar as applicable given the anonymous nature of the data processed
  • Upon termination, Zenith will delete all Customer data in accordance with the retention policy or upon explicit request

Customer obligations

  • The Customer warrants that they have the right to embed the Zenith tracking script on their website(s)
  • The Customer is responsible for providing appropriate privacy notices to Data Subjects (website visitors), informing them of the analytics data collection
  • The Customer is responsible for conducting any required Data Protection Impact Assessments (DPIAs)
  • The Customer must comply with all applicable data protection legislation in their use of the Service

Data deletion

  • Customers can delete individual site data or their entire account from the dashboard at any time
  • Analytics events are automatically deleted after the plan-specific retention period
  • Account deletion permanently removes all associated data

Contact

For questions about this DPA or data processing matters, contact us at jack@jacksportfolio.com.