Data Processing Agreement
Last updated: May 27, 2026
1. Overview
This Data Processing Agreement ("DPA") forms part of the Sleek Analytics Terms of Service and applies when Sleek Analytics processes Customer Personal Data on behalf of a customer in connection with the Service.
For the purposes of applicable data protection laws, including the GDPR and UK GDPR, the customer is the controller of Customer Personal Data and Sleek Analytics is the processor, except where Sleek Analytics processes account, billing, security, or operational data for its own business purposes as described in the Privacy Policy.
2. Definitions
- "Customer Personal Data" means personal data processed by Sleek Analytics on behalf of the customer through the Service.
- "Customer" means the person or entity that creates a Sleek Analytics account or uses the Service.
- "Data Protection Laws" means the privacy and data protection laws applicable to the processing, including the GDPR, UK GDPR, and similar laws where applicable.
3. Subject Matter and Duration
Sleek Analytics processes Customer Personal Data to provide privacy-first website analytics, realtime dashboards, usage measurement, optional revenue reporting, optional AI analytics assistance, optional Telegram digests, support, billing, security, and related product functionality.
The processing continues for the term of the customer's use of the Service and until Customer Personal Data is deleted or returned in accordance with this DPA, the Terms, and the Privacy Policy.
4. Categories of Data
Depending on how the Service is used, Customer Personal Data may include:
- Account data such as name, email address, profile image, authentication provider identifiers, and session metadata.
- Site configuration data such as site name, domain, public site key, plan, usage counters, and sharing settings.
- Analytics event data such as page URL, normalized referrer, event type, event name, event properties provided by the customer, timestamps, session identifiers, pseudonymous visitor identifiers, browser, operating system, device category, country, city, page duration, and web vitals.
- Billing and subscription data such as Stripe customer and subscription identifiers, plan status, invoices, and payment-related metadata processed by Stripe.
- Optional Stripe revenue data, including encrypted restricted API keys, invoice/payment amounts, timestamps, customer email addresses returned by Stripe, charge or invoice identifiers, and product descriptions.
- Optional imported analytics data, such as Plausible export data uploaded or imported by the customer.
- Optional Telegram notification data such as chat identifiers, chat type, Telegram username, timezone, delivery hour, and notification status.
- Optional AI chat prompts and analytics query results used to answer the customer's questions about their analytics data.
Sleek Analytics does not intentionally collect visitor IP addresses for analytics storage and does not set analytics cookies. Customers must not send sensitive personal data, special category data, protected health information, payment card numbers, government identifiers, passwords, or children's data to the Service.
5. Customer Instructions
Sleek Analytics will process Customer Personal Data only on documented customer instructions, including through the Terms, this DPA, the Privacy Policy, product settings, support requests, and customer use of the Service, unless applicable law requires otherwise. If Sleek Analytics believes an instruction violates Data Protection Laws, it will inform the customer unless legally prohibited from doing so.
6. Confidentiality and Access
Sleek Analytics restricts access to Customer Personal Data to personnel and contractors who need access to operate, secure, support, or improve the Service. Those personnel are bound by confidentiality obligations and must follow internal access controls.
7. Security Measures
Sleek Analytics maintains technical and organizational measures designed to protect Customer Personal Data, including:
- Encryption in transit using TLS.
- Encryption at rest where supported by infrastructure providers.
- AES-256-GCM encryption for stored Stripe restricted API keys.
- Role-based and need-to-know access to production systems.
- Use of managed infrastructure providers with physical and network security controls.
- Separation of account/configuration data, analytics event data, and short-lived realtime presence data.
- Logging, monitoring, and operational controls appropriate to the size and nature of the Service.
- Data minimization practices, including cookieless analytics and no intentional storage of visitor IP addresses in analytics events.
8. Subprocessors
The customer authorizes Sleek Analytics to use subprocessors to provide the Service. Sleek Analytics remains responsible for its subprocessors' processing of Customer Personal Data to the extent required by Data Protection Laws.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting, serverless functions, edge delivery, and request routing | United States / global infrastructure |
| Neon | PostgreSQL database hosting for account, site, billing, and configuration data | European Union / United States, depending on deployment |
| ClickHouse or ClickHouse-compatible infrastructure | Analytics event storage and query processing | European Union / United States, depending on deployment |
| Redis-compatible infrastructure | Realtime visitor presence, short-lived cache, and rate/state coordination | European Union / United States, depending on deployment |
| Stripe | Subscription billing, checkout, customer portal, invoices, and optional revenue reporting | United States / global infrastructure |
| Resend | Transactional email delivery, lifecycle notices, and product notifications | United States / global infrastructure |
| Google and GitHub | Optional OAuth sign-in providers | United States / global infrastructure |
| OpenAI | Optional AI chat feature for answering questions about customer analytics data | United States / global infrastructure |
| Telegram | Optional Telegram bot notifications and digest delivery when enabled by the customer | Global infrastructure |
Sleek Analytics may update this list from time to time. If a new subprocessor materially changes the risk profile of the Service, Sleek Analytics will provide reasonable notice through the Service, website, email, or other practical means. Customers may object on reasonable data protection grounds by contacting hello@getsleek.io.
9. International Transfers
Customer Personal Data may be processed in countries other than the customer's country, including the United States and countries where subprocessors operate. Where required by Data Protection Laws, Sleek Analytics will rely on appropriate transfer mechanisms, such as adequacy decisions, standard contractual clauses, or equivalent safeguards.
10. Assistance With Customer Obligations
Taking into account the nature of the processing and information available to Sleek Analytics, Sleek Analytics will provide reasonable assistance with customer obligations related to data subject requests, security, breach notifications, data protection impact assessments, and consultations with supervisory authorities.
Customers are responsible for responding to data subject requests relating to their websites and for configuring the Service in a lawful manner.
11. Security Incidents
If Sleek Analytics becomes aware of a personal data breach affecting Customer Personal Data, it will notify the affected customer without undue delay and provide information reasonably available to help the customer meet its legal obligations. Sleek Analytics will investigate, mitigate, and remediate the incident as appropriate.
12. Deletion and Return
Customers may delete sites or request account deletion. If a customer deletes a site or closes an account, associated analytics data is deleted within 30 days unless a longer retention period is required by law or necessary for legitimate backup, security, billing, or dispute-resolution purposes.
Expired subscription data may be retained for a limited recovery period as described in the Service and then deleted. Short-lived realtime presence data is automatically expired.
13. Audits and Information
Sleek Analytics will make available information reasonably necessary to demonstrate compliance with this DPA. Customers may request additional information by contacting Sleek Analytics. Any audit must be reasonable, limited to the Service, subject to confidentiality, and conducted in a way that does not compromise the security, privacy, or availability of Sleek Analytics or other customers.
14. Customer Responsibilities
The customer is responsible for having a lawful basis for its use of Sleek Analytics, providing required notices to website visitors, configuring event properties appropriately, avoiding the collection of prohibited or sensitive data, and complying with applicable privacy laws for its own websites, applications, and users.
15. Contact
Questions about this DPA or data protection at Sleek Analytics can be sent to hello@getsleek.io.