Data Processing Addendum

Last updated: 2026-07-11

This DPA forms part of the Terms of Service between you (the "Controller") and Heatmap IQ (the "Processor"). It applies whenever Heatmap IQ processes Personal Data on behalf of the Controller under the GDPR.

1. Roles

Controller: the customer. Processor: Heatmap IQ. End-user visitors of the customer's website are the data subjects.

2. Subject matter and duration

The Processor processes behavioral analytics (clicks, scrolls, rage clicks) for the duration of the customer's subscription.

3. Sub-processors

  • Supabase (database hosting, EU/US)
  • Cloudflare (edge runtime, global)
  • Lovable AI Gateway (insight generation, on-demand)

4. Security

Row-Level Security per customer, TLS 1.2+ in transit, encryption at rest, least-privilege service roles, and audit logs.

5. Data subject requests

The Controller can delete a website (and all associated events) at any time from the dashboard. We assist with deletion or export within 30 days of a written request.

6. Contact

dpa@heatmapiq.com