Terms of Use
tinyvisits.com
Effective as of: May 29, 2026

These Terms of Use (the “Terms”) shall govern relationships between Algopine s.r.o. with registered office at: Klincová 37, Slovak Republic, Business ID no: 51 983 702, registered in the Commercial Register, kept by Municipal Court Bratislava III, Section Sro, File no. 132248/B, (the “Company”, “Tinyvisits”, collectively “we”, “us”, “our”) and Clients (hereinafter “Client” or “you”, “your”) with regard to the tinyvisits.com services (hereinafter “Services”) and usage of our website provided by the Company where there are no other agreements in place.

By visiting this website, purchasing our Services, you agree to be bound by the following Terms. Notwithstanding provisions of other agreements you can enter into with us, these Terms shall prevail with respect to issues not addressed by such other agreements. If you disagree with these Terms or any part of these Terms, you must not use this website and our Services.

Definitions
The following terms used in these Terms have the following meanings:

"Applicable Law" means any statute, statutory instrument, bye-law, order, directive, treaty, decree or law; and legally binding rule, policy, guidance or recommendation issued by any governmental or statutory body, which relates to these Terms;

“Applicable Privacy and Data Protection Law” means the EU GDPR, e-Privacy directive No. 2002/58/EC, e-Privacy regulation when adopted, any applicable EU Member State data protection and privacy laws or implementations, the Swiss Federal Data Protection Act of 19 June 1992, if applicable, UK GDPR and Data Protection Act 2018 if applicable, the California Consumer Privacy Act and US Children’s Online Privacy Protection Act, if applicable, and any amendments thereof;

“Fees” or “Fee” means the financial remuneration for the Services provided to the Client and paid to us in the amount and in accordance with the payment terms agreed under these Terms;

“Client” means a subject that uses the Services, typically a business or an organization that runs a website for which the Services are ordered;

“Client Account” means the dedicated access account created by the Client within the Platform for the purpose of using the Services;

“Platform Data” means all data (including Client Personal Data), (e.g. IP address, cookie ID, user browser agent, website) or non-personal data (aggregated statistics, approximate geographical location, e.g. city, state, etc.) that the Client entrusts for our processing by uploading it to the Platform or by providing it to us via use of our Services under the Data Processing Agreement;

“Data Processing Agreement” or “DPA” means data processing agreement concluded between the parties as per Schedule no. 1;

"GDPR" means the General Data Protection Regulation adopted at the level of the European Union;

“Intellectual Property Rights” or “IPR” means any work, information, patent, database, trademark, code, source code, graphic, software, its documentation, name, mark, image, text, meta-tag or other item protected or eligible for protection under applicable intellectual property or copyright laws that belongs to the Company or rights to which belong to the Company;

“Privacy Policy” means the Company's Platform Privacy Policy available and updated from time to time at: tinyvisits.com/privacy-policy;

“Platform” means the platform tinyvisits.com owned and operated by the Company as a strictly privacy respectful website analytics SaaS;

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;

“SaaS” means Software as a Service; it is a cloud-based model for delivering software applications involved in Platform to Client’s website.

“Services” are “software-as-a-service” type of online services that the Company provides via the Platform to its Clients.

1. Terms of Use
1.1 Client agrees and accepts these Terms via the functionality of the Platform by clicking “Accept Terms” (or similar command referring to these Terms), by using the Services and the Platform or by accepting or approving any offer of Services or Platform by the Company that incorporates these Terms by reference. These Terms are concluded by electronic means only and form the entire agreement between the Parties.

1.2 Services are available to the Client upon acceptance of these Terms and after a completed registration of the Client Account on the Platform. Client represents and warrants that the person completing the Client Account is an authorized representative of the Client.

1.3 The Client agrees to use the Services for the purpose intended by and in accordance with these Terms, in accordance with applicable laws and any other rules that may apply to the Client. Any use of the Services that is contrary to the rules so defined shall be deemed to be a material breach of the Terms.

1.4 The Company uses reasonable efforts to maintain the continuous availability of Services. However, Client acknowledges and agrees that Services may not be available at any time without breach of these Terms.

1.5 The Company reserves the right to immediately stop providing any Services and remove any Client Account that is being used or is reasonably deemed to be used in violation of these Terms or applicable laws.

1.6 The Client hereby declares that the Client has been duly instructed and acknowledges that the Services are made up of electronic content not delivered on a tangible medium, and that the use of the Services has been commenced with the Client's express consent, whereby, at the same time, the Client ceases to have the right to withdraw from the Terms in accordance with the relevant legislation applicable to the consumer protection in the sale of goods or provision of services under a distance contract.

2. Services
2.1 Unless otherwise agreed by the Parties, the Client shall select and implement the Services in one of the following two modes:

  1. Full analytics mode, which comprises: (i) preparation of analytics insights and dashboards; (ii) evaluation of website traffic allowing understanding of all core Client’s website visitor metrics – e.g. page views, uniques, popular pages, sources; (iii) Consent management platform (CMP) allowing granting and withdrawal of consent with cookies and similar technologies; and (iv) tracking of the visitor browsing strictly and only after obtaining valid visitor consent via the CMP. For the avoidance of doubt, this mode does not utilize any “consent-less pings” or any form of data collection or access to the visitor’s device prior to obtaining consent;

  2. Minimalistic analytics mode, which comprises: (i) preparation of analytics insights and dashboards; and (ii) processing of visitor page views without user consent for the purpose of aggregate statistical website traffic measurement. This mode is specifically designed to meet the requirements for consent exemption by utilizing immediate anonymization of identifiers in the volatile memory (RAM) and producing only anonymous aggregate statistics that do not allow the identification of individual visitors.

2.2 For each specific website (domain) owned or operated by the Client, only one mode (either (a) Full analytics mode or (b) Minimalistic analytics mode) may be active at any given time. If the Client uses the Services for multiple websites, the Client may choose a different mode for each individual website; however, a single website cannot utilize both modes simultaneously.

2.3 The Company shall duly provide the Services in accordance with the selected mode and these Terms. The Client is solely responsible for: (i) the choice of the mode; (ii) ensuring that the selected mode and its implementation on the Client's website comply with the Applicable Privacy and Data Protection Law in the relevant jurisdiction; and (iii) providing any necessary transparency information to its visitors regarding the chosen mode of analytics.

3. Platform
3.1 Ownership. The Platform is operated and remains fully and exclusively owned by the Company. The Client is allowed to use the Platform only to the extent provided for in these Terms on a strictly non-exclusive basis.

3.2 SaaS. The Platform is operated and provided by the Company on a “software as a service” basis as part of the Services; it is a cloud-based model for delivering software applications involved in Platform to Client’s website. The Client acknowledges that the Company continuously develops the Platform and that the list of individual software solutions, tools, engines or components the Platform comprises, as well as their in-house names or designations, continuously changes without the need to amend the Terms or notify the Client.

3.3 3rd party downtime. Client agrees that unavailability of third-party systems (i) may affect the availability of the Platform and/or the Services, (ii) is beyond the control of the Company, (iii) will not be part of computations regarding the uptime guarantee, and (iv) will result in no refunds to Client.

3.4 Force Majeure Event. The Company shall not be responsible for delays or failures in performance of these Terms resulting from a Force Majeure Event. The Company will make commercially reasonable efforts to re-establish Services as soon as possible in the event of a Force Majeure Event.

3.5 Beta and Beta Testing Program. Some, or all parts of Services may from time to time be available for selected Clients in Beta version format. Such features or parts of Service are marked as "Beta", or otherwise similarly marked as Beta on Service website. Beta version is provided on an "as is" basis without warranty of any kind, whether express or implied, including without limitation, the implied warranties of merchantability, non-infringement, accuracy, completeness, performance and fitness for a particular purpose. Beta version may contain bugs, errors, may not work properly and contain other problems. Notwithstanding anything to the contrary, Company shall not be responsible for any indirect, exemplary, incidental, special or consequential damages, for error or interruption of use or for loss or inaccuracy or corruption of data or cost of procurement of substitute goods, services or technology or loss of business.

4. Fees, Invoicing and Payment Terms
4.1 Fees. Services are provided for monthly Fees to be paid by the Client. Fees for the provided Services are determined based on the number of page views from the previous calendar month recorded by the Platform. Fees are divided into the following categories:



Number of Page Views per Month / Number of Websites | Monthly Fee
Up to 5,000 Page Views / 1 Website | 6 EUR
Up to 10,000 Page Views / Up to 2 Websites | 10 EUR
Up to 25,000 Page Views / Up to 4 Websites | 19 EUR
Up to 100,000 Page Views / Up to 10 Websites | 59 EUR
Up to 500,000 Page Views / Up to 20 Websites | 119 EUR
Over 500,000 Page Views / 21+ Websites | Contact us - custom pricing

4.2 Fees are the only remuneration for the Service; there is no other subscription, license fee or similar payment. If the mode monthly number of page views in a given 3-month period exceeds the limit of the relevant price category, the Fee for the following month will be automatically adjusted according to the updated number of page views and it will remain so for the following months.

4.3 Invoicing. Client will be invoiced on a monthly basis and in electronic form only, using invoicing details provided by the Client via the Platform with due date of 7 days. The Client remains responsible for updating correct invoicing details to the Company. The invoice will be delivered to the Client via the functionality of the Platform or via email, at the Company’s discretion. The invoice date will be moved one month forward from the date of the first payment for the Service. Payment and invoicing will be carried out automatically through a 3rd party payment service provider (e.g., Frisbii).

4.4 VAT. The Fees are exclusive of any applicable VAT or any sales tax which shall be added to such amounts pursuant to any local and international tax legislations. The Client shall pay all applicable taxes if invoiced or as may be applicable in accordance with this clause.

4.5 Non-payment. If the Client fails to pay any Fees on time, the Company may (without prejudice to its other rights or remedies) charge the Client late payment interest on such due sums at the rate of 10% per annum above the base statutory late payment fee and terminate provision of the Services in accordance with Section 7.2 below.

5. Intellectual Property Rights
5.1 The Client or its licensors shall retain all right, title and interest in and to the Client IPR and Platform Data and the Company or its licensors shall retain all right, title and interest in and to the Company IPR.

5.2 The Company may use Client IPR and Platform Data only to provide the Services to the Client and to perform other rights and obligations under these Terms save that the Company may further use the Platform Data for: (i) improving the quality and reliability of the Platform; and, (ii) maintaining the security and operational integrity of the Platform or Services, including for security monitoring and incident management, managing the performance and stability of the Platform.

5.3 The Client agrees not to remove, suppress or modify in any way any proprietary marking on the Platform or Services (including any trademark or copyright notice).

5.4 Compliance Materials and Limited License. The Company provides certain specialized documents, including but not limited to, the Privacy Policy excerpts, LIA templates, and DPIA pre-assessments (the "Compliance materials"). The Client acknowledges that all right, title, and interest in and to the Compliance materials, including the specific legal-technical argumentation, structure, and underlying know-how regarding the Platform’s data processing methods, remain the exclusive property of the Company. The Company grants the Client a non-exclusive, non-transferable, and revocable license to access and use the Compliance materials solely for the Client’s internal regulatory compliance related to the use of the Services and for the duration of the Client’s active, paid subscription. This license is strictly limited to the domains/websites covered by the subscription. Access to Compliance materials is provided exclusively through the Platform dashboard. The Client is prohibited from downloading, copying, or using the Compliance materials for any purpose after the termination of the subscription or sharing or sub-licensing the materials to third parties. The Compliance materials are provided for guidance purposes only and do not constitute legal advice. The Client remains solely responsible for ensuring its own legal compliance and for any final adjustments to the materials based on their specific legal and business context.

6. Liability
Nothing in these Terms shall limit or exclude a party's liability for (i) death or personal injury caused by its negligence; (ii) fraud; or (iii) any other liability which cannot be excluded by applicable law. Subject to the previous sentence, neither party shall be liable to the other for any: loss of profit, revenue, goodwill, anticipated savings, corruption of data or account of profits (in each case whether direct or indirect); or indirect loss, arising out of or in connection with these Terms or any breach or non-performance of them no matter how fundamental (including by reason of that party’s negligence). Subject to the above, each party’s maximum aggregate liability arising out of or in connection with these Terms or any breach or non-performance of them no matter how fundamental (including by reason of that party’s negligence) will be limited to 100% of the total Fees actually paid in the 3 months prior to the date on which the first claim was made by the other party.

7. Term and Termination
7.1 The Services are provided for an indefinite period, until terminated by any party. The Services may be terminated by the Client at any time upon serving the Company 1 month prior written notice submitted by e-mail or by clicking a "Cancel service", "Cancel plan" or similar link inside Platform dashboard. If the Client materially breaches the Terms, the Company may unilaterally terminate all Services and Client’s Account.

7.2 Upon termination, suspension or expiry of the Services for any reason: (i) the Client shall immediately cease using the Services and the Company IPR, the Client will remove all of Tinyvisits’ consent banner and page view tracking logic and code snippets from Client’s websites and the Client shall pay all outstanding Fees and payments due under the Terms; (ii) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of these Terms that existed at or before the date of termination or expiry, shall not be affected or prejudiced and unless expressly agreed otherwise, all licences and access rights granted shall immediately terminate; (iii) the Company suspends and deactivates the Client Account; and (iv) the Company deletes the Platform Data provided the Client had already downloaded the Platform Data and informed the Company it does not need the Platform Data or had at least 1-month prior notice and opportunity to download such data before their permanent deletion.

8. Confidentiality
Parties shall treat all Platform Data and other sensitive information labelled as confidential by the other party as confidential information and shall only disclose such confidential information in the manner and to the extent expressly permitted by this section. A party may disclose confidential information: (i) if and to the extent required by law or order of the courts, or by any securities exchange or regulatory or governmental body to which such party is subject, wherever situated; (ii) on a necessary basis and under conditions of confidentiality to the professional advisers, auditors and bankers of such party; (iii) if such confidential information has come into the public domain other than by a breach of any obligation of confidentiality; or (iv) with the prior written approval of the other party. The Company may disclose confidential information to any of its employees or contractors who need access to that confidential information for the Company’s obligations to be performed or to defend any claim.

9. Data Protection
9.1 For any processing of personal data by virtue of providing the Services, the parties will comply with the Data Processing Agreement set out in Schedule No. 1 to the Terms under which the Company acts as the Client’s data processor.

9.2 With regard to confidentiality, the parties acknowledge that the Company, as part of providing, testing, load testing and improving the Services, creates aggregated, irreversibly anonymised and completely de-linked data by way of patterns, trends, knowledge, metadata or other insights: (i) by aggregating Platform Data with other data in a de-identified and fully and irreversibly anonymised manner; and/or (ii) comprising anonymous learnings, logs and data regarding the use by the Client of the Services (jointly as the “Anonymised Data”). The parties agree that the Company may use such Anonymised Data for any lawful business purpose during or after the relevant Term (including without limitation to develop, provide, operate, maintain, and improve the Company products and services and to create and distribute reports and other materials). For the avoidance of doubt, the Company shall not use the Anonymised Data (nor Platform Data) for any direct marketing purposes, communicating with end users or singling out any devices or individuals on its basis.

9.3 Page View Tracking End-User Consent. The Service collects page views on Client’s website based on the mode selected by the Client. The Client may choose and implement only one mode per specific website (domain) at any given time. If the Client operates multiple websites, a different mode may be selected for each individual website:

(a) Full analytics mode: Page views and visitor metrics are collected and tracked for example by placing and activating a short JavaScript (JS) or similar snippet, strictly and only after obtaining valid prior end-user consent.

(b) Minimalistic analytics mode: Page views are processed for aggregate statistical website traffic measurement without the need for individual end-user consent, utilizing immediate and irreversible anonymization of identifiers in the volatile memory (RAM) before any data is stored.

9.3.2 The Client, acting as the sole controller, is always obliged to verify with its legal counsel whether to obtain end-user consent under Article 5(3) of the ePrivacy Directive (as implemented in the relevant jurisdiction), or under similar Applicable Data Protection Law (including jurisdictions outside the EU/EEA), before starting the page view collection by Tinyvisits. This obligation applies regardless of the selected mode.

9.3.3 For the Full analytics mode, it is necessary to use end-user consent, which can for example be obtained by using one of the industry-standard cookie banner consent platforms (CMP), or by using a JS or similar snippet provided by the Company to the Client through our integration and setup pages. For the Minimalistic analytics mode, while designed to meet certain consent-exemption criteria, the Client remains responsible for ensuring this approach is compliant with the laws applicable to their specific users and territory.

9.3.4 If the Client or its end-users are located outside the EU/EEA, the Client is solely responsible for ensuring that the chosen mode and the method of data collection comply with all local privacy regulations (e.g., CCPA/CPRA, LGPD, etc.).

9.3.5 The Client expressly agrees that the Company has no liability for complying with or breaching any legal requirements regarding end-user consent. The Company provides the technical infrastructure, but the decision on how to use it and whether to trigger tracking remains the sole responsibility and at the sole risk of the Client.

9.3.6 The utilization of Minimalistic analytics mode without end-user consent is strictly conditioned upon the Client’s commitment to transparency. To ensure maximum legal compliance and alignment with the principles of privacy-by-design, the Client is obliged to align its own website’s Privacy Policy (or similar transparency notice) with the “Compliance package” provided by the Company as Schedule No. 2 to these Terms. The Client hereby expressly acknowledges and accepts the legal warnings, jurisdictional risk assessments, and strict conditions for use set forth in the Compliance package. While the Company provides the Compliance package as a recommendation and a technical guide, the Client remains solely responsible for the actual implementation, accuracy, and legality of its privacy notices under the laws applicable to the Client and its end-users.

9.4 Children. The Client remains solely responsible for complying with Applicable Data Protection Laws specifically addressing processing personal data or information about children (for example COPPA), including the need to obtain parental consents or approvals. The nature of the Services does not allow the Company to verify the age of end-users, which the Client accepts. The Client agrees the Company has no liability for complying with or breaching the above legal requirement.

10. Prohibited activities
The Client will not, directly or indirectly: interfere with the Services to cause any disruption or limitation of proper functioning of the Services; attempt to gain unauthorized access to any part of the Services; engage in any hacking activities directed against the Services; initiate or participate in any DoS / DDoS or similar attacks directed against the Services.

11. Final provisions
11.1 Publicity. The Client hereby agrees that the Company can publish general information about collaboration with the Client on its websites, social media and marketing materials including using the Client’s business name and trademarks as well as company name, logos, marks.

11.2 Severance. If any term under these Terms is or becomes invalid, illegal or unenforceable, the parties shall negotiate in good faith to amend such provision so that, as amended, it is valid, legal and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision. Any modification to or deletion of a term shall not affect the validity and enforceability of the rest of the terms.

11.3 Governing law and jurisdiction. The Terms and any disputes or claims arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with laws of Slovak Republic. The Parties agree that the Slovak courts shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms.

11.4 Amendments. These Terms may be updated and amended unilaterally by the Company from time to time with effect as of their publishing on the Platform or at a different domain determined by the Company. A new version of the Terms is effective as of its publishing or as of the later effective date specified therein.

Schedule 1 – Data Processing Agreement
This Data Processing Agreement is an integral part of the Terms by and between the Client as the data controller and the Company as its data processor with regards to the processing of personal data by the Company on behalf of the Client within the context of provision of Services. Terms used in this Data Processing Agreement shall be interpreted in line with Article 4 of the GDPR.

1. Subject-matter
The Client hereby appoints the Company as its data processor to process the personal data on its behalf. Each party shall comply with its obligations under the Applicable Privacy and Data Protection Law. For the purposes of the GDPR and other Applicable Privacy and Data Protection Laws, although the Company is a separate legal entity, it acts strictly as a Processor (and not as a “third party” as defined in Article 4(10) of the GDPR) in relation to the Platform Data. The Company processes data solely under the instructions and within the legal sphere of the Client.

2. Duration and termination
This DPA forms an inseparable part of the Terms. The Client acknowledges that it might be impossible to provide Services in accordance with the Terms without processing the personal data pursuant to this DPA. Therefore, this DPA can only be terminated by termination of the Terms as a whole. Upon termination of the Terms, the Company shall at the choice of the Client either return or securely delete all personal data processed under such Terms, unless there is a requirement or entitlement to store such data longer under the EU law or the EU member state law or any Slovak law that applies to the Company or in respect of personal data which is archived on back-up systems, in which event the Company shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible.

3. Nature of processing
The nature of personal data processing under this DPA is determined by the nature of Services mode provided by the Company and selected by the Client with the following characteristics:

a) Full analytics mode: The Company processes personal data (including online identifiers) to provide comprehensive traffic analysis, triggered strictly only after valid visitor consent is obtained.

b) Minimalistic analytics mode: The Company performs technical operations (short, technically necessary processing of the visitor’s “ping”) to achieve immediate and irreversible anonymization of identifiers in the volatile memory (RAM). The stored output consists of aggregate statistical information which does not allow for the identification of individuals as: (i) processing of personal data shall only be made as far as necessary to provide the Services; (ii) the processing should generally appear as done by the Client as the principal / data controller; (iii) the Company does not have access to all data held by the Client or third party, which can be used for the potential identification of Clients pursuant to the recital 26 of the GDPR. This processing is a transient technical step required to generate aggregate statistical information for the Client. No persistent storage of personal data occurs during this technical "ping" processing.

4. Purposes of personal data processing
The Client appoints the Company to process the personal data for the following purposes of processing undertaken by the Client: (i) use of marketing analytics tools; (ii) targeting and personalization of Ads; (iii) fulfilment of legal obligations (related to GDPR consent); (iv) statistical purposes.

5. Types of personal data
Parties do not foresee processing of special categories of personal data pursuant to Article 9 of the GDPR or personal data about criminal convictions pursuant to Article 10 of the GDPR. Parties foresee processing of the Platform Data as explained in the Platform Privacy Policy. Parties will apply this DPA to any Platform Data irrespective of whether it constitutes personal data or not.

The parties foresee processing of the Platform Data as explained in the Privacy Policy. This includes:

a) Full analytics mode: IP addresses, cookie IDs, User-Agent, referrer, and approximate geographical location.

b) Minimalistic analytics mode: Temporary IP addresses (processed only for immediate anonymization), truncated User-Agent, and truncated referrer.

6. Categories of data subjects
The personal data processed by the Company will primarily relate to end-users or visitors of Client’s websites on which the Company’s tools are integrated by virtue of the Services.

7. Sub-processors
The Client grants the Company a general authorization to engage further processors (sub-processors) to support the performance of the services. A current list of sub-processors engaged by the Company with access to personal data is set out in Annex 2 of this Agreement.

The Company shall ensure that it has entered into a written agreement with each sub-processor that imposes data protection obligations no less protective than those set out in this Agreement. The Company remains fully liable to the Client for the performance of the sub-processor’s obligations.

The Company shall inform the Client of any intended changes concerning the addition or replacement of sub-processors. The Client may object to such changes on reasonable grounds. For the sake of transparency and accessibility, the Company may also maintain an up-to-date list of sub-processors at a dedicated URL: https://tinyvisits.com/terms/#dpa

8. Cross-Border Transfers
The Client acknowledges that the Company might use services and sub-processors established outside the European Economic Area. The Company shall ensure that Articles 44-50 of the GDPR are complied with in respect of such cross-border transfers. Under these conditions, the Client hereby gives consent to the Company to transfer personal data from the European Economic Area to other third countries where approved Sub-processors are located, provided that, where this amounts to a restricted transfer, it takes such measures as are necessary to ensure that such restricted transfer is in compliance with Applicable Privacy and Data Protection Law.

9. Documented Instructions
The Company shall process the personal data only in accordance with documented instructions by the Client. The Client’s selection of Full analytics mode or Minimalistic analytics mode within the Platform settings constitutes a specific documented instruction. Certain general authorizations and documented instructions are already contained in these Terms and this DPA which are hereby given by the Client to the Company. Any other general authorizations or documented instructions of the Client can be given to the Company in writing, orally, by email, by post, by telephone or by similar means, provided such means can be documented. It remains the responsibility of the Client to record or document such instructions. The Company is obliged to inform the Client if it believes that the Client’s instruction would infringe the GDPR or other law.

Notwithstanding the instructions provided by the Client, the Client acknowledges and agrees that the Company may process raw Platform data (including full IP addresses) for the purposes of ensuring network and information security, operating firewalls, detecting and mitigating DDoS attacks, or conducting forensic incident analysis. For these specific security-related purposes, the Company acts as an independent data controller (and not as a Processor), relying on its legitimate interests as a cloud service provider pursuant to Article 6(1)(f) of the GDPR. The Client hereby grants the Company a permitted deviation from the Client’s documented instructions and purposes to the extent necessary to fulfill these security and platform-integrity objectives.

10. Local Law
The Client shall inform the Company about any local deviations or country-specific provisions of the Applicable Privacy and Data Protection Laws where such provisions do not explicitly stem from, are contrary to, or are different from those in the GDPR. Unless the Company receives such information from the Client sufficiently in advance, it shall not be obliged to comply with such a requirement.

11. Data Subject Rights
According to Article 28(3)(e) of the GDPR, the Company acting as a data processor shall, insofar as this is possible and taking into account the nature of the processing, assist the Client as a data controller with the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR. The Company will comply with this obligation by providing supporting information available to it upon request of the Client. Such supporting information may include an updated list of sub-processors, recipients and respective third countries. However, the Company shall not be obliged or requested to handle or respond to the data subject request regarding the Client’s purposes of processing; such requests should be handled and responded to exclusively by the Client. Should the Company receive a data subject request that is related to this DPA, the Company will forward such request to the Client without undue delay.

12. Legal Grounds
The legal grounds for processing of the personal data pursuant to this DPA are determined by the Client and are subject to change mainly due to a possibility of a different regulatory approach by different EU supervisory authorities. For Full analytics mode, the Client typically relies on data subject's consent under Article 6(1)(a) of the GDPR. For Minimalistic analytics mode, the Client may rely on legitimate interest under Article 6(1)(f) of the GDPR or, where applicable, on the performance of a contract with the data subject under Article 6(1)(b) of the GDPR (e.g., if the analytics are a strictly necessary part of a service requested by the user, or the "strictly necessary" exemption under e-Privacy). It remains the sole responsibility of the Client to comply with Article 6 GDPR and to obtain consent of the data subjects, where required. The Company relies on the Client to have sufficient legal grounds to undertake processing via the Company foreseen by this DPA.

13. Transparent Information
Every data controller has a general obligation to provide certain information to data subjects pursuant to Article 13 or Article 14 of the GDPR. The Client is responsible for providing this information in respect of the purposes of processing contemplated herein as well as for complying with any transparency principles and obligations towards data subjects under Applicable Privacy and Data Protection Law. The Privacy Policy does not serve this purpose and is not intended for the data subjects and end-users but rather for the Client.

14. Confidentiality
The Company shall implement such organizational measures that ensure all the Company personnel are committed to confidentiality in respect of the personal data processed under this DPA either mutually, by law or by internal policies.

15. Security
The Company will maintain, implement and enforce safety and security procedures in performing the Services that are compliant with Article 32 of the GDPR.

16. Security incidents
If it becomes aware of a confirmed security incident, the Company shall inform the Client without undue delay and shall provide reasonable information and cooperation to the Client so that the Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Privacy and Data Protection Laws. The Company shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the security incident and shall keep the Client informed of all material developments in connection with the security incident.

17. Audits
The Company shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and the Client may request, upon 3-month prior written notice to the Company, an audit of the Company’s compliance with its obligations under this DPA and the GDPR, no more than once per calendar year. Audits shall be subject to all applicable confidentiality obligations agreed to by the Client and the Company and shall be conducted in a manner that minimizes any disruption of the Company’s performance of Services and its normal business operations. Audits shall not uncover or lead to disclosing any Confidential Information. Any costs for undertaking audits or making available to the Client all information necessary to demonstrate compliance with Article 28 of the GDPR shall be borne by the Client including reasonable attorney fees expended by the Company.

18. Data Protection Impact Assessment
The Client remains solely responsible for conducting the data protection impact assessment pursuant to Article 35 of the GDPR and prior consultation pursuant to Article 36 of the GDPR with respect to its own purposes of processing. The Company agrees to reasonably assist the Client when conducting its own DPIA.

19. CCPA
The Company does not sell Platform Data to others within the meaning of the California Consumer Privacy Act of 2018.

20. Technical-Organisational Measures
The Company shall structure its internal organisation to satisfy the specific requirements of data protection. Appropriate technical and organisational measures shall be implemented to protect the Client’s data in accordance with Art. 32 GDPR. These measures are designed to ensure the continuous confidentiality, integrity, availability, and resilience of the processing systems and services.

The specific technical and organisational measures are detailed in Annex No. 1 of this Agreement. The Client acknowledges these measures and confirms that they provide an adequate level of protection relative to the risks associated with the data being processed.

The technical and organisational measures are subject to ongoing technical advancement and development. The Company is permitted to implement alternative adequate measures, provided that the overall security level is not diminished. Any significant changes to these measures shall be documented.

ANNEX 1: DETAILED TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)


Area / Category of measure: Specific implementation and parameters of tinyvisits

1. Physical access control
  • Processing takes place in ISO 27001 certified data centres within the EU.
  • Entry to data centres is protected by electronic access control, 24/7 security staff, and surveillance.
  • Access to office premises is restricted via physical locks and the building is monitored by a CCTV system in common areas.
  • Strict "clean desk" policy and secure disposal of any physical documents.

2. Electronic access control
  • All administrative access is strictly restricted to authorized personnel and requires individual user accounts. Authentication is enforced through strong credentials combined with multi-layered verification methods.
  • Access to servers is limited to a strictly defined range of IP addresses (IP whitelisting).
  • Remote access for maintenance is performed exclusively via encrypted and authenticated connection.
  • Remote access to company systems is strictly controlled and secured via strong multi-layered authentication and encrypted connections, and all laptops used for home office are equipped with full-disk encryption and firewalls.

3. Internal access control (rights)
  • Differentiated access rights (e.g., Support vs. Admin).
  • Regular quarterly reviews of all granted user rights and immediate revocation upon termination of employment.
  • Logging of obtaining privileged access in production environment.

4. Transfer and disclosure control
  • All data in transit is encrypted using industry-standard protocols (HTTPS).
  • Use of state-of-the-art cipher suites to prevent interception.
  • No sharing of identifiable data with third-party networks or data brokers.
  • Direct database access is blocked for all external traffic and restricted to the application layer.

5. Input and integrity control
  • Input validation and sanitization on the software level to prevent SQL injection or cross-site scripting.
  • Use of version control systems (Git) for all infrastructure-as-code and software changes.

6. Availability and resilience control
  • Geo-redundant server failover architecture within the EU.
  • The Platform infrastructure is subject to continuous automated monitoring of performance, availability, and resource utilization.
  • DDoS protection to manage traffic spikes.
  • Regular automated backups with periodic recovery testing.

7. Separation and deletion control
  • Development, staging, and production environments are physically or logically isolated.
  • Analytics data is stored in separate databases from billing/customer account data.
  • Identifiable technical data exists only in volatile memory (RAM) and is deleted immediately after the anonymization process.

8. Pseudonymization & Privacy-by-design
  • No storage of persistent identifiers on the user's device. (1)
  • IP addresses are processed in RAM and discarded after being converted to approximate geographical location.

9. Job control (outsourcing)
  • Careful selection of sub-processors (cloud providers) based on GDPR compliance (Art. 28).
  • Mandatory Data processing agreements (DPA) with all technical service providers.
  • Regular monitoring of sub-processor compliance and security certifications.

10. Evaluation and review procedures
  • Regular vulnerability scanning and periodic penetration testing by qualified personnel.
  • Continuous training of employees regarding data protection and information security.

ANNEX 2: SUB-PROCESSOR LIST


  • Entity Name: Hetzner Online GmbH (https://www.hetzner.com/legal/privacy-policy)
    Function / Service Provided: Data hosting (Server provider)
    Location: Germany (EU) / Finland (EU)
    Legal Basis: DPA based on Art. 28 GDPR

  • Entity Name: Worldstream B.V. (https://www.worldstream.com/media/uploads/2025/05/Worldstream-Personal-Data-Processing-Policy-EN.pdf)
    Function / Service Provided: Data hosting (Server provider)
    Location: Netherlands (EU)
    Legal Basis: DPA based on Art. 28 GDPR

  • Entity Name: OVH Hosting Limited (https://www.ovhcloud.com/en-ie/terms-and-conditions/privacy-policy/)
    Function / Service Provided: Data hosting (Server provider)
    Location: Ireland (EU) / France (EU)
    Legal Basis: DPA based on Art. 28 GDPR

  • Entity Name: Myra Security GmbH (https://www.myrasecurity.com/en/privacy-policy/)
    Function / Service Provided: Bot protection
    Location: Germany (EU)
    Legal Basis: DPA based on Art. 28 GDPR

  • Entity Name: Frisbii Germany GmbH (https://frisbii.com/data-protection-notice/)
    Function / Service Provided: Payment processor
    Location: Germany (EU)
    Legal Basis: DPA / Financial Regulations

Schedule 2 – Compliance package
This compliance package is designed to assist the Client in meeting transparency requirements when utilizing Minimalistic analytics mode. To achieve maximum compliance, the Client is advised to incorporate the following information into their website’s Privacy policy or Cookie notice.

PART A: PRIVACY POLICY TEMPLATE (For the Client’s Website)
(The Client may copy and adapt the following text for their own transparency documents. These provisions are intended to amend and supplement the Client’s existing Privacy policy in a proportionate manner regarding the use of privacy-friendly analytics):

Introduction and Legal Effect
The following provisions describe the technical and legal framework for the audience measurement and website analytics performed by the Controller. These terms supplement and, where applicable, amend the Controller's general Privacy Policy. In the event of any conflict between these specific provisions and the general Privacy Policy regarding the processing of technical identifiers for analytical purposes, these provisions shall prevail as lex specialis.

Website analytics
We use the Tinyvisits platform, a privacy-respecting analytics service, to understand how visitors interact with our website. To protect your privacy, we have configured this service in its "Minimalistic mode," which operates without the use of cookies or persistent tracking identifiers.

1. Purposes of processing
We process data strictly for analytical and statistical purposes, which consist primarily of the following processing operations:

  • Measuring website traffic and audience reach.

  • Identifying which pages are most popular and which sources (referrers) bring visitors to our site.

  • Technical optimization of our website performance and error detection.

We do not use this data for profiling, behavioral advertising, or cross-site tracking.


2. Legal basis
Access to your device information is limited to what is "strictly necessary" to provide the web service you requested and to perform anonymous aggregate measurements (in line with guidelines from European regulators such as CNIL).

The processing of temporary data for anonymization is based on our Legitimate interest (Art. 6(1)(f) GDPR) to improve our website’s efficiency and user experience in a non-intrusive manner.

3. Exemption from Consent
In accordance with applicable electronic communications laws (ePrivacy), the storage of information or gaining of access to information already stored in your terminal equipment is lawful without your prior consent if it is strictly necessary for the following purpose:
The creation of aggregate information about the use of an online service for measuring the audience of such service, provided that this is carried out by the provider of the online service solely for its own use.

Our use of Tinyvisits in Minimalistic mode fulfills these criteria because it is used exclusively by us to measure our own website reach and performance, without creating individual user profiles or sharing data with third parties for their own purposes.

4. Data retention
  • No personal identifiers (such as your full IP address) are ever stored on a permanent disk.

  • Statistical aggregate data (which does not identify individuals) is retained for a period of up to 13 months for historical comparison.


5. Anonymization technology
To ensure this measurement is non-intrusive:

  • Your IP address is processed only in the server's volatile memory (RAM) and is immediately and irreversibly anonymized. No raw personal identifiers are ever stored on a disk or in a database.

  • This mode does not use cookies or persistent identifiers to track your behavior across different websites (no cross-site tracking).

  • We do not use the data for profiling, automated decision-making, or behavioral advertising.


6. Your rights and Opt-out
Even though we do not identify you, you have the right to object to this measurement. You can prevent being counted in our aggregate statistics by clicking here: [Link to Client’s Opt-out / toggle].

PART B: LEGAL & TECHNICAL GUIDANCE & DISCLAIMER
(Strict conditions for the use of Minimalistic analytics mode)
1. Legal interpretation and jurisdictional warning (disclaimer)
The "consent-less" Minimalistic analytics mode is engineered based on a specific legal interpretation of Article 5(3) of the e-Privacy Directive, which allows an exemption from consent for technical storage or access that is "strictly necessary" for a service explicitly requested by the user, or for the sole purpose of carrying out the transmission of a communication.

  • This mode is primarily modeled after the guidelines of the French data protection authority (CNIL), which recognizes that certain first-party analytical tools, if strictly limited and anonymous, do not require prior consent.

  • The Client is hereby notified that legal interpretations vary across the EU/EEA and globally. Some National supervisory authorities may apply a more restrictive definition of "strictly necessary."

  • The use of Minimalistic analytics mode without a consent banner is at the Client’s sole risk and discretion. Tinyvisits provides the technical capability for anonymization, but the Client must determine if this setup is sufficient to meet their local regulatory requirements.


2. Specific and limited purposes
To maintain the legal argument for the consent exemption, Minimalistic analytics mode must be used exclusively for the internal management of the website. The Client is strictly prohibited from:

  • Attempting to identify individual visitors through any technical means.

  • Combining Tinyvisits data with other data sets (e.g., CRM, Sales data, or 3rd party databases) to create user profiles.

  • Using any data from Minimalistic analytics mode for behavioural advertising or sharing it with third parties for their marketing purposes.

  • Attempting to track a visitor across different domains not owned by the Client.


3. Technical Architecture
Immediate anonymization
The legal defense for the Minimalistic analytics mode relies on the fact that no personal data is ever "stored" on a persistent medium. The Client may present this technical flow to regulators as evidence of Privacy-by-Design:

  1. When a page view occurs, the visitor’s IP address and User-Agent are ingested into the server's RAM.

  2. The original, raw IP address is purged from the RAM instantly. It is never written to a disk, log file, or database.

  3. Only the result (e.g., "aggregate visitor") is saved to the database. At this point, the data is legally considered anonymous and falls outside the scope of the GDPR.

4. Data Retention and GDPR "Storage Limitation"
  • Personal data retention - Raw personal identifiers are discarded immediately upon the hashing process in the RAM.

  • Statistical data - Aggregate, anonymous statistics are retained for 13 to 25 months for the Client’s historical reporting. Since this data is truly anonymous, it is not subject to GDPR retention limits; however, the Client should still include these periods in their Privacy Policy for transparency.


5. Mandatory Opt-out and Article 21 GDPR (Right to object)
Even if the Client determines that consent is not required (based on legitimate interest or e-Privacy exemptions), the Right to object (Art. 21 GDPR) remains.

  • The Client must provide a clearly visible "Opt-out" link or toggle within their Privacy Policy or Footer.

  • Tinyvisits provides a specific JS-snippet for this purpose. When a visitor clicks "Opt-out," a technical flag is set, and the Tinyvisits script will be disabled for that visitor. Failure by the Client to provide this opt-out mechanism may result in a breach of the "strictly necessary" exemption criteria.


6. Limitation of liability for global clients
For Clients operating outside the EU (e.g., USA, Brazil, California), this "Compliance package" serves as a baseline. The Client is solely responsible for ensuring that the "Minimalistic mode" satisfies the specific requirements of the CCPA/CPRA, LGPD, or other local laws, which may have different definitions of "sale/sharing" of data and required "Opt-out" links.

7. Internal Legitimate interest assessment (LIA)
The Client acknowledges that the use of Minimalistic analytics mode is primarily based on the legal ground of Legitimate interest pursuant to Article 6(1)(f) of the GDPR. To ensure full compliance with the principle of accountability (Article 5(2) GDPR), the Client is obliged to apply the fundamental principles of legality, necessity, and proportionality.

To assist the Client in documenting this compliance, the Company has provided a Template of LIA test as part of the Compliance package for the Client’s internal records. This assessment serves to demonstrate that the Client’s legitimate interest in measuring website performance is not overridden by the interests or fundamental rights and freedoms of the website visitors, especially given the privacy-by-design safeguards implemented in Minimalistic analytics mode. The Client is solely responsible for finalizing, updating, and maintaining the LIA test based on its specific business context and jurisdiction. The Template provided by the Company is for guidance purposes only and does not constitute legal advice. The Client must be prepared to present the completed LIA to a relevant Supervisory Authority upon request to prove the overriding nature of their legitimate interest.

8. Assurance of EU-Exclusive Processing
The Client as the controller, by utilizing the Tinyvisits infrastructure, operates within a strictly defined EU-only data perimeter. This section serves as a formal assurance and a "Transfer Impact Assessment (TIA) Pre-assessment," confirming that no personal data is transferred to, or processed in, any third country that does not provide an adequate level of protection as defined by the GDPR.

The processing is managed by Algopine s.r.o. (the "primary processor"), an entity incorporated and operating under the laws of a European Union Member State. Algopine s.r.o. maintains full control over the data processing chain and ensures that:

  • The processor does not engage any sub-processors located outside the EU/EEA.

  • All sub-processing agreements are governed by EU law, ensuring full enforceability of GDPR standards across the entire technical infrastructure.


All platform data and temporary technical identifiers are stored and processed exclusively on servers physically located within the European Union and the European Economic Area (EEA). The primary processor and its partners maintain a policy of "zero-transfer" to non-EU jurisdictions, ensuring that:

  • All data centers are situated in EU member states (Germany, Netherlands – see platform privacy policy).

  • All sub-processors are entities incorporated under the laws of EU Member States, shielding the data from the extraterritorial reach of foreign intelligence laws (e.g., US Cloud Act, FISA 702).


Since the processing chain managed by Algopine s.r.o. does not involve any transfer of personal data to a third country (specifically the USA or other non-EEA jurisdictions), the complex requirements for TIA and "Standard contractual clauses" (SCC) for third-country transfers are not applicable. This ensures a streamlined, low-risk compliance profile for the controller.

9. DPIA Pre-assessment Outcome
Based on a comprehensive screening of the processing operations within tinyvisits Minimalistic mode, the following was demonstrated:

  • The processing does not meet the criteria for "high risk" under Article 35(1) of the GDPR. It avoids all high-risk triggers such as systematic profiling, large-scale processing of sensitive data, or monitoring of publicly accessible areas.

  • By implementing a cookie-less architecture with immediate cryptographic hashing in volatile memory (RAM), the potential impact on the rights and freedoms of data subjects is reduced to a minimum.

  • The processing is restricted to ephemeral technical metadata for aggregate statistical purposes only, without cross-site tracking or the creation of persistent user profiles.

  • All data remains within the EU/EEA, eliminating the risks associated with third-country transfers.

  • The implementation of the tinyvisits cookie-less solution does not trigger the obligation for the Controller to conduct a full DPIA. The processing remains a low-risk analytical activity, and this pre-assessment serves as sufficient documentation of the Controller's compliance with the risk-assessment requirements under the GDPR.



(1) By default (Minimalistic mode), the Platform does not store any persistent identifiers or cookies on the user's device, except for a technical opt-out cookie if the user explicitly requests to be excluded from aggregate statistics. Persistent identifiers (cookies) are strictly limited to the Full analytics mode and are deployed only upon the data subject's valid consent, in accordance with the privacy-by-default principle.