Data Processing Agreement
Seline is operated from the European Union. Our infrastructure is hosted in Germany and subject to EU data protection law. Processing and storing data in a secure, fair, and transparent way is central to how we build the product.
This Data Processing Agreement ("DPA") is an addendum to the Terms & conditions between Seline and the customer.
If you accept this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.
This DPA applies to visitor data processed by Seline on behalf of the customer in connection with use of the service.
Definitions
"You" or "customer" means the company or organization that signs up to use Seline to analyze website visitors.
In providing the Seline service under the agreement, Seline may process visitor data on behalf of the customer.
"Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/679) and all other applicable laws relating to the processing of visitor data and privacy in any relevant jurisdiction.
"data controller", "data processor", "data subject", "personal data", and "processing" have the meanings given in applicable Data Protection Legislation.
The parties agree that the customer is the data controller and that Seline is its data processor in relation to visitor data processed while providing the service.
Privacy and security of your visitor data
We take measures to protect your data through backups, redundancy, and encryption. When you use Seline to measure your website, we process information about your visitors as described in our privacy policy.
You entrust us with your site data and we treat that seriously. You agree that Seline may process your data as described in our privacy policy and only for the purpose of providing the analytics service.
You retain ownership and control of your website data. We obtain no rights to your website data. We do not sell visitor data and only share client account data with trusted service providers where necessary to operate the service.
With default settings, Seline does not track, collect, or store personal data that can identify individuals, does not set cookies on visitors' browsers, and is designed to respect visitor privacy.
We minimize collection. We store only what is needed for aggregate analytics: daily unique visitors, country, parsed browser/OS/device, referrer, UTM parameters, and page views.
We do not attempt to build a persistent cross-site identifier. By default we do not use cookies, browser cache, or local storage on visitor devices.
Every HTTP request includes an IP address and User-Agent. We compute a daily unique identifier using a hash function with a rotating salt:
hash(domain, ipAddress, userAgent, dailySalt)
The salt is unique per domain and rotated every 24 hours. Raw IP addresses and full User-Agent strings are not stored in logs, databases, or on disk. Previous salts are deleted after rotation so visitor information cannot be linked across days or reconstructed from stored hashes.
Country is derived from the Cloudflare CF-IPCountry header when available. IP addresses are not used for geolocation lookups and are not written to our databases.
The group of data subjects affected includes end-users of the controller's websites that use the service.
If you enable optional features (such as visitor identification or cookie-based tracking), you remain responsible as controller for the lawfulness of that processing. More detail is in our privacy policy and GDPR statement.
Organizational and technical security measures
Visitor data is encrypted in transit (HTTPS) and hosted in the European Union. Application servers, ClickHouse, and Postgres databases run on Hetzner infrastructure in Germany.
We apply firewall rules, private networking, and secure backups. Account passwords are hashed using industry-standard methods.
Further detail is in our privacy policy and GDPR statement.
Processor obligations
Seline processes visitor data only in accordance with documented instructions from the customer through use of the service and applicable product settings.
Seline will notify the customer without undue delay if an instruction appears to infringe applicable Data Protection Legislation.
Seline ensures confidentiality of visitor data. Authorized personnel may access visitor data only where necessary to provide support, maintain the service, or ensure security.
Seline implements appropriate technical and organisational measures to protect visitor data.
Seline uses sub-processors where necessary. Sub-processors are bound by data protection obligations and may process data only to provide services Seline has engaged them for.
Seline will notify the customer of material changes to sub-processors via email, in-app notice, or a public update. The customer may object and, if the objection cannot be resolved, terminate the agreement as set out in the Terms & conditions.
Seline will notify the customer of any personal data breach without undue delay (no later than 48 hours where feasible) and take appropriate mitigation steps.
Seline processes data on documented instructions and does not modify or delete customer data except as instructed, as required by the product, or as required by law.
Seline assists the customer with data protection obligations where reasonable and forwards data subject requests received directly by Seline to the customer.
Sub-processors
Current sub-processors used to provide the service:
| Service | Purpose | Location / notes |
|---|---|---|
| Hetzner | Hosting and databases | EU (Germany) |
| Stripe | Payment processing | GDPR-compliant; see Stripe's GDPR documentation |
| Postmark | Transactional email | GDPR-compliant; see Postmark's EU privacy information |
Delete instructions
You can delete site data and your account at any time from the Seline application or by contacting us.
Data is permanently deleted without undue delay upon deletion, subject to backup retention described in our GDPR statement (deleted data is removed from backups within 30 days). Account deletion is irreversible.
Customer undertakings and Seline assistance
The customer warrants that it has the necessary rights and legal basis to provide visitor data for processing.
The customer is responsible for:
- determining the lawfulness of processing
- providing privacy notices to visitors
- implementing appropriate safeguards
- notifying supervisory authorities where required
- data shared via identify, custom events, or optional tracking features
Seline will provide reasonable assistance with data subject requests and security inquiries related to processing under this DPA.
Liability and indemnity
Each party indemnifies the other against claims arising from that party's breach of this DPA, to the extent permitted by applicable law and subject to the limitations in the Terms & conditions.
Duration and termination
This DPA is effective as of June 2, 2026, replaces any prior data processing agreement between you and Seline for the service, and may be updated from time to time. Material updates will be communicated as described above.
Confidentiality obligations survive termination.
Acceptance
Use of the service constitutes acceptance of this DPA. No separate signature is required.
Contact
Questions about this DPA: privacy@seline.com
Legal entity: KANSTANTSIN NESTSIAROVICH, ul. Łowicka 60, 02-531 Warsaw, Poland. See imprint.