Data Processing Agreement

Last updated: 29 June 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and PunchUp Digital Ltd, trading as TrackingCoder (“TrackingCoder”, “Processor”, “we”), a company registered in England and Wales. It governs our processing of Personal Data on your behalf when you use the TrackingCoder service, and applies where UK GDPR, the EU GDPR, or equivalent data protection law (“Data Protection Law”) applies.

If you require a countersigned copy for your records, email privacy@trackingcoder.com.

1. Roles of the parties

Account data. For data we collect to run your account (your name, email, billing history, the URLs you scan and the tracking configurations you create), TrackingCoder is the Controller. This is covered by our Privacy Policy.

Customer Data processed via the Service. Where the Service processes personal data relating to your end users on your behalf, primarily the events captured by TC Pro Monitor from visitors to your websites, you are the Controller and TrackingCoder is the Processor. This DPA governs that processing.

2. Subject matter and details of processing

  • Subject matter: provision of the TrackingCoder service, in particular TC Pro Monitor (real-time tracking-health monitoring).
  • Duration: for the term of your subscription, subject to the retention and deletion terms in section 8.
  • Nature and purpose: receiving, validating, pseudonymising, aggregating and storing tracking-event signals so we can show you whether your tags are firing and report on event volume and goals.
  • Types of personal data: a salted, daily-rotating one-way hash of the visitor IP address (we never store the raw IP), the page path, coarse device category, traffic source, and the curated event parameters you configure. A server-side denylist removes direct identifiers (for example user IDs, email addresses, phone numbers, names) before storage.
  • Categories of data subjects: visitors to the websites you choose to monitor.

We do not store the raw HTML of scanned pages after analysis, and we do not store raw IP addresses.

3. Our obligations as Processor

We will:

  • process Customer Data only on your documented instructions, including this DPA and your use of the Service, unless required by law (in which case we will inform you unless legally prohibited);
  • ensure personnel authorised to process Customer Data are bound by confidentiality;
  • implement appropriate technical and organisational measures as set out in section 6 (Article 32);
  • assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your obligations under Articles 32 to 36 (security, breach notification, and data protection impact assessments);
  • make available the information needed to demonstrate compliance with Article 28; and
  • at your choice, delete or return Customer Data at the end of the provision of services, as set out in section 8.

4. Sub-processors

You provide general authorisation for us to engage the sub-processors listed below. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give reasonable notice of any intended addition or replacement of a sub-processor (by updating this page); you may object on reasonable data protection grounds by contacting us within 30 days.

Sub-processor | Purpose | Region
Neon | Database hosting (account data, tracking configs, pseudonymised Monitor events) | EU / US
Clerk | Authentication and user account management | US
Stripe | Payment processing for credits and TC Pro subscriptions | EU / US
Vercel | Application hosting and content delivery | EU / US
Resend | Transactional and product email delivery | US

5. International transfers

Where Customer Data is transferred outside the UK or EEA (for example to a US-based sub-processor), we rely on an appropriate transfer mechanism, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, together with supplementary measures where required. The pseudonymisation described in section 6 is one such measure.

6. Security measures

  • Pseudonymisation: visitor IP addresses are reduced to a salted, daily-rotating one-way HMAC-SHA-256 hash at the point of ingest. The raw IP is never written to storage, and the daily salt rotation prevents linking activity across days.
  • Data minimisation: a denylist at ingest strips known direct identifiers and query strings, drops nested objects and arrays, and caps field lengths before any data is stored.
  • Encryption in transit: all traffic is served over TLS.
  • Encryption at rest: tracking IDs you store in the ID Vault are encrypted with AES-256-GCM using a key held server-side and never sent to the browser.
  • Access control: production data access is restricted to authorised personnel on a need-to-know basis.
  • Retention limits: raw Monitor events are automatically deleted after 90 days (see section 8).

7. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide the information reasonably available to help you meet your own notification obligations.

8. Retention, return and deletion

Raw Monitor events are retained for a rolling 90-day window and then automatically deleted; aggregated, non-identifying counts may be retained to power historical charts. On termination, or on your written request, we will delete or return Customer Data within a reasonable period, unless retention is required by law. You can request account deletion or a data export at any time by contacting privacy@trackingcoder.com.

9. Audit

On reasonable written request, and no more than once per year (unless required by a supervisory authority), we will make available information reasonably necessary to demonstrate compliance with Article 28, subject to confidentiality.

10. Customer responsibilities

You are responsible for establishing a lawful basis for the processing you instruct, for providing any required notices to your end users, and for obtaining any consent required under applicable ePrivacy / cookie rules before tags that read or write to a visitor’s device fire. The generated TrackingCoder tracking code supports Google Consent Mode v2 so it can respect your consent banner.

11. General

This DPA is governed by the laws of England and Wales. In the event of a conflict between this DPA and the Terms of Service in respect of data processing, this DPA prevails. For any data protection enquiry, contact privacy@trackingcoder.com.