Data Processing Addendum (DPA)
Last updated: January 2025
1. Purpose
Polixai ("Processor") processes Customer ("Controller") data only for providing analytics insights.
2. Data Types
Polixai may process: GA4 data, Excel/CSV uploads, workspace metadata, and account information. Sensitive personal data should not be uploaded unless explicitly intended by the Customer.
3. Processing Instructions
Polixai processes data only based on Customer actions and instructions. The Customer must ensure compliance with applicable laws.
4. Security Measures
Data is encrypted in transit and at rest. Access is restricted to authorized systems. Full details appear on our Security & Privacy page.
5. Subprocessors
Polixai engages carefully selected subprocessors to assist in delivering our services. These subprocessors process data on our behalf and are subject to data protection obligations consistent with this DPA and applicable law.
Current subprocessors include: OVHcloud (hosting and database, EU), OpenAI (AI processing), Vercel (frontend hosting), Google (Analytics and GA4 API integrations), Snowflake (data processing, when connected by users), and Stripe (payments).
A current list of subprocessors is available upon request. Polixai will notify the Customer of any intended changes to subprocessors, providing an opportunity to object.
6. Data Access & Deletion
Upon request, Polixai will delete account-level metadata and revoke data-source access tokens. Uploaded files may be deleted automatically after processing.
7. Data Subject Rights
The Controller is responsible for responding to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, and restriction. The Processor will provide reasonable assistance to the Controller in fulfilling such obligations, taking into account the nature of the processing.
8. International Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Incident Notification
Polixai will notify the Customer without undue delay if a data breach affects their data.
10. Confidentiality
Personnel with access to Customer data are bound by confidentiality obligations.
11. Termination
Upon termination, Polixai will delete or return Customer data within a reasonable timeframe unless legally required to retain it.
12. Liability
Liability is limited according to the main Terms & Conditions.
13. Contact
privacy@polixai.io
Stockholm, Sweden