Data Processing Agreement
Last updated: December 12, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Loheden AI Solutions AB, a company registered in Sweden ("Processor", "we", "us", or "Respectlytics"), and the entity or individual accepting the Terms of Service ("Controller", "you", or "Customer"), collectively referred to as the "Parties".
This DPA applies to the processing of data by the Processor on behalf of the Controller in connection with the provision of the Respectlytics analytics platform and related services (the "Service").
By using the Service, you agree to be bound by this DPA. This DPA is incorporated by reference into our Terms of Service and applies automatically to all customers without requiring a separate signature.
This DPA is provided for informational purposes and does not constitute legal advice. Privacy regulations vary by jurisdiction and change over time. We recommend consulting with your legal team to determine the specific requirements that apply to your situation.
2. Definitions
For the purposes of this DPA:
- "Controller" means the entity that determines the purposes and means of processing personal data. In the context of this DPA, you are the Controller of any personal data submitted to the Service through your applications.
- "Processor" means the entity that processes personal data on behalf of the Controller. Respectlytics acts as a Processor when processing data submitted through your applications.
- "Data Subject" means an identified or identifiable natural person whose data may be processed.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
- "Sub-processor" means any third party engaged by the Processor to process data on behalf of the Controller.
- "Analytics Data" means the event data submitted to the Service through your applications via our SDK or API.
3. Roles and Responsibilities
3.1 Controller Responsibilities
As the Controller, you are responsible for:
- Determining whether the processing of data through the Service requires a legal basis under applicable privacy regulations in your jurisdiction
- Obtaining any consents, authorizations, or permissions required by applicable law before submitting data to the Service
- Ensuring that you have the lawful right to collect and transmit data to the Processor
- Maintaining a privacy policy in your applications that accurately describes your data collection practices
- Responding to data subject requests where required by applicable law
- Ensuring compliance with all applicable privacy laws and regulations in your jurisdiction
- Consulting with your legal team to determine your specific compliance requirements
You acknowledge that we do not provide legal advice and that you are solely responsible for determining your compliance obligations.
3.2 Processor Responsibilities
As the Processor, Respectlytics will:
- Process Analytics Data only for the purposes described in this DPA and our Privacy Policy
- Process data only on your documented instructions, unless required by law
- Ensure that personnel authorized to process data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests, to the extent technically feasible and as described in Section 9
- Delete or return Analytics Data upon termination of the Service, subject to our data retention policies
- Make available information necessary to demonstrate compliance with our obligations under this DPA
4. Data Processing Details
4.1 Subject Matter and Purpose
The Processor provides analytics services that aggregate and analyze usage data from the Controller's mobile and web applications. The purpose of processing is to provide the Controller with insights into application usage patterns, user engagement, conversion metrics, and related analytics.
4.2 Duration of Processing
Processing continues for the duration of the Controller's use of the Service. Upon termination, Analytics Data is deleted in accordance with our data retention policies as described in our Privacy Policy.
4.3 Categories of Data
The Service is designed with a strict allowlist architecture. The API accepts only the following data fields and rejects any additional data:
- Event name: a string identifier describing the tracked action
- Session identifier: a randomly generated, ephemeral identifier stored only in device memory (RAM)
- Timestamp: the date and time of the event
- Platform: the operating system type (iOS, Android, web)
- Application version: the version string of the application
- Locale: the language and region preference setting
- Device type: general device category
- Operating system version: the version of the device operating system
- Screen name: an optional identifier for the current screen or view
- Country: derived from transient IP address geolocation (two-letter ISO code)
- Region: derived from transient IP address geolocation (state or province)
4.4 Privacy-Focused Architecture
The Service implements session-based analytics with the following privacy characteristics:
- Session identifiers are generated client-side and stored in the client application's memory (browser or app runtime) and are not persisted to device storage such as cookies, localStorage, or files. On the server side, session data exists only transiently during request processing.
- Session identifiers rotate automatically after two hours of continuous use or upon application restart
- IP addresses are processed transiently for geolocation purposes only and are never stored, logged, or retained
- No persistent user identifiers, device identifiers, or advertising identifiers are collected or accepted
- No device fingerprinting techniques are employed
- Cross-session tracking is not possible by design
While session identifiers processed through our Service are anonymized and cannot be linked to individuals by Respectlytics, you as the Controller should assess whether your specific use case involves personal data processing under applicable regulations.
4.5 Data the Service Does Not Accept
The API is architecturally designed to reject the following categories of data. You agree not to attempt to submit:
- Personally identifiable information (names, email addresses, phone numbers, physical addresses)
- Device identifiers (IDFA, IDFV, Android ID, advertising identifiers)
- User account identifiers or customer IDs
- Precise geolocation data or GPS coordinates
- Health, medical, biometric, or genetic data
- Financial information
- Data concerning children
- Any special categories of personal data
Handling of Prohibited Data: If we detect that prohibited data has been submitted to the Service (whether through circumvention of our API controls or otherwise), we will notify you and may delete such data without liability. You remain solely responsible for any regulatory consequences, claims, or damages arising from your submission of prohibited data categories.
5. Sub-processors
5.1 Authorized Sub-processors
By entering into this DPA, you authorize the Processor to engage the following categories of sub-processors. For the current list of specific sub-processors with detailed information, see Section 9 (Third-Party Services) of our Privacy Policy.
- Infrastructure Provider: Cloud infrastructure provider operating EU-based data centers. Our servers and databases are deployed exclusively within EU regions.
- Payment Processor: Payment processing and subscription management. Processes Controller account data (email address, subscription details) for billing purposes.
- Email Service Provider: Email delivery for transactional and marketing communications to Controllers.
Note: The MaxMind GeoLite2 database is used locally within our infrastructure for IP geolocation. No data is transmitted to MaxMind; the database files are downloaded and queries are performed entirely within our own systems.
Where sub-processors are located outside the European Economic Area, we ensure appropriate safeguards are in place in accordance with applicable data protection regulations.
5.2 Sub-processor Obligations
We impose data protection obligations on our sub-processors that are no less protective than those in this DPA. We remain liable for the acts and omissions of our sub-processors to the same extent we would be liable if performing the services directly, subject to the limitations of liability in our Terms of Service.
5.3 Changes to Sub-processors
We may update our list of sub-processors from time to time. Material changes will be communicated through the Service or our website. Your continued use of the Service after such notification constitutes acceptance of the new sub-processor.
6. Data Location and Transfers
All Analytics Data is processed and stored within the European Union. Our servers, databases, and primary infrastructure are located exclusively in EU member states.
Some sub-processors may process data outside the European Economic Area. Where such transfers occur, we use appropriate safeguards recognized under applicable privacy regulations, which may include:
- Adequacy decisions by relevant authorities
- Standard contractual clauses
- Binding corporate rules
- Other legally recognized transfer mechanisms
7. Security Measures
The Processor implements technical and organizational measures designed to protect Analytics Data, including:
- Encryption of data in transit using TLS/HTTPS
- Encryption of data at rest in our databases
- Access controls and authentication requirements for system access
- Rate limiting and abuse prevention mechanisms
- Regular security reviews and updates
- Logging and monitoring for security incidents
- Strict 11-field allowlist architecture that rejects any extra data at the API level
- Transient IP address processing with immediate discard after geolocation lookup
While we implement these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
8. Data Breach Notification
In the event of a security incident involving Analytics Data that we determine constitutes a breach requiring notification under applicable law, we will:
- Notify affected Controllers without undue delay after becoming aware of the breach
- Provide information about the nature of the breach, categories of data affected, and measures taken or proposed to address the breach
- Cooperate with Controllers in fulfilling their breach notification obligations, to the extent applicable
Given our session-based architecture and the nature of the data we process, the risk and impact of a data breach are significantly reduced compared to traditional analytics services. Session identifiers are random, ephemeral, and cannot be used to identify individuals.
9. Data Subject Requests
If you receive a request from a data subject regarding Analytics Data processed through the Service, we will assist you in responding to such request to the extent technically feasible.
However, you acknowledge that:
- Analytics Data collected through our session-based architecture generally cannot be linked to identifiable individuals
- Session identifiers are random, ephemeral, and cannot be used to identify or contact data subjects
- We do not collect names, email addresses, user IDs, or other identifiers that would allow us to locate a specific individual's data
- IP addresses are processed transiently and never stored, making it impossible to identify data based on IP address
- As a result, we may not be able to identify or retrieve a specific data subject's information within our Analytics Data
For data subject requests related to your account data (email address, subscription information), you may contact us at the address provided in Section 15.
10. Data Retention and Deletion
We retain Analytics Data for a maximum of twenty-four months from the date of collection, after which it is automatically and permanently deleted.
Upon termination of your account:
- Your API keys will be invalidated immediately
- Analytics Data associated with your applications will be deleted within thirty days
- Account data will be deleted within thirty days, except where retention is required for legal, tax, or accounting purposes
You may request early deletion of Analytics Data by contacting us, subject to any applicable legal retention requirements.
11. Audits and Compliance
Upon reasonable request and subject to appropriate confidentiality obligations, we will make available information necessary to demonstrate our compliance with this DPA.
Given the nature of our Service and the limited categories of data we process, we believe that the information provided in this DPA, our Privacy Policy, and our Terms of Service adequately describes our data processing practices.
For enterprise customers with specific audit requirements, please contact us to discuss arrangements.
12. Controller Instructions
You instruct us to process Analytics Data for the following purposes:
- Receiving and storing event data submitted through our SDK and API
- Aggregating and analyzing event data to generate usage statistics and insights
- Providing access to Analytics Data through the dashboard
- Deriving approximate geographic location from transiently processed IP addresses
- Maintaining the security and integrity of the Service
If you require processing for additional purposes, please contact us. We may decline instructions that we believe would violate applicable law or this DPA.
13. Limitation of Liability
The limitations of liability set forth in our Terms of Service apply to this DPA. To the maximum extent permitted by applicable law:
- Our total cumulative liability arising out of or related to this DPA shall not exceed the greater of (a) the amounts you paid to us for the Service in the twelve months preceding the claim, or (b) one hundred United States dollars (USD $100)
- We shall not be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages
- We shall not be liable for any losses arising from your failure to comply with your obligations as a Controller, including failure to obtain necessary consents or comply with applicable privacy regulations
You agree to indemnify us against any claims, damages, or expenses arising from your breach of this DPA or your failure to comply with your obligations as a Controller.
14. Governing Law and Dispute Resolution
This DPA shall be governed by and construed in accordance with the laws of Sweden, without regard to its conflict of law provisions.
For business users: Any dispute arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the competent courts of Sweden. By using the Service for business purposes, you irrevocably submit to the exclusive jurisdiction of the Swedish courts and agree that:
- All disputes must be resolved exclusively in the courts of Sweden
- The decisions and judgments of Swedish courts shall be final and binding
- You waive any objection to venue or jurisdiction in Swedish courts
For consumer users: If you are a consumer in a jurisdiction where exclusive jurisdiction clauses are not enforceable against consumers under mandatory consumer protection laws, disputes shall be resolved in accordance with such mandatory laws.
15. Contact Information
For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact us:
Loheden AI Solutions AB
Vretavägen 26
71993 Vintrosa
Sweden
Email: [email protected]
16. Changes to This DPA
We may update this DPA from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this document
- Notify registered users via email or through the Service, where practicable
- Post a notice on our website
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated DPA.