This Data Processing Agreement (“DPA”) forms an integral part of the Terms and Conditions (the “Terms”) entered into between STRACKR, and the Client, being the legal or natural person subscribing to the Service.
STRACKR and the Client are hereinafter individually referred to as a “Party” and collectively as the “Parties”.
Any other capitalized term used herein shall have the meaning assigned to it in the Terms.
1. Scope and Duration
This DPA governs the processing of Personal Data carried out by STRACKR as Processor on behalf of the Client in connection with the provision of the Service, in compliance with the Terms and article 28 GDPR.
This DPA forms an integral part of the contractual terms governing the relationship between STRACKR and the Client, together with the Subscription Agreement, the Terms, the Privacy Policy and the Cookie Policy.
This DPA shall enter into force on the effective date of the Subscription Agreement and shall remain in effect for the duration of the Subscription Agreement, for as long as STRACKR processes Personal Data on behalf of the Client in connection with the Service.
Upon termination or expiration of the Subscription Agreement, STRACKR shall cease processing Personal Data on behalf of the Client, except to the extent necessary to comply with applicable legal obligations or with the data retention provisions set out in the Terms and the Privacy Policy.
The provisions of this DPA relating to confidentiality, security of processing and deletion or return of Personal Data shall survive termination for so long as STRACKR retains Personal Data on behalf of the Client.
2. Role of the Parties
For the purposes of the Processing covered by this DPA:
- The Client acts as a Data Controller within the meaning of Article 4(7) GDPR.
- STRACKR acts solely as a Data Processor within the meaning of Article 4(8) GDPR.
As such, STRACKR does not determine the purposes for which Client Data or Affiliate Data are collected or processed and does not act as a controller with respect to such data. STRACKR processes such data on documented instructions from the Client, reflected in the Terms, the Subscription Agreement and this DPA, unless required to do so by Union or Member State law.
3. Purpose of Processing
STRACKR processes Personal Data only to the extent necessary for the performance of the Services under the Client’s instructions, and more particularly, exclusively for the following purposes:
- aggregation of affiliate data from Third-Party Platforms connected by the Client;
- synchronization and normalization of such data;
- generation of consolidated dashboards and reports for the Client;
- technical maintenance and security of the Service.
STRACKR shall not use Client Data for its own purposes, including marketing, profiling, or commercial exploitation.
4. Categories of Data Subjects
Depending on the configuration of the Service by the Client and the Third-Party Platforms connected by the Client, the Personal Data processed by STRACKR on behalf of the Client may relate to the following categories of individuals:
- Authorized Users accessing the Service under the Client’s Account;
- representatives, employees or business contacts of the Client whose information may appear in Client Data;
- individuals whose information appears within Affiliate Data originating from Third-Party Platforms connected to the Service by the Client.
STRACKR does not intentionally collect or process personal data relating to end-users of the Client’s websites or services, and the Service is not designed to perform behavioural tracking or advertising profiling of such end-users.
The categories of Data Subjects depend exclusively on the Client Data and Affiliate Data made available through Third-Party Platforms connected by the Client.
5. Categories of Personal Data Processed
Depending on the configuration of the Service by the Client and the Third-Party Platforms connected by the Client, the Personal Data processed by STRACKR on behalf of the Client may include, where applicable:
- professional identification data relating to individuals associated with the Client or its partners (such as name, professional email address or user identifiers);
- pseudonymous identifiers associated with affiliate accounts or publisher profiles;
- identifiers or references relating to transactions recorded by affiliate platforms (including transaction-level tracking parameters) which may be provided to STRACKR as part of transaction data, it being specified that STRACKR processes such identifiers solely as technical or pseudonymous strings and does not have access to the Client’s underlying datasets or any additional information that would enable it to directly identify a natural person.
Certain technical or transactional data processed through the Service, such as:
- transaction identifiers,
- timestamps,
- commission metrics,
- API credentials, or system identifiers
may constitute Personal Data only where such data can be linked, directly or indirectly, to an identifiable natural person. Whether such information qualifies as Personal Data depends on the context of its use and the datasets connected by the Client.
STRACKR does not intentionally collect or process personal data relating to end-users of the Client’s websites or services.
In particular, STRACKR does not collect standard direct identifiers of end-users (such as email addresses, IP addresses or phone numbers) through its Service, unless such data is expressly included by the Client within custom tracking parameters, in which case STRACKR remains unable to interpret or attribute such data to an identifiable individual.
For the avoidance of doubt, STRACKR does not independently determine the categories of Personal Data processed through the Service. Such categories depend solely on the configuration of Third-Party Platforms and the data sources selected by the Client.
The Client shall not transmit or make accessible to STRACKR any Personal Data falling within the special categories of data defined under Article 9 GDPR or any data relating to criminal convictions within the meaning of Article 10 GDPR. STRACKR does not intend to process such categories of data through the Service.
6. Responsibility
6.1. Client’s Responsibility
The Client, acting as Data Controller within the meaning of Article 4(7) GDPR, shall bear the sole responsibility for determining the purposes and means of the processing of Personal Data contained in Client Data and Affiliate Data made available through the Service.
In particular, the Client shall be responsible for:
- determining and documenting the lawful basis for the processing of Personal Data under Article 6 GDPR;
- the legality, accuracy and relevance of the Client Data and Affiliate Data made available through the Service, including ensuring that these data do not infringe any applicable law or third-party rights;
- ensuring that the processing of Personal Data and Affiliate Data through the Service complies with applicable data protection laws;
- ensuring that the connection and use of Third-Party Platforms comply with applicable legal and contractual requirements;
- providing all information required under Articles 13 and 14 GDPR to Data Subjects where applicable;
- responding to requests from Data Subjects exercising their rights under Articles 15 to 22 GDPR.
The Client warrants that:
- it has determined a valid legal basis under Article 6 GDPR for the processing of Personal Data contained in Client Data;
- it has obtained any required consent where applicable;
- it is authorized to transmit or make accessible such Personal Data to STRACKR.
The Client acknowledges that STRACKR is not the source of the collection of Affiliate Data and does not determine the means by which such data are collected by the Client or by Third-Party Platforms.
6.2. Strackr’s Responsibility
STRACKR shall be responsible only for the processing operations carried out under its control in connection with the provision of the Service, and solely to the extent required under applicable data protection laws.
STRACKR undertakes to:
- process Personal Data only on behalf of the Client and in accordance with the documented instructions reflected in the Terms, this DPA and the configuration of the Service by the Client;
- guarantee the confidentiality of the Personal Data;
- ensure that persons authorized to process the data are subject to confidentiality obligations;
- limit access to the data to only those persons who need it for the performance of the Mission;
- implement appropriate technical and organisational measures to ensure the security of the data processed in accordance with Article 32 of the GDPR, including where appropriate:
  - encryption of data in transit and at rest;
  - access control mechanisms;
  - authentication and authorization management;
  - infrastructure monitoring and logging;
  - backup and disaster recovery procedures;
- inform the Client of any personal data breach as soon as possible after becoming aware of it, in accordance with Article 33.2 of the GDPR;
- make available to the controller all information necessary to demonstrate compliance and allow for and contribute to audits, in accordance with Article 28(3)(h) of the GDPR.
STRACKR shall not be responsible for:
- the legality of Client Data or Affiliate Data;
- the collection of Personal Data by the Client or by Third-Party Platforms;
- the accuracy, completeness or lawfulness of data originating from Third-Party Platforms;
- the Client’s compliance with its obligations as Data Controller.
STRACKR does not determine the purposes or essential means of the Processing of Personal Data contained in Client Data or Affiliate Data.
The technical functionalities of the Service, including the aggregation, processing, visualisation and reporting of Affiliate Data, constitute purely technical means necessary to provide the Service and shall not be interpreted as determining the purposes of Processing.
Nothing in this DPA shall be interpreted as creating joint controllership between STRACKR and the Client within the meaning of Article 26 GDPR.
6.3. Third-Party Platforms’ Responsibility
Third-Party Platforms connected to the Service operate independently from STRACKR.
Such platforms may act as independent Data Controllers with respect to Personal Data processed through their own services.
STRACKR does not determine the purposes for which Personal Data is collected by such Third-Party Platforms and assumes no responsibility for their compliance with applicable data protection laws.
7. Sub-processors
The Client provides STRACKR with a general authorization to engage Sub-Processors for the provision of the Service.
A current list of Third-Party Service providers, which includes Sub-Processors, is made available in STRACKR’s Privacy Policy.
STRACKR shall inform the Client of any intended addition or replacement of Sub-Processors and provide the Client with the opportunity to object on reasonable data protection grounds within a reasonable period.
STRACKR shall ensure that any Sub-Processor is bound by contractual obligations providing a level of data protection equivalent to those set out in this DPA.
STRACKR remains fully liable for the performance of its Sub-Processors’ obligations.
8. Assistance With Data Subject Rights
Taking into account the nature of the processing and the information available to STRACKR, STRACKR shall provide reasonable assistance to the Client, to the extent of the information available to it, in order to enable the Client to:
- respond to requests from Data Subjects to exercise their rights under Articles 15 to 22 of the GDPR;
- comply with security and notification obligations; and
- carry out, where applicable, a data protection impact assessment in accordance with Article 35 of the GDPR.
Any assistance beyond this reasonable scope may be subject to additional billing.
9. International Transfers
Where Personal Data is transferred outside the European Economic Area, STRACKR shall ensure that such transfers are carried out in accordance with Chapter V GDPR, including through the use of Standard Contractual Clauses or other appropriate safeguards.
10. Deletion or Return of Personal Data
Upon termination or expiration of the Subscription Agreement, STRACKR shall delete all Personal Data processed on behalf of the Client within three (3) months following the effective termination of the Subscription Agreement, unless Union or Member State law requires storage of the Personal Data.
Notwithstanding the foregoing, the Client may request in writing, prior to the expiration of such three (3) month period, that STRACKR return the Personal Data to the Client, in which case STRACKR shall provide the Personal Data in a commonly used electronic format and subsequently delete the remaining copies in accordance with this Section.
11. Liability
Each Party shall be liable for its own breaches of applicable data protection law. Nothing in this DPA shall limit or exclude liability set out in the Terms or where such limitation is prohibited by applicable law.
12. Governing Law
The DPA shall be governed by French law.
Any dispute arising in connection with this DPA shall fall within the jurisdiction specified in the Terms.