Data Processing Agreement
Last updated: 16 July 2026
1.Scope and roles
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service between Revealu (“Processor”) and the customer (“Controller”) and governs the processing of personal data of the Controller's website visitors within the meaning of art. 28 GDPR. It applies automatically from the moment an account is created; using the Service constitutes acceptance.
2.Nature, purpose and duration of the processing
- Subject matter: identification, at company level, of organisations visiting the Controller's website(s).
- Nature: collection of technical visit data via a tracking script, server-side lookup of the organisation behind an IP address, storage and presentation of the results.
- Purpose: B2B lead generation and website analytics for the Controller.
- Duration: for as long as the Controller's account exists.
3.Categories of data and data subjects
- Data subjects: visitors of the Controller's website(s).
- Personal data: IP address (stored only as a salted hash after company resolution), technical browser/device context, pages visited, referrer, country, and — where the Controller uses the identify function — the domain part of a business email address. No special categories of data are processed.
4.Processor obligations
Revealu shall:
- process the data only for the purposes above and on the Controller's documented instructions, unless EU or member-state law requires otherwise;
- ensure persons authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational measures (art. 32 GDPR) — see section 6;
- assist the Controller, insofar as reasonably possible, with data-subject requests (art. 12–23 GDPR) and with the Controller's own compliance obligations (art. 32–36 GDPR);
- notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data;
- delete the data at the end of the agreement (section 8);
- make available the information reasonably necessary to demonstrate compliance with this DPA.
5.Subprocessors
The Controller grants general authorisation for the following subprocessors. Revealu will give notice of intended changes (via this page) so the Controller can object.
- Vercel — application hosting;
- Supabase — database hosting (EU region);
- IP-intelligence and public-registry services (e.g. ipapi.is, RDAP/RIPE, DNS, Chamber of Commerce, geocoding) — receive an IP address or company name solely to perform a lookup.
6.Security measures
- encryption in transit (HTTPS/TLS) for all traffic, including the tracking beacon;
- IP addresses stored only as salted hashes; no data stored on visitors' devices (cookieless);
- passwords hashed with bcrypt; sessions via signed tokens;
- access to production systems restricted to authorised administrators;
- rate limiting and payload validation on data-ingestion endpoints.
7.International transfers
Data is stored in the EU (database region). Where a subprocessor processes data outside the EEA, transfer takes place under an adequacy decision or standard contractual clauses.
8.Deletion and return
When the account ends, all associated visitor data is deleted. The Controller can delete leads (including underlying visits) at any time from the dashboard and can export data as CSV beforehand. Backups expire on their regular rotation schedule.
9.Liability and precedence
The limitation of liability from the Terms of Service applies equally to this DPA. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.
