Sign inCreate Free Account
DPA

Data Processing Agreement

How UserTrail processes customer personal data when acting as a processor for website analytics.

Last updated: June 6, 2026

Purpose

This Data Processing Agreement describes how UserTrail processes personal data on behalf of customers when providing website analytics, heatmaps, session replay, funnels, journeys, forms, surveys, and related services.

This DPA is incorporated into the UserTrail subscription terms where a customer uses UserTrail to process personal data from website visitors.

This page is provided as a practical DPA summary and should be reviewed with legal counsel before being relied on as a formal legal agreement.

Roles

For visitor data collected from a customer website, the customer is typically the controller and UserTrail is typically the processor. For UserTrail account, billing, security, product usage, and support data, UserTrail may act as an independent controller.

Processing instructions

UserTrail processes customer personal data only to provide the service, follow customer configuration, comply with applicable law, protect the service, and fulfil written customer instructions.

Categories of data

  • Website interaction data such as URLs, page paths, clicks, scroll depth, movement samples, session identifiers, visitor identifiers, device/browser metadata, timestamps, and referrers.
  • Customer-configured survey responses and form interaction metadata.
  • Account and team data such as email addresses, permissions, site details, and support messages.
  • Technical logs needed for security, debugging, abuse prevention, and service reliability.

Customer obligations

  • Provide required notices and obtain required visitor consents before using UserTrail.
  • Add the tracking script only after consent where consent is required.
  • Configure masking, exclusions, retention, and access controls appropriately.
  • Avoid collecting sensitive data, passwords, payment details, or private content through UserTrail.
  • Respond to data subject requests where the customer is controller.

Subprocessors

UserTrail uses subprocessors to host, store, transmit, and support the service. Current subprocessors are listed on the Subprocessors page. UserTrail remains responsible for subprocessors used to process customer personal data.

Security measures

  • Authentication and role-based access controls for dashboard users.
  • Least-privilege access to infrastructure and customer data where operationally feasible.
  • Staff do not have direct access to customer data as part of normal operations.
  • Internal-only database access in production infrastructure where configured.
  • Daily database backups.
  • Monitoring, logging, and incident response processes appropriate to the service.
  • Reasonable technical and organisational measures to protect confidentiality, integrity, and availability.

Data subject requests

Where UserTrail acts as processor, UserTrail will reasonably assist the customer with access, deletion, export, correction, restriction, or objection requests where technically possible and where sufficient identifiers are provided.

Deletion and return

On termination or written request, UserTrail will delete or return customer personal data where technically feasible, subject to legal obligations, security logs, backups, and legitimate retention needs.

International transfers

If personal data is transferred internationally, UserTrail will rely on applicable safeguards such as adequacy decisions, Standard Contractual Clauses, the UK IDTA/Addendum, or other lawful transfer mechanisms as required.

Contact

For DPA requests, contact info@usertrail.io.