Agentlens
Data Processing Addendum
Effective date: June 12, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and One Infinity Labs, Inc. ("Agentlens", "we") whenever Agentlens processes personal data on your behalf. You do not need to sign anything: by using Agentlens to measure a site, you accept this DPA as written here, and it applies automatically. If your compliance team needs a countersigned copy, email privacy@agentlens.1labs.ai.
Roles
For traffic measured on your sites, you are the controller and we are the processor. We process measurement data only on your documented instructions — which are: provide the analytics service as described in the product and the Privacy Policy — and for no other purpose. We never sell measurement data, never share it with advertisers, and never use it to train models.
For your Agentlens account itself (email, password hash, billing status), we are an independent controller; that processing is covered by the Privacy Policy, not this DPA.
What personal data is processed
Deliberately little. Agentlens is cookieless by design and counts visits, not people. The categories of data processed for a measured site are:
- Page paths and referrer hostnames
- User-agent strings (truncated, used for agent classification)
- IP addresses — transiently: used once to classify the request, stored only as a salted SHA-256 hash with a per-site salt, raw value discarded. Hashes cannot be correlated across sites.
- Aggregate human pageview counts (no identifiers, no sessions)
No data subject categories beyond "visitors to Customer's website". No special categories of data. If you find a way to send us special-category data through a page path, the Acceptable Use Policy asks you not to.
Subprocessors
We use a short list of subprocessors to run the service. Each is bound by a data processing agreement at least as protective as this one.
| Subprocessor | Purpose | Region |
|---|---|---|
| Neon, Inc. | Database (event storage, account data) | USA |
| Vercel, Inc. | Hosting, CDN, edge ingestion | USA |
| Resend | Transactional email (alerts, weekly reports) | USA |
| Polar Software, Inc. | Billing — merchant of record | USA |
We will update this page at least 14 days before adding or replacing a subprocessor that touches measurement data. If you object to a change on reasonable data-protection grounds and we cannot resolve it, you may terminate the affected service and receive a pro-rata refund per the refund policy.
International transfers
Our subprocessors are US companies. Where measurement data about EEA, UK, or Swiss visitors is transferred to the United States, the transfer is covered by the EU Standard Contractual Clauses (Module 2, controller-to-processor), the UK Addendum, and/or the subprocessor's participation in the EU–US Data Privacy Framework, as applicable. Given what we actually store (paths, hostnames, salted hashes, aggregates), the residual transfer risk is intentionally minimal.
Security measures
The technical and organizational measures we maintain are described on the Security page, which forms part of this DPA. In summary: encryption in transit and at rest, salted IP hashing at ingest, least-privilege access, and a no-PII-by-design data model.
Data subject requests
If a visitor to your site sends us a request under GDPR, UK GDPR, CCPA, or similar law, we will forward it to you without undue delay and assist you in responding — though in practice measurement data contains nothing that identifies an individual visitor, which makes most requests short to answer. We will not respond directly unless legally required.
Confidentiality, personnel, and audits
- Personnel with access to customer data are bound by confidentiality obligations and given the minimum access their role requires.
- We notify you of a personal data breach affecting your data without undue delay, and no later than 72 hours after we become aware of it.
- Once per year, on reasonable notice, you may request the information necessary to demonstrate our compliance with this DPA — security documentation first; audits where the law requires them.
Deletion and return
On termination of your account, measurement data is deleted within 30 days. While the account is active, raw events expire per your plan's retention window (30 days Free, 12 months Pro/Agency). You can export report data at any time before deletion.
Order of precedence
If this DPA conflicts with the Terms of Service, this DPA wins for anything about personal data. If a mandatory law conflicts with both, the law wins, and we will tell you when that happens.
Contact
privacy@agentlens.1labs.ai · Contact page. Agentlens is a product of One Infinity Labs, Inc.