Illumino
Pricing FAQ
/
Sign in

Data Processing Agreement

Version 1.0 · Effective July 7, 2026

This Data Processing Agreement ("DPA") forms part of the Illumino Terms of Service and is entered into between the customer identified on the Illumino account (the "Controller") and Illumino, a web analytics service operated as a sole proprietorship from Québec, Canada (the "Processor"). The operator's legal name is provided on countersigned copies on request, and this DPA will be re-issued under the incorporated entity's name upon incorporation. It takes effect automatically when the Controller creates an account or places the Illumino snippet on a website; no signature exchange is required. Retain a copy of this page for your records. If your organisation requires a countersigned copy, use the contact form (topic "Privacy and compliance"), mention "DPA countersignature", and include your legal entity name.

1. Definitions

"Personal data", "processing", "data subject", "controller", "processor", "supervisory authority", and "personal data breach" have the meanings given in the EU General Data Protection Regulation (GDPR). "Personal information" has the meaning given in Quebec's Act respecting the protection of personal information in the private sector (Law 25) and PIPEDA; the two are treated interchangeably in this DPA. "Applicable data protection law" means Law 25, PIPEDA, and, where they apply to the Controller, the GDPR and UK GDPR/PECR.

2. Subject matter, duration, nature and purpose

Subject matter: provision of the Illumino web analytics service described in the Privacy Policy. Duration: the term of the Controller's account, plus the 30-day post-termination export window. Nature and purpose: collection and aggregation of anonymised website usage statistics for the Controller's own audience-measurement purposes; hosting and operating the Controller's account.

3. Categories of data subjects and data

  • Website visitors (the Controller's end users). No personal data is stored. The service is designed so that visitor analytics contains no identifiers: no cookies, no IP address storage (the IP is used transiently, in memory, to derive a country code, then discarded), no fingerprints, hour-precision timestamps, and a k≥5 city threshold. Aggregate counts are not personal data once produced; the transient in-memory handling of the connection IP is the only processing of visitor personal data, and it is never recorded.
  • Account holders and authorised users. Email address, hashed credentials, site domains and configuration, and payment-provider customer/subscription references. No full card numbers.

4. Processor obligations

  • Process personal data only on the Controller's documented instructions (the Terms of Service and the Controller's dashboard configuration), unless required otherwise by law, in which case the Processor informs the Controller unless legally prohibited.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement and maintain the technical and organisational measures in Annex 1.
  • Never sell, rent, or share service data with third parties for their own purposes; no advertising networks or data brokers.
  • Assist the Controller, insofar as possible, in responding to data subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, with information reasonably required for the Controller to meet its own notification obligations (including the 72-hour clocks under GDPR Article 33 and Law 25).
  • At termination, delete the Controller's data after the 30-day export window described in the Terms of Service, unless law requires longer retention.
  • Make available information reasonably necessary to demonstrate compliance with this DPA, including this document, Annex 1, and the sub-processor register.

5. Sub-processors

The Controller grants general authorisation for the sub-processors listed at illumino.app/subprocessors (incorporated into this DPA by reference). The Processor gives account holders at least 30 days' notice by email before adding a sub-processor. If the Controller objects, it may terminate the account before the change takes effect.

6. International transfers

Service data is processed and stored in Québec, Canada. Canada holds a European Commission adequacy decision covering commercial organisations subject to PIPEDA, so transfers of personal data from the EEA to the Processor do not require Standard Contractual Clauses. If that adequacy decision ceases to apply, the parties agree that the EU Standard Contractual Clauses (module two, controller to processor) are deemed incorporated into this DPA with the Annexes populated from this document.

7. Liability, precedence, and changes

Liability under this DPA is subject to the limitations in the Terms of Service. If this DPA conflicts with the Terms of Service on data protection matters, this DPA prevails. Material changes to this DPA are announced to account holders by email at least 14 days before taking effect; the version table below records every revision.

8. Governing law

This DPA is governed by the laws of the Province of Quebec, Canada, without prejudice to mandatory rights under the Controller's applicable data protection law.

Annex 1: Technical and organisational measures

  • Encryption in transit: TLS 1.2 or higher on all endpoints.
  • Data minimisation by design: no cookies, no visitor identifiers or fingerprints, no visitor IP storage (transient in-memory country lookup only), no screen resolution, referrer stored as domain only, URL paths stored without query strings.
  • Aggregation safeguards: hour-precision timestamps; city-level geography only at k≥5 distinct daily visits.
  • Retention: raw anonymous hit records deleted after 7 days; only anonymous daily aggregates kept long-term.
  • Infrastructure: dedicated server hosted by OVHcloud in Québec, Canada; database access restricted to the service operator; no shared multi-tenant database exposure.
  • Access control: operator-only production access over key-based SSH; secrets held in root-restricted environment files, never in the code repository.
  • Incident response: documented procedure naming the 72-hour notification clocks (CAI under Law 25; lead EU supervisory authority where GDPR applies).
  • Transparency: the tracking snippet is served unminified for public inspection; it sets no cookies and reads no browser storage.

Annex 2: Sub-processors

The current register at illumino.app/subprocessors forms Annex 2 of this DPA.

Version history

VersionDateChange
1.0July 7, 2026Initial publication.

🍁 Proudly Canadian from the start.

© 2026 Illumino · A Quicker.tools Company · QC, Canada
Privacy · Terms · Compliance · Help · Contact