Data Processing Agreement

We offer a data processing agreement for your organization’s data, making it easier to ensure you are using best practice contractual protections. Our data processing agreement clearly articulates our privacy commitments.

In the course of providing our service, Vibetrace may process personal data on your behalf. This document forms part of a contract of service between Vibetrace (as Data Processor) and our customers (Data Controllers). This DPA reflects the parties’ agreement with regard to the processing of personal data performed using our service. Upon agreement of our DPA, you can use our full service.

How does this Agreement apply?

If the Data Controller is a paying customer of Vibetrace, this Agreement forms part of a contract of service with Vibetrace. If the Controller accepting this Agreement does not pay for Vibetrace services, this Agreement is not valid and is not legally binding.

If you need this agreement in print, please contact us to arrange it.


“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For our specific case, Controller is represented by our customers, who create an account on our service.

“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.

“Data Subject” means the individual to whom Personal Data relates.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalising, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. In this case, the Processor is us, Vibetrace.

“Terms of service” means the legal agreement between the Controller as the user and the Processor, that governs the Controller’s limited, non-exclusive and terminable right to the use of the Vibetrace site and services as defined in the Terms of Service.


The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller. Services provided by Vibetrace make it necessary for this agreement to be in place, as personal data flows easily from Controller to the Processor.

The Controller shall process Personal Data in accordance with the requirements of the Applicable Laws. The Controller shall have sole responsibility for the accuracy, quality and legality of all data and the means by which it acquires this Personal Data.


This Agreement commences on the date the Controller (Vibetrace’s customer) creates or gets an account on our platform/website.

The Data Processing Agreement is valid until either:

  • The Data Processing Agreement is terminated or revoked.
  • The agreement(s) pertaining to the delivery of the Main Services cease.

Each Controller using the Vibetrace service has full control of its Personal Data and decides for how long it gets saved into the service. Old data that becomes inactive after specific periods of time will be automatically deleted from Vibetrace servers.

Data processing

The Processor will process Personal Data for the Purpose described in the Terms of Service, as entered into between the parties, on behalf of and under the direction of the Controller.

The data will be processed either within a state of the European Union or outside the area. The Processor, Vibetrace, reserves its right to transfer data outside European Union territory in order to provide its services.

Technical and organizational measures

Vibetrace takes all reasonable technical and organizational measures to commit to confidentiality of your data including:

  • Use of encryption
  • Continual monitoring of the confidentiality, integrity, availability, and resilience of our systems
  • Preparedness to restore availability of our services in the event of a physical or technical incident
  • Regular risk assessments of all systems
  • Commercially reasonable steps to ensure employees and those acting on Vibetrace’s behalf maintain confidentiality of personal data
  • Data agreements & privacy confirmations of all sub-processors engaged in providing services to Vibetrace
  • Provide written responses to all reasonable requests for information made by customers
  • Reasonably assist customers with data security audits, including inspections, conducted by the customer, auditors, or other supervisory authorities
  • Provide notice to customers regarding personal data breaches

Rights on Data

Data Controllers and Subjects have the following rights on the Personal Data being processed by Vibetrace:

Right to be informed: Controllers or their Subjects can ask about personal data, how it is used, and why it is being used at any time.

Right of access: As outlined in our Privacy Policy (Access to Personal Information).

Right of rectification: Controllers or their Subjects can update (or request updates to) personal information at any time.

Right of erasure: Controllers may cancel their accounts at any time and may additionally request that Vibetrace erase all Personal Data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Your Data Subjects may also request that Controllers do the same for their personal data. Vibetrace reserves the right to keep the minimum amount of information that helps us prevent fraud to keep your deliverability the highest it can be.

Right to restrict processing: Controllers are able to put your account on hold at any time, which restricts the sending of email communications, text messages or push notifications. Your data will still be processed for other actions such as billing and by our sub-processors. Controllers may cancel their account to restrict all data processing of your data and reactivate it as long as we have not yet deleted your information according to our retention policies.

Right to data portability: Controllers may export any of your lists, or selected information within any list, at any time while your account is active.


The Data Processor may use third parties for the processing of personal data for the Data Controller to the extent that this is stated in:

  • Appendix 3 of this Data Processing Agreement, or
  • Instructions from the Data Processor.

The Third Party Data Processor must provide the same data protection obligations as the Data Processor (including those under the Data Processing Agreement).

The Third Party Data Processor only acts specifically in line with, and in relation to, the Instructions agreed with the Data Controller. Unless otherwise specifically agreed, all communications with the Third Party Data Processor are handled by the Data Processor. Any changes or clarifications to the Instructions from the Data Controller shall be immediately passed on by the Data Processor to the Third Party Data Processor.

The Data Processor is directly responsible for ensuring the Third Party Data Processor’s processing of personal data in the same manner as if it were processed by the Data Processor itself.

Appendix 1 – Main Services

By the current addendum, the Beneficiary empowers the Data Processor (Service Provider) to: Identify, Collect, Aggregate, Process and host personal data, mentioned in this Agreement, received directly from the Controller through technical systems integrations of the codes provided by the Controller (Vibetrace) or manual import through Controller Platform or using APIs provided by the Controller and use this data with the purpose of analyzing Controller’s users (Data Subjects) behaviour and delivery of the services.

Delivery of services includes, but is not limited to, communicating in the name of the Data Controller with its users, according to the rules set up by the Controller:

  • Sending of emails or text messages to mobile numbers
  • Sending of personal push notifications to the Subject’s device
  • Personalizing website content according to each Subject’s profile
  • Collecting data using surveys and polls
  • Delivery of personalized ads via Facebook, Instagram, Google and Bing ad networks

Appendix 2 – Data Types and Categories

Data processed by the Data Processor can include, but is not limited to, the following:

  • Email address, first & last name of Subjects or addresses
  • Phone numbers
  • Browser push notification tokens
  • Device IP address (stored in anonymized format)
  • Device screen resolution, operating system, browser type
  • Geographic location
  • Pages visited, orders
  • Referring URLs and domains

Appendix 3 – Subprocessors

The following list might be updated in the future if other sub-processors are used. If you object to any sub-processor addition when added, you may cancel your account within 5 days of the notification provided that such objection is based on reasonable grounds relating to data protection.


Appendix 4 – List of items for DPA

We recommend that our clients add the following items to their Terms and Conditions page or, respectively, their Data Processing Agreement.

  • In order to improve our services, we do monitor, track and create unique profiles of our visitors and customers using Vibetrace Marketing Automation platform (
  • Those activities are not required in order to create an order or use our website, and do not have any legal binding effect. Users can choose not to be tracked and not to receive our marketing communications.
  • In order for Vibetrace services to work and create the marketing data platform that acts as a base for the marketing automation services they offer, the following information is collected: email, phone numbers, IP address, location, browser information, interaction with site pages, as well as the timestamps of those actions.
  • The list of subprocessors used by Vibetrace to deliver the services mentioned above can be always found at
  • Data retention is up to 2 years for identified visitors (those that have an email address) and up to 6 months for visitors that do not have an associated email address and/or phone number