Data Processing Agreement (DPA)

The DPA governs snorklee's processor role when the service measures audience on a customer site. The customer remains the controller: it chooses to use snorklee, selects the measured sites and informs visitors.

#Processing purpose

snorklee processes minimised data to provide audience statistics, technical reports, exports and compliance documents.

Excluded purposes are explicit: no behavioural advertising, no advertising sale or sharing, no cross-site matching, no session replay, no visitor CRM import.

#Data involved

Main categories are viewed pages, authorised events, referrer hostnames, countries/regions, browser/device families, errors, aggregate scroll/click signals and UTM source/medium/campaign when present.

The customer must not send sensitive data, emails, phone numbers, customer identifiers, advertising click IDs or secrets in events, properties or UTMs.

#Security and processors

snorklee applies TLS, access separation, reduced logs, role controls, short raw-event retention and site deletion on request.

Main processors are listed in the privacy policy and in the PDF documents generated from the Compliance tab. They cover hosting, geolocation, transactional email, payment, optional aggregate AI and public audit scans.

#Customer assistance

snorklee assists the customer with access, erasure, export, processor information and security documentation. When there is no stable visitor identifier, visitor erasure is handled by time range or site deletion.

#Signature

The operational DPA is generated and signable from the Compliance tab of the dashboard. This page explains the content in plain language; the signed document prevails if there is a discrepancy.