Skip to content
TrueMetriks TrueMetriks TrueMetriks TrueMetriks
Overview Pricing Demo Testimonials Chrome Extension Docs Blog GDPR & CCPA
Login
Overview Pricing Demo Testimonials Chrome Extension Docs Blog GDPR & CCPA
Legal

Data Processing Agreement

Last updated: 2026-06-03

1. Introduction

This Data Processing Agreement (“DPA”) governs the processing of personal data by True Metriks on behalf of its customers in connection with the True Metriks Service.

About the Processor. True Metriks is a service operated by Game Dev Pro LLC, a Wyoming limited liability company, with its registered office at 30 N Gould St Ste R, Sheridan, WY 82801, United States (“True Metriks”, “Processor”, “we”, “us”, or “our”). For DPA-related inquiries, contact [email protected].

The Controller. The customer who has accepted True Metriks’ Terms of Service and is using the True Metriks Service is the data Controller (“Controller” or “you”) for purposes of this DPA.

Incorporation. This DPA forms part of, and is incorporated by reference into, the customer’s agreement to use the True Metriks Service (the “Service Agreement”). By accepting the Service Agreement, the Controller also accepts the terms of this DPA. Where there is a conflict between this DPA and the Service Agreement with respect to the processing of personal data, this DPA controls to the extent of the conflict.

Purpose. The parties enter into this DPA to comply with the requirements of Applicable Data Protection Laws (as defined below) and to ensure appropriate safeguards are in place wherever True Metriks processes personal data on behalf of the Controller.

2. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Service Agreement.

  • “Applicable Data Protection Laws” means any applicable privacy or data protection law or regulation, including: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and, following its departure from the EU, the UK GDPR (as defined in the UK Data Protection Act 2018); (b) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”); and (c) any equivalent national or state law that applies to the processing of personal data described in this DPA.
  • “Controller” means the entity that determines the purposes and means of processing personal data - in this context, the True Metriks customer.
  • “Data Subject” means an identified or identifiable natural person to whom personal data relates.
  • “Personal Data” (or “Personal Information” as used under CCPA/CPRA) means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, restriction, erasure, or destruction.
  • “Processor” means the entity that processes Personal Data on behalf of the Controller - in this context, True Metriks / Game Dev Pro LLC.
  • “Service” means the True Metriks edge tracking and conversion attribution platform and associated features as described in the Service Agreement.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on the Processor’s behalf in connection with providing the Service.

3. Subject Matter and Duration of Processing

Subject matter. True Metriks processes Personal Data in order to deliver the Service to the Controller. This includes: collecting and storing event-level conversion data generated by the Controller’s website visitors; retrieving ad-account performance metrics via authorized API connections the Controller establishes with third-party advertising platforms; and processing identifiers needed for attribution and reporting.

Duration. True Metriks processes Personal Data for the duration of the Controller’s active subscription to the Service. Following termination or expiry of the Service Agreement, True Metriks will delete or return Personal Data in accordance with Section 7.8 of this DPA, subject to any retention required by applicable law or the Service Agreement.

Retention window. Unless the Controller requests earlier deletion or a shorter retention period is specified in the Service Agreement, True Metriks retains Personal Data processed under this DPA for a period not exceeding twelve (12) months from the date of collection, plus up to ninety (90) additional days in backup systems before final deletion.

4. Nature and Purpose of Processing

Purpose. True Metriks processes Personal Data solely to provide and improve the Service, including: (a) recording and attributing conversion events on the Controller’s properties; (b) retrieving and aggregating ad-platform performance data that the Controller has authorized True Metriks to access; (c) generating reports, dashboards, and analytics outputs for the Controller; and (d) maintaining the technical infrastructure required to deliver the foregoing.

Instructions. True Metriks processes Personal Data only in accordance with the documented instructions of the Controller. The Controller’s use of the Service - including its configuration of tracking parameters, authorized API connections, and dashboard settings - constitutes its documented instructions for these purposes. If the Processor is required to process Personal Data for any other purpose under applicable law, it will inform the Controller before doing so (unless such law prohibits it).

No sale or independent use. True Metriks does not sell, rent, or otherwise make available Personal Data processed under this DPA to any third party for that party’s own purposes. True Metriks does not use Personal Data processed under this DPA for its own advertising, marketing profiling, or any purpose unrelated to delivering the Service.

5. Categories of Personal Data and Data Subjects

5.1 Categories of Personal Data

The categories of Personal Data that True Metriks processes on behalf of the Controller may include:

  • Identifiers: cookie IDs, device IDs, session identifiers, IP addresses (may be truncated or hashed), and hashed email addresses where the Controller supplies them as conversion signals.
  • Event data: page visit timestamps, URL paths, referral sources, conversion events (such as form submissions, purchases, or other goal completions as configured by the Controller), and associated metadata.
  • Ad-platform metrics: campaign performance data (spend, impressions, clicks, conversions, reach) retrieved from advertising platforms (such as Meta Ads) via API connections authorized by the Controller. This data relates to the Controller’s own ad accounts, not to individual end-users in a directly identifiable form.
  • Access credentials: OAuth tokens and API keys provided by the Controller to enable authorized integrations. These are stored encrypted at rest and are not themselves Personal Data, but their loss could affect data subject rights.

5.2 Categories of Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA are:

  • End-users and website visitors of the Controller’s websites and digital properties where the Controller has deployed the True Metriks tracking script.
  • The Controller’s own personnel to the limited extent that they are associated with access tokens or API credentials used to connect the Controller’s advertising accounts to the Service.

6. Controller Obligations and Warranties

By entering into this DPA and using the Service, the Controller represents, warrants, and undertakes that it will:

  • Lawful basis. Ensure that it has, and will maintain throughout the term, a valid lawful basis under Applicable Data Protection Laws for any processing of Personal Data it instructs the Processor to carry out. Where required, this includes obtaining valid consent from Data Subjects (for example, for the placement of tracking cookies on its website visitors’ devices).
  • Notices. Provide all required notices and disclosures to Data Subjects about the collection and processing of their Personal Data, including disclosures about the use of third-party processors such as True Metriks.
  • Lawful instructions. Ensure that all instructions given to the Processor are consistent with Applicable Data Protection Laws. The Controller acknowledges that True Metriks has no obligation to follow instructions that would cause it to violate any applicable law.
  • Access security. Maintain the security of any access credentials (login details, API keys) issued to it in connection with the Service, and promptly notify True Metriks at [email protected] if it suspects unauthorized access.
  • Accuracy. Take reasonable steps to ensure that the Personal Data it causes to be processed through the Service is accurate, adequate, and not excessive for the stated purpose.

7. Processor Obligations

7.1 Processing on documented instructions only

True Metriks will process Personal Data only on the documented instructions of the Controller, except where processing is required by applicable law. Where processing is required by law, True Metriks will inform the Controller of that requirement before processing, unless such law prohibits disclosure.

7.2 Confidentiality of processing

True Metriks will ensure that individuals authorized to process Personal Data on its behalf are subject to appropriate obligations of confidentiality, whether by contract, professional duty, or applicable law.

7.3 Technical and organizational measures

True Metriks will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure, as further described in Annex 1 of this DPA. True Metriks will review and update these measures as the threat landscape evolves.

7.4 Assistance with data subject rights

Taking into account the nature of the processing, True Metriks will provide reasonable assistance to the Controller - by appropriate technical and organizational measures - to fulfill the Controller’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). The Controller may submit such requests to [email protected].

7.5 Security incident notification

True Metriks will notify the Controller without undue delay, and where feasible within 72 hours of becoming aware, of a Personal Data Breach affecting Personal Data processed under this DPA. Notification will be sent to the contact details on file for the Controller’s account and will include, to the extent then known: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of Personal Data records affected; (d) likely consequences of the breach; and (e) measures taken or proposed to address the breach. True Metriks will cooperate with the Controller and provide further information as it becomes available to assist the Controller in meeting its own notification obligations under Applicable Data Protection Laws.

7.6 Assistance with DPIAs and supervisory authority consultations

True Metriks will provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (“DPIAs”) and any prior consultations with supervisory authorities that may be required under Applicable Data Protection Laws, taking into account the nature of the processing and information available to True Metriks.

7.7 Sub-processing

True Metriks is authorized to engage Sub-processors in accordance with Section 8 of this DPA.

7.8 Deletion or return of Personal Data

At the Controller’s written request, or upon termination or expiry of the Service Agreement (whichever is earlier), True Metriks will, at the Controller’s choice, either: (a) return to the Controller a copy of all Personal Data processed under this DPA in a commonly used, machine-readable format; or (b) securely delete Personal Data processed under this DPA, and certify in writing that it has done so. This obligation is subject to any retention required by applicable law or the Service Agreement. Residual copies held in backup systems will be purged within ninety (90) days of the deletion trigger.

7.9 Audit and information rights

True Metriks will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and with Applicable Data Protection Laws. The Controller may, on reasonable advance written notice (not less than 30 days) and no more than once per calendar year, carry out (or commission a qualified third party to carry out) an audit of True Metriks’ compliance with this DPA. More frequent audits may be requested only where required by Applicable Data Protection Laws or following a confirmed Personal Data Breach. True Metriks may satisfy this obligation by making available relevant third-party audit reports or certifications where these are reasonable substitutes, subject to appropriate confidentiality protections. All audit activities must be conducted during business hours in a manner that minimizes disruption to True Metriks’ operations.

8. Sub-processors

General authorization. The Controller provides a general authorization for True Metriks to engage the Sub-processors listed in Annex 2 of this DPA. True Metriks will not engage any new Sub-processor that will process Personal Data under this DPA without prior notice to the Controller.

Notice of changes. True Metriks will give the Controller reasonable prior notice (not less than 14 days where practicable) of any intended addition or replacement of Sub-processors, by updating Annex 2 and notifying the Controller via the contact email on file or through a notice on this page. If the Controller has a reasonable, documented objection to a new Sub-processor on data protection grounds, the Controller should notify True Metriks at [email protected] within 14 days of the notice. The parties will work in good faith to address the objection. If no resolution is reached within a further 30 days, either party may terminate the affected portion of the Service Agreement with written notice, without penalty.

Sub-processor obligations. True Metriks will impose data protection obligations on Sub-processors by contract that are materially equivalent to those in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. True Metriks remains responsible to the Controller for the performance of Sub-processors’ obligations to the extent True Metriks is liable for its own acts under this DPA.

The current list of authorized Sub-processors is set out in Annex 2 below.

9. International Transfers

The Sub-processors listed in Annex 2 are located in the United States and Germany. Some processing of Personal Data may therefore involve transfers of Personal Data outside the European Economic Area (“EEA”) or United Kingdom (“UK”).

Where such transfers are subject to the transfer-restriction provisions of Applicable Data Protection Laws (for example, Chapter V of the GDPR), True Metriks will ensure that an appropriate transfer mechanism is in place before making the transfer. Such mechanisms may include:

  • Standard Contractual Clauses issued by the European Commission (Commission Implementing Decision (EU) 2021/914), specifically Module 2 (Controller-to-Processor), which are deemed incorporated by reference into this DPA to the extent required by applicable law; or
  • The UK International Data Transfer Agreement (“IDTA”) or equivalent UK addendum to the EU SCCs, as required for transfers subject to the UK GDPR; or
  • Any other transfer mechanism recognized as adequate under Applicable Data Protection Laws.

The parties agree that execution of this DPA constitutes execution of the applicable Standard Contractual Clauses and any required annexes to the extent those clauses apply to the processing described herein. True Metriks will maintain records of the transfer mechanisms in use and make them available to the Controller on request.

10. Security Incident Notification

The obligations set out in Section 7.5 of this DPA apply. For the avoidance of doubt:

  • True Metriks will maintain a documented incident response capability and will test and update it as appropriate.
  • Notification will be sent to the email address associated with the Controller’s account. The Controller is responsible for keeping that address current and for forwarding notifications internally as required.
  • The 72-hour target runs from the point at which True Metriks becomes aware that a Personal Data Breach has occurred. Where full information is not available within that window, True Metriks will provide an initial notification and follow up with additional details as they become known.
  • Notification to the Controller does not constitute an admission of fault or liability.

11. Audit Rights

The audit rights set out in Section 7.9 apply. The parties agree that:

  • Any third party conducting an audit on behalf of the Controller must be bound by a written confidentiality obligation at least as protective as the Service Agreement.
  • The Controller will bear the cost of any audit it commissions unless the audit reveals a material breach of this DPA by True Metriks.
  • True Metriks will not be required to disclose information that would compromise the security or privacy of other customers, or that is protected by attorney-client privilege or applicable law.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Service Agreement, including any cap on total liability, except where and to the extent that Applicable Data Protection Laws prohibit such limitation (for example, where fines imposed by a supervisory authority cannot be contractually excluded).

Where both the Controller and True Metriks contribute to a loss suffered by a Data Subject, liability shall be apportioned between them in accordance with the degree to which each party is responsible for the damage, as determined by a competent court or regulatory authority.

13. Term, Termination, and Survival

Term. This DPA is effective on the date the Controller accepts the Service Agreement and remains in force for as long as True Metriks processes Personal Data on behalf of the Controller.

Termination. This DPA terminates automatically upon the termination or expiry of the Service Agreement. Either party may terminate this DPA immediately on written notice if the other party commits a material and unremedied breach of its obligations under this DPA.

Survival. The following provisions survive termination of this DPA for as long as the relevant obligations remain relevant: Section 7.2 (confidentiality), Section 7.8 (deletion or return), Section 7.9 (audit and information rights, for a period of two years post-termination), Section 12 (liability), and this Section 13.

14. Governing Law and Dispute Resolution

This DPA is governed by and construed in accordance with the laws of the State of Wyoming, United States, being the same jurisdiction as the Service Agreement, without regard to conflict-of-law principles.

To the extent that Applicable Data Protection Laws require a specific governing law or jurisdiction for this DPA (for example, for the EU Standard Contractual Clauses, which may specify a Member State court and law), that mandatory requirement prevails over this Section to the extent of the conflict, and only for the portions of this DPA subject to those requirements.

Any dispute arising out of or in connection with this DPA that cannot be resolved by good-faith negotiation within 30 days will be resolved in accordance with the dispute resolution provisions of the Service Agreement.

15. Order of Precedence

In the event of any conflict or inconsistency between this DPA and the Service Agreement, the DPA prevails over the Service Agreement to the extent of the conflict, but only with respect to the processing of Personal Data governed by this DPA. For all other matters, the Service Agreement controls.

Annex 1 - Technical and Organizational Measures (TOMs)

This Annex describes the technical and organizational measures that True Metriks maintains to protect Personal Data processed under this DPA. These measures reflect the current state of the platform and will be updated as the platform evolves. The latest version may be requested at any time from [email protected].

Honest note: True Metriks is an early-stage service. The measures listed below are real and in place. True Metriks does not currently hold SOC 2, ISO 27001, ISO 27701, HIPAA, PCI DSS, or any other third-party security certification. Obtaining appropriate certifications is on the long-term roadmap.

Access controls

  • Server access is restricted to authorized personnel using SSH key-based authentication. Password-based SSH login is disabled on production servers.
  • No shared credentials or shared service accounts are used for server administration.
  • The principle of least privilege is applied: personnel have access only to the systems and data necessary for their role.
  • Customer access tokens (OAuth tokens, API keys) are stored encrypted at rest and are not logged in plaintext.

Encryption

  • All data in transit between clients and True Metriks infrastructure is encrypted using TLS (Transport Layer Security).
  • Access tokens and sensitive credentials held on behalf of customers are encrypted at rest.
  • True Metriks’ edge processing layer operates over HTTPS by default.

Infrastructure security

  • Production servers are hosted on Hetzner Online GmbH infrastructure in Germany, behind firewall rules limiting inbound access to required ports only.
  • Edge processing runs on True Metriks’ own globally distributed network, protected by physical and logical security controls maintained as part of our infrastructure.

Secure software development

  • Code changes go through internal review before deployment to production.
  • Dependencies are reviewed and updated on an ongoing basis to address known vulnerabilities.
  • Application-level input validation is applied to reduce injection and parsing risks.

Incident response

  • True Metriks maintains a documented procedure for identifying, containing, and notifying affected parties of Personal Data Breaches, aligned with the obligations in Section 10 of this DPA.
  • Logs are maintained to support incident investigation. Log retention is limited to what is necessary for operational and security purposes.

Sub-processor security review

  • True Metriks reviews the security documentation (including published security pages, DPAs, and any available audit reports) of Sub-processors before onboarding them and on a periodic basis thereafter.
  • Sub-processors are required to maintain technical and organizational measures at least equivalent to those described in this Annex.

Organizational measures

  • Personnel with access to Personal Data are made aware of their data protection obligations as part of onboarding.
  • Access to production systems is reviewed and revoked promptly when personnel change roles or leave the organization.

Annex 2 - Authorized Sub-processors

The following Sub-processors are authorized as of the “Last updated” date shown at the top of this page. True Metriks will provide notice of any material additions or replacements in accordance with Section 8 of this DPA.

  • Hetzner Online GmbH
    Location: Germany (EU)
    Service: Primary application hosting and storage. True Metriks’ backend services and databases run on Hetzner dedicated and cloud servers. Personal Data processed under this DPA is stored on Hetzner infrastructure.
    Hetzner privacy information: hetzner.com/legal/privacy-policy
  • Google LLC
    Location: United States
    Service: Google Sheets API and related Google Workspace APIs. Where the Controller has configured a Google Sheets output integration, True Metriks uses authorized Google APIs to write data to a Google Sheet owned and controlled by the Controller. Personal Data may be transmitted to Google’s infrastructure solely for the purpose of writing to the Controller’s designated spreadsheet.
    Google DPA and privacy information: cloud.google.com/terms/data-processing-addendum

18. Contact

For any questions or concerns about this DPA, or to exercise any rights or make any requests described herein, please contact:

  • Email: [email protected]
  • Company: Game Dev Pro LLC (operating as True Metriks)
  • Address: 30 N Gould St Ste R, Sheridan, WY 82801, United States

For information about how True Metriks handles personal data in general (including on this marketing website), please review our Privacy Policy.

TrueMetriks

Server-side analytics and conversion attribution.

Product

  • Features
  • Pricing
  • Docs
  • Demo
  • Chrome extension
  • Restricted categories
  • Custom integrations
  • Debugging services

Company

  • What is TrueMetriks?
  • About
  • Contact
  • FAQ
  • Blog
  • Testimonials

Legal

  • Privacy
  • Terms
  • Cookies
  • DPA
  • Data Deletion
  • Refund
  • Compliance
© 2026 TrueMetriks. All rights reserved.