Data Processing Agreement

Version 2026-06-29 · Effective as of June 29, 2026

This Data Processing Agreement ("DPA") is entered into between you, or the legal entity you represent, as the Controller, and Yeloy Tecnologia LTDA (CNPJ No. 67.197.218/0001-59), operator of the Himetrica platform ("Himetrica," "we"), as the Processor. It governs the processing of personal data that Himetrica carries out on behalf of and under the instructions of the Controller when you use the Service, in accordance with Brazilian Law No. 13,709/2018 (the General Data Protection Law, "LGPD").

This DPA forms part of and supplements Himetrica's Terms of Service and Privacy Policy. By accepting the Terms of Service and using the Service, you also accept this DPA, with no physical signature required. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

This English version is provided for convenience. This DPA is governed by Brazilian law, and in the event of any conflict the Portuguese version, available at himetrica.com/pt/legal/dpa, prevails.

1. Definitions

The terms below have the meaning assigned to them by the LGPD:

  • Personal data: information relating to an identified or identifiable natural person.
  • Data subject: the natural person to whom the personal data relates, in this case the visitors and end users of the Controller's website or application.
  • Controller: you (or your company), to whom the decisions regarding the processing of personal data belong.
  • Processor: Himetrica, which carries out the processing on behalf of the Controller.
  • Sub-processor: a third party engaged by the Processor to process personal data on its behalf in performance of this DPA.
  • Processing: any operation carried out with personal data, such as collection, storage, use, and deletion.
  • Security incident: an event that may give rise to relevant risk or harm to data subjects, such as unauthorized access, loss, alteration, or improper disclosure of personal data.

2. Roles of the Parties

With respect to the personal data of data subjects (visitors and end users) that you send to, or cause to be collected by, Himetrica, you act as the Controller and Himetrica as the Processor. You determine the purposes and means of the processing; Himetrica processes such data solely in accordance with your instructions and this DPA.

With respect to your own account data (for example, the registration name and email and billing data), Himetrica acts as the Controller, as described in the Privacy Policy. That data is not the subject of this DPA.

3. Subject Matter, Purpose, and Scope of Processing

Himetrica processes personal data for the sole purpose of providing the analytics Service to the Controller: audience measurement, page and event statistics, visitor identification when the Controller uses the identify API, traffic-source and revenue attribution, and the other contracted features. The categories of data and of data subjects, and the duration of the processing, are detailed in Annex I.

Himetrica does not use the Controller's personal data for its own purposes, does not sell it, and does not share it, except with the sub-processors in Annex II and where the Controller expressly enables a third-party integration (such as the Meta Conversions API).

4. Controller's Instructions

Himetrica processes personal data only in accordance with the Controller's documented instructions. Documented instructions consist of this DPA, the Terms of Service, the settings you define in the dashboard, and your use of the Service's APIs. Himetrica will inform the Controller if, in its assessment, an instruction infringes the LGPD, and may suspend performance of the instruction in question.

5. Processor's Obligations

Himetrica undertakes to:

  • process personal data only in accordance with the Controller's instructions and the purpose in Section 3;
  • ensure that the persons authorized to process the data are subject to a duty of confidentiality;
  • adopt the security measures in Section 7;
  • comply with the conditions for engaging sub-processors in Section 8;
  • assist the Controller in responding to data subject rights (Section 10);
  • report security incidents under Section 11;
  • delete or return the data at the end of the processing (Section 12);
  • keep a record of the processing operations it carries out, pursuant to art. 37 of the LGPD; and
  • make available the information necessary to demonstrate compliance (Section 13).

6. Confidentiality

Himetrica keeps the Controller's personal data confidential and limits access to it to the employees and providers who need to know it in order to provide the Service, all bound by confidentiality obligations. This duty survives termination of the contractual relationship.

7. Information Security

Himetrica adopts technical and organizational measures suitable to protect personal data, taking into account the nature of the processing and the risks involved. Among them:

  • encryption in transit (TLS/HTTPS) and storage with providers that offer encryption at rest;
  • encryption of the integration credentials provided by the Controller;
  • least-privilege access control and authentication of internal systems;
  • HTTP security header policies and logical isolation of data per project and organization;
  • logging and monitoring of operational events; and
  • retention of detailed data according to the contracted plan, with deletion of data exceeding the retention period.

8. Sub-processors

The Controller authorizes Himetrica to engage the sub-processors listed in Annex II to process personal data in performance of this DPA. Himetrica imposes on sub-processors data-protection obligations equivalent to those of this DPA and remains responsible to the Controller for their compliance.

Himetrica may add or replace sub-processors on at least 30 (thirty) days' prior notice to the Controller. If the Controller reasonably objects to a new sub-processor, it may notify Himetrica within 30 (thirty) days; if no solution is possible, the Controller may terminate the affected Service. The payment and tax-invoicing processors used to bill your subscription process your account data under the Privacy Policy and not as sub-processors under this DPA.

9. International Data Transfers

The Controller acknowledges and authorizes that part of the processing takes place outside Brazil, primarily in the United States, where the infrastructure providers in Annex II are hosted (edge network, database, analytics storage, cache, logs, and hosting). Such transfers comply with articles 33 to 36 of the LGPD.

For countries not subject to an adequacy decision by the Brazilian National Data Protection Authority (ANPD), the transfer is based on contractual clauses, adopting the Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024), which are deemed incorporated into this DPA by reference and prevail, as regards international transfers, in the event of a conflict with the other provisions. Where applicable, Himetrica may base the transfer on another ground permitted by article 33 of the LGPD, such as an adequacy decision or specific safeguards recognized by the ANPD.

In addition, the infrastructure sub-processors in Annex II maintain their own data processing agreements and international-transfer contractual clauses, to which Himetrica adheres, reinforcing the safeguards applicable to the transfers.

10. Data Subject Rights

Himetrica assists the Controller in responding to data subjects' requests for access, correction, deletion, portability, and the other rights provided for in the LGPD. The Service's dashboard and APIs allow the Controller to access, export, and delete visitor data.

In particular, Himetrica provides a server-to-server API endpoint for deleting a data subject's personal data (anonymization of name, email, identifiers, and precise location, and removal of the associated revenue records), preserving only pseudonymized and aggregated data. If Himetrica receives a request directly from a data subject, it will forward it to the Controller and will not respond on its own, except as required by law.

11. Security Incidents

Himetrica will notify the Controller without undue delay after confirming a security incident affecting the personal data processed on its behalf. The notification will describe, to the extent of the information then available, the nature of the incident, the data and data subjects potentially affected, and the measures taken, and may be supplemented as further information is ascertained. Himetrica will provide reasonable cooperation to the Controller, with the decision and responsibility for notifying the incident to the Brazilian National Data Protection Authority (ANPD) and to data subjects resting with the Controller, in its capacity as controller. Himetrica's notification of an incident does not, in itself, constitute an admission of fault or liability.

12. Deletion or Return of Data

Upon termination of the Service, or at the Controller's request, Himetrica will delete or return the personal data processed on the Controller's behalf, except where retention is required by a legal or regulatory obligation. When an account is closed, the associated analytics data is permanently deleted within 30 days.

13. Audit and Accountability

Himetrica will make available to the Controller the information reasonably necessary to demonstrate compliance with this DPA. Audits will be conducted on reasonable prior notice, during business hours, without compromising the security and confidentiality of other customers, and may be satisfied by means of relevant documentation and reports.

14. Liability and Controller's Warranties

To the maximum extent permitted by applicable law, Himetrica's liability arising out of or relating to this DPA is subject to all of the limits, exclusions, and caps on liability set out in the Terms of Service, which apply jointly to this DPA. Himetrica's aggregate liability to the Controller, under this DPA and the Terms taken together, will not exceed the amount actually paid by the Controller to Himetrica in the 12 (twelve) months preceding the event giving rise to the liability.

To the maximum extent permitted by applicable law, Himetrica will not be liable for indirect damages, lost profits, loss of data, loss of revenue, or incidental, special, or consequential damages, even if advised of their possibility.

Himetrica processes the data solely in accordance with the Controller's instructions and is not responsible for the lawfulness of the instructions, the purposes, the legal basis, the consent, or the data that the Controller collects or transmits to the platform. The Controller represents and warrants that: (i) it has a legal basis and, where required, valid consent for the processing; (ii) it complies with its transparency and information duties toward data subjects; (iii) it does not send Himetrica sensitive personal data or data of children and adolescents in breach of the law; and (iv) it is solely responsible for any third-party integration it enables (such as the Meta Conversions API and revenue integrations) and for the resulting data flow.

Each Party is responsible for the administrative sanctions individually imposed on it; Himetrica is not liable for sanctions, fines, or awards imposed on the Controller as a result of the Controller's own acts, omissions, or instructions. The Controller (and not Himetrica) will indemnify and hold Himetrica harmless from any losses, expenses, and costs, including legal fees, arising from claims by data subjects, third parties, or authorities relating to the Controller's breach of this DPA, the Terms, or applicable law, or to unlawful instructions provided by it.

Nothing in this DPA excludes or limits liabilities that cannot be excluded under applicable law, in particular liability toward data subjects under article 42 of the LGPD and liability for willful misconduct or bad faith.

15. Term, Acceptance, and Relationship to the Terms

This DPA remains in effect for as long as Himetrica processes personal data on behalf of the Controller and throughout the contractual relationship. It is accepted through acceptance of the Terms of Service and use of the Service. Himetrica may update this DPA, updating the version number and effective date at the top of this page, and communicating material changes.

16. Governing Law and Venue

This DPA is governed by the laws of the Federative Republic of Brazil, in particular the LGPD. The courts of the judicial district of the registered office of Yeloy Tecnologia LTDA are elected to resolve disputes arising from this DPA, waiving any other, however privileged.

17. Data Protection Officer (DPO) and Contact

For questions about this DPA or about data protection, contact Himetrica's Data Protection Officer (Encarregado) at privacy@himetrica.com. Contractual matters may be handled at legal@himetrica.com.


Annex I: Details of Processing

  • Subject matter: processing of visitor and end-user data to provide the analytics Service.
  • Nature and purpose: collection, storage, organization, statistical analysis, attribution, and deletion, for the purpose of providing metrics and reports to the Controller.
  • Categories of data subjects: visitors and end users of the Controller's website or application.
  • Categories of data: pseudonymous visitor and session identifier, page and referrer (URL), campaign parameters (UTM), screen size, and user agent; approximate location derived from the IP (country, region, city); custom events, performance metrics, and error reports, when enabled; and name, email, and other attributes when the Controller provides them through the identify API. When the Controller connects a revenue integration, this includes customer and charge data imported by it.
  • Sensitive data: the Service is not intended for the processing of sensitive personal data; the Controller must not send such data.
  • Duration: for the term of the Service, subject to the retention periods of the contracted plan.

Annex II: Sub-processors

Himetrica uses the following sub-processors to process personal data in performance of this DPA. The location indicates the predominant region of processing.

  • Supabase: database and file storage. United States.
  • ClickHouse Cloud: analytics event storage. United States.
  • Redis Cloud: cache and processing queues. United States.
  • Axiom: operational log processing. United States.
  • Resend: transactional email delivery (verification, password reset, reports, and alerts). United States.
  • OpenAI: generation of analytics insights and automated classification of traffic sources and content. United States.
  • Cloudflare: content delivery network, reverse proxy, and application firewall in front of the API and the collection endpoints, through which visitor traffic transits (including the IP address); and page rendering and capture for the Controller's website audit. Global network.
  • Vercel: web application hosting. United States and global network.
  • IP geolocation services: resolution of approximate location from the IP address, via a local database (MaxMind) and, residually, by querying external services (ip-api.com, ipwho.is). The IP address is not retained in the analytics database after resolution.
  • Meta Platforms (only when enabled by the Controller): Conversions API, to which Himetrica forwards the events configured by the Controller. This integration is disabled by default. Global.

The list may be updated as set out in Section 8. The version in force is the one published on this page.
