Data Processing Agreement
Last updated July 5, 2026
This Data Processing Agreement (“DPA”) forms part of the granvl Terms of Service and applies automatically wherever granvl processes personal data on your behalf and data-protection law (such as the GDPR, UK GDPR, or PIPEDA) requires processing terms. It reflects how the platform is actually built — including its zero-PII analytics architecture — and requires no signature to take effect; on request we will countersign a copy for your records.
1. Roles and scope
For personal data relating to visitors of pages you publish through granvl (“Visitor Data”, such as pseudonymous analytics events), you are the controller and granvl is your processor, acting only on your documented instructions as set out in the Terms, this DPA, and your configuration of the Service.
For personal data relating to your own account and workspace — user names, emails, authentication, usage, and (in future) billing — granvl is an independent controller, and that processing is governed by our Privacy Policy rather than this DPA.
Data received from advertising platforms you connect is handled as described in the Privacy Policy (Section 16), including in accordance with the Google API Services User Data Policy (Limited Use) and the Meta Platform Terms.
2. Nature and purpose of processing
granvl processes Visitor Data solely to provide the Service: serving your published pages, measuring visits and conversions, joining page performance with the advertising data of platforms you connect, and producing the analytics shown in your workspace. Categories of data subjects: visitors to your published pages. Duration: the term of your use of the Service, plus the deletion periods below.
3. Zero-PII analytics architecture
The Service is engineered to minimize personal data by design. As of the date above:
- —Form submission content is never stored by granvl — submissions are sent from the visitor’s browser directly to the destination you configure, and no field-content column exists in our schema. We store only the submission event (visitor, session, and variant identifiers plus an IP hash).
- —Visitor IP addresses are stored only as salted hashes; the salt rotates daily, and session identifiers rotate each day.
- —Published pages are cookieless and contain no third-party pixels by default; anything beyond that (e.g. a platform pixel or conversion API) exists only because you configure it.
- —Geolocation is derived from CDN request headers, not from third-party IP-lookup services; user agents are parsed only to device class.
- —Lead-qualification rules evaluate form-field values in memory only; the values are not written to storage.
- —Page previews are cookieless and marked noindex.
Because of this architecture, granvl’s processing of Visitor Data is limited to pseudonymous event data. You remain responsible for the destinations you connect and the data you choose to collect through your forms.
4. Instructions and confidentiality
granvl will process Visitor Data only on your documented instructions, including with regard to international transfers, unless required otherwise by law (in which case we will inform you unless legally prohibited). We will inform you if, in our opinion, an instruction infringes applicable data-protection law.
Personnel authorized to process Visitor Data are bound by confidentiality obligations and receive access on a need-to-know, role-scoped basis.
5. Security (technical and organizational measures)
granvl implements and maintains appropriate technical and organizational measures, including:
- —Encryption in transit (TLS) for all traffic, and encryption at rest for secrets and integration tokens (AES-GCM, failing closed in production if the key is unavailable).
- —Default-deny multi-tenant workspace scoping, role-based permissions, timing-safe token comparison, and capability URLs with 128-bit entropy.
- —Audit logging of security-relevant actions, plus AI-security telemetry including prompt-injection detection and logging.
- —Nightly encrypted backups with automated restore verification, 30-day retention, and a documented restore runbook.
- —Supply-chain controls: dependency scanning, a minimum dependency-age gate, and an install-time firewall.
- —Vendors in the personal-data path hold SOC 2 Type II attestations.
We may update these measures over time provided the overall level of protection is not materially reduced.
6. Subprocessors
You authorize granvl to engage the subprocessors listed at granvl.com/subprocessors, which identifies each vendor, its purpose, the data it touches, and its location. We will update that page and notify workspace owners at least 30 days before adding or replacing a subprocessor whose processing affects Visitor Data. You may object on reasonable data-protection grounds within the notice period; if we cannot offer a workaround, you may terminate the affected service and we will delete your data.
granvl remains responsible for its subprocessors’ performance and imposes data-protection obligations on them no less protective than this DPA.
7. Assistance and data subject requests
Taking into account the nature of the processing, granvl will assist you with your obligations regarding data-subject requests, security, breach notification, and (where required) data-protection impact assessments — in each case as reasonably practicable given the pseudonymous nature of Visitor Data. If a data subject contacts granvl directly about your pages, we will refer them to you without undue delay.
8. Personal data breach
granvl will notify you without undue delay after becoming aware of a personal data breach affecting Visitor Data, and will provide information reasonably required for you to meet your own notification obligations (including the GDPR’s 72-hour controller deadline), followed by timely updates as the investigation progresses.
9. Retention and deletion
- —Raw analytics events are retained while your account is active or per a published retention schedule; rollups are aggregate and non-identifying.
- —OAuth tokens, audit logs, and IP-hash retention are enforced by automated daily jobs; team invitations expire after 14 days; preview links after 7 days.
- —Deleting a funnel or team cascades through its pages, variants, and events; a retention-policy module governs what is soft-archived versus hard-deleted.
Upon termination of the Service, or on your request via granvl.com/delete-my-data, granvl will delete Visitor Data within 30 days, except where retention is required by law (in which case the data remains protected under this DPA until deleted).
10. Aggregated and de-identified data
granvl may create and use aggregated or de-identified data derived from use of the Service — data that does not identify you, your visitors, or any person, and is not reasonably capable of being re-identified — to operate, secure, benchmark, and improve the Service. granvl will not attempt to re-identify such data and will contractually prohibit its recipients from doing so.
11. International transfers
granvl processes data in the United States and Canada (see the subprocessor list for locations). Where Visitor Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to a country without an adequacy decision, the parties incorporate the European Commission’s Standard Contractual Clauses (Module 2: controller-to-processor), and for UK transfers the UK International Data Transfer Addendum, into this DPA by reference, with granvl as data importer and you as data exporter. Details required by the SCCs are as described in Sections 2, 5, and 6 and the subprocessor list.
12. Audit
On written request no more than once per year, granvl will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party attestations (such as subprocessor SOC 2 reports) in lieu of on-site audits where they reasonably address your requirements. Audits you conduct must be reasonable in scope, not disrupt the Service, and protect the confidentiality of other customers.
13. Liability, precedence, and term
This DPA is subject to the limitations of liability in the Terms of Service. If this DPA conflicts with the Terms regarding the processing of personal data, this DPA prevails; the SCCs prevail over both where they apply. This DPA takes effect when you first use the Service and remains in force as long as granvl processes Visitor Data on your behalf.
14. Contact
Questions about this DPA, or to request a countersigned copy: privacy@granvl.com.
granvl · British Columbia, Canada