Data Processing Addendum
Last updated: 2026-07-11
This DPA forms part of the Terms of Service between you (the "Controller") and Heatmap IQ (the "Processor"). It applies whenever Heatmap IQ processes Personal Data on behalf of the Controller under the GDPR.
1. Roles
Controller: the customer. Processor: Heatmap IQ. End-user visitors of the customer's website are the data subjects.
2. Subject matter and duration
The Processor processes behavioral analytics (clicks, scrolls, rage clicks) for the duration of the customer's subscription.
3. Sub-processors
- Supabase (database hosting, EU/US)
- Cloudflare (edge runtime, global)
- Lovable AI Gateway (insight generation, on-demand)
4. Security
Row-Level Security per customer, TLS 1.2+ in transit, encryption at rest, least-privilege service roles, and audit logs.
5. Data subject requests
The Controller can delete a website (and all associated events) at any time from the dashboard. We assist with deletion or export within 30 days of a written request.