This Data Processing Agreement ("DPA") forms part of the Terms of Service between ServerTrack (operated by Onecodesoft, hereinafter "Processor") and the user/company signing up for the service (hereinafter "Controller").

1. Definitions

"Customer Data" means any Personal Data that ServerTrack processes on behalf of the Customer via the Service, as more particularly described in this DPA.

"Data Protection Laws" means all applicable laws and regulations, including GDPR, CCPA, and applicable local laws in Bangladesh.

2. Purpose and Scope of Processing

The Processor shall process Customer Data only for the purposes described in this Agreement and only in accordance with the Controller’s documented lawful instructions.

1. Service Provision: To provide server-side tracking, event forwarding (Facebook CAPI, TikTok API, GA4), and analytics dashboards.
2. Data Optimization: To clean, hash, and format data to ensure higher match rates with advertising platforms.
3. Research & Improvement (Important): The Controller agrees that the Processor may de-identify and aggregate Customer Data ("Anonymized Data") to create benchmarks, improve the tracking algorithm, and conduct internal research. The Processor guarantees that Anonymized Data will never identify the Controller or any individual user.

3. Confidentiality

The Processor ensures that all personnel authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

We do not sell, rent, or trade your raw data to third parties. Data is only shared with the destinations configured by you (e.g., Meta, Google) for the purpose of your marketing activities.

4. Security Measures

The Processor implements appropriate technical and organizational measures to protect Customer Data, including:

• Encryption of data in transit (TLS 1.3) and at rest.
• Strict role-based access control (RBAC) for Onecodesoft employees.
• Regular automated backups with 7 to 30-day retention policies (depending on plan).
• Automatic hashing of PII (Personally Identifiable Information) such as emails and phone numbers before transmission to ad platforms.

5. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors to provide the Service:

• Digital Ocean: Cloud Infrastructure & Hosting (Germany/Finland).
• Cloudflare, Inc.: DNS, SSL Management & CDN.
• Redis Ltd: Data caching and queue management.

6. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor relies on Standard Contractual Clauses (SCCs) as the transfer mechanism to ensure adequate protection.

7. Data Retention & Deletion

Upon termination of the Service, the Processor shall delete all Customer Data within 30 days, unless applicable law requires storage. The Controller may request data deletion at any time via the dashboard.

Appendix 1: Details of Processing

Subject Matter: Processing of website visitor events (PageViews, Purchases, Leads) for marketing attribution.

Nature of Processing: Collection, hashing, storage, and forwarding via API.

Types of Personal Data: IP addresses, User Agents, Hashed Emails, Click IDs (fbc/fbp), Browser Cookies.