Data Processing Agreement (DPA)
The DPA governs Snorklee's role as processor when the service measures audience on a customer site. The customer remains the controller: it decides to use Snorklee, chooses the measured sites, configures the events sent and informs its visitors.
This page explains the DPA in plain language. The operational version, generated and signable from the dashboard Compliance tab, prevails if there is any discrepancy.
Processing purpose
Snorklee processes minimised data to provide the customer with audience statistics, technical reports, exports, aggregate-analysis features and compliance documents.
Processing is limited to providing, securing, maintaining and supporting the service.
Excluded purposes are clear:
- no behavioural advertising;
- no advertising sale or sharing of audience data;
- no cross-site matching;
- no session replay;
- no individual heatmap;
- no visitor CRM import;
- no advertising enrichment;
- no individual visitor timeline.
Data involved
Main categories are viewed pages, authorised events, referrer domains, traffic source, country or region depending on configuration, browser families, device type, operating system, language, technical errors, aggregate scroll or click signals and statistical counters.
Campaign parameters are not used to create cross-site tracking or an advertising profile.
The IP address and User-Agent may be used transiently at ingestion to geolocate, classify the browser or device, detect abuse or recognise some crawlers, but they are not stored raw in analytics events.
The customer must not send sensitive data, names, email addresses, phone numbers, postal addresses, customer IDs, advertising click IDs, secrets, tokens or any directly identifying data in Snorklee events or properties. Custom events must remain technical or business-related.
Security and processors
Snorklee implements technical and organisational measures intended to protect data: TLS, access control, application-level role separation (ingest / read), limited logs, short raw-event retention, site deletion on request and processor documentation.
Main processors are listed in the privacy policy, the DPA and the documents generated from the Compliance tab. They cover hosting, geolocation, transactional email, payment, optional AI on aggregates and some public audits.
The list may change with reasonable notice where the change is significant.
Customer assistance
Snorklee assists the customer with access, erasure, export, processor information, security documentation and, where applicable, response to rights requests.
Because there is no stable visitor identifier, Snorklee cannot always find an individual person in statistics. Depending on the context, a request may be handled by time range, by deleting an event if the customer can otherwise identify it, or by deleting the site.
The customer remains the main contact for the end visitor.
Retention
Raw events are kept for 90 days. Analytics aggregates are kept for up to 25 months. After termination, site data may be kept for 30 days to allow recovery, then deleted under the applicable procedures.
AI
When the customer uses AI features, Snorklee sends only the aggregates needed for the summary or answer: indicators, trends, pages, channels or periods. No raw IP address, visitor identifier, individual event row or directly identifying data should be sent to the AI engine in this context.
AI is triggered at the customer's request, unless a different documented configuration explicitly states otherwise.
If the customer enables the optional AI visibility tracking module, questions built from the public content of their site (never visitor data) are sent to the queried AI assistant providers — OpenAI, Google, Perplexity and Anthropic (United States) — to measure the brand's presence in their answers. This module is disabled by default and chosen by the customer.
CCPA/CPRA addendum
The DPA may include a CCPA/CPRA addendum when the customer enables it from the Compliance tab. This annex documents Snorklee's role as service provider for audience measurement, the absence of advertising sale or sharing of Snorklee audience data, and the limited purpose of processing.
This addendum covers the Snorklee scope only. Other tools present on the customer's site must be assessed separately.
Signature
The operational DPA is generated and signable from the dashboard Compliance tab. This page explains the content in plain language; the signed document prevails if there is any discrepancy.
The dashboard may generate a signature evidence page, including timestamp, signer identity and document fingerprint, depending on available features.