Data Processing Agreement
Last Updated: 1st September 2025
Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA" or "Agreement") is entered into between Titan Ventures Ltd., trading as PixelFlow ("Processor"), and the customer identified in the applicable Terms of Service ("Controller"). This Agreement forms part of the Terms of Service and governs the processing of personal data carried out by PixelFlow on behalf of the Controller.
This Agreement is subject to the exclusive jurisdiction of the courts of Ireland.
Contents
1. Definitions
2. Subject Matter & Purpose
3. Categories of Data Processed
4. Controller Responsibilities
5. Processor Responsibilities
6. Subprocessors
7. International Data Transfers
8. Data Retention & Deletion
9. Security Measures
10. Assistance with Compliance
11. Governing Law and Jurisdiction
Definitions
Controller: The entity which determines the purposes and means of processing personal data.
Processor: The entity which processes personal data on behalf of the Controller.
Subprocessor: Any third party engaged by the Processor to process personal data.
Personal Data: Any information relating to an identified or identifiable natural person.
Applicable Law: All data protection and privacy legislation applicable to the processing, including the GDPR, ePrivacy Directive, and related guidance.
2. Subject Matter and Purpose
PixelFlow provides server-side tracking and analytics services. In connection with these services, PixelFlow processes Personal Data solely as instructed by the Controller. Processing is limited to what is necessary to provide the agreed services, including event forwarding, deduplication, and reporting.
Note: The Controller is solely responsible for ensuring all client-side scripts, pixels, or tracking mechanisms deployed on websites or applications are executed only after obtaining valid end-user consent where required by law.
3. Categories of Data Processed
Depending on configuration by the Controller, PixelFlow may process the following categories of Personal Data:
IP addresses (processed for event transmission and deduplication; anonymized or hashed where possible)
Browser and device information (e.g., user agent, operating system)
Referrer URLs and page activity data
Event metadata (e.g., purchase value, order ID, or other parameters defined by the Controller)
PixelFlow does not process sensitive categories of data and does not use Personal Data for its own marketing, profiling, or resale.
4. Controller Responsibilities
The Controller is responsible for:
Ensuring that Personal Data is collected and processed lawfully, fairly, and transparently.
Providing all required notices and obtaining valid end-user consent (e.g., through a cookie banner or consent management platform) prior to sending data to PixelFlow.
Managing data subject rights requests and compliance obligations.
Ensuring that only necessary Personal Data is transmitted to PixelFlow.
Acknowledging that failure to obtain valid consent or comply with Applicable Law may result in liability for the Controller.
5. Processor Responsibilities
PixelFlow shall:
Process Personal Data solely on the documented instructions of the Controller.
Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Assist the Controller, within reasonable limits, in fulfilling its obligations regarding data subject rights, security, and breach notifications.
Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
Maintain transparency about subprocessors and provide updates for material changes.
Disclaimer: PixelFlow does not guarantee compliance for client-side implementations; the Controller remains fully responsible for ensuring scripts and tracking mechanisms comply with privacy laws.
6. Subprocessors
PixelFlow engages the following subprocessors:
Amazon Web Services (AWS) – infrastructure and hosting
MongoDB Atlas – database services
Framer – hosting of marketing website
Stripe – payment processing for customer accounts (not visitor tracking)
Meta (Facebook Conversion API) – event forwarding, when configured by the Controller
PixelFlow will maintain an up-to-date list of subprocessors. The Controller will be notified of material changes in accordance with Applicable Law.
7. International Data Transfers
Where Personal Data is transferred outside the EU/EEA, PixelFlow ensures that such transfers are subject to appropriate safeguards, including the use of the European Commission’s Standard Contractual Clauses (SCCs).
8. Data Retention and Deletion
In regards to data retention and deletion of data:
Customer account data is retained until the Controller deletes the account.
Event data is retained only for as long as required to provide analytics and reporting.
Upon termination of services, or upon request, PixelFlow will delete or return all Personal Data, unless retention is required by law.
9. Security Measures
PixelFlow implements industry-standard security measures, including:
Encryption of data in transit (TLS/HTTPS)
Access control and authentication mechanisms
Segregation of customer data within databases
Regular data backups and recovery procedures
Secure hosting with reputable vendors
10. Assistance with Compliance
PixelFlow will provide reasonable assistance to the Controller in demonstrating compliance with Applicable Law, including support with:
Responding to data subject rights requests
Conducting data protection impact assessments (DPIAs)
Managing security incidents and breach notifications
The Controller remains solely responsible for implementing consent mechanisms, ensuring lawful processing, and complying with all applicable privacy and data protection requirements.
11. Governing Law and Jurisdiction
This Agreement is governed by the laws of Ireland. Any disputes arising from or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Ireland.