iTracker360

Data Processing Agreement

Last updated: June 21, 2026 (v2026-06-21)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you and Infusion Extreme LLC (“iTracker360”, “we”, “us”) and governs our processing of the visitor data captured on your sites. It applies only to the extent we process personal data on your behalf in connection with the service.

1. Definitions

  • “Personal data”, “controller”, “processor”, “processing”, and “data subject” have the meanings given to them under applicable data-protection law (and include the equivalent terms under the CCPA, such as “business,” “service provider,” and “consumer”).
  • “Data-protection law” means all privacy and data-protection laws that apply to the processing, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
  • “Visitor data” means the personal data the tracker captures from visitors to your sites and that we process on your behalf.
  • “Subprocessor” means a third party we engage to process visitor data in providing the service.
  • “Security incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, visitor data.

2. Roles of the parties

For the visitor data captured by the tracker on your sites, you are the controller and iTracker360 is the processor (your service provider). You decide why and how that data is collected; we process it on your behalf to provide the service.

3. Scope and instructions

We process visitor data only to provide and support the service and only on your documented instructions, which include these Terms and your configuration of the service. As your service provider, we do not sell or share visitor data, and we do not retain, use, or disclose it for any purpose other than providing the service to you (or as permitted or required by applicable law). We may also process visitor data to detect and prevent security incidents, protect against fraud or illegal activity, debug and repair the service, and maintain and improve the service.

4. Your obligations

You are responsible for ensuring you have a lawful basis to collect visitor data, for posting the privacy notices required on your sites, and for obtaining any consent required from your visitors before the tracker captures their data. You must not configure the service to capture special categories of sensitive data or payment-card data.

5. Confidentiality and security

We maintain appropriate technical and organizational measures designed to protect visitor data against a security incident, taking into account the nature of the data and the risks involved (described in Section 6). We ensure that personnel authorized to process visitor data are bound by confidentiality and are made aware of their data-protection responsibilities.

6. Technical and organizational security measures

Our measures include, as applicable:

  • Encryption in transit. Data moving between visitors, the service, and your CRM is protected with industry-standard TLS encryption, and we use encryption at rest where supported by our infrastructure.
  • Access control and least privilege. Access to systems that process visitor data is restricted to authorized personnel on a need-to-know basis, using individual accounts and authentication; we do not permit shared credentials.
  • Network protection. Production systems run on Amazon Web Services (United States, us-east-1) behind network security controls such as firewalls and security groups.
  • Logging and monitoring. We log and monitor access to systems that process visitor data to help detect and investigate security incidents.
  • Resilience and deletion. We maintain regular backups in protected environments and securely delete visitor data that is no longer required.
  • Incident response. We maintain a documented process for responding to security incidents.
  • Vetted infrastructure. Our hosting and infrastructure providers maintain their own recognized security certifications (for example, SOC 2 and ISO 27001) for the underlying platforms on which the service runs.

7. Subprocessors

You authorize us to engage the subprocessors listed on our Subprocessors page to help us provide the service. We enter into written terms with each subprocessor that are no less protective than this DPA, and we remain responsible for their performance. We will give at least 30 days’ notice before adding a new subprocessor, and you may object on reasonable data-protection grounds.

8. CRMs are not our subprocessors

A CRM you connect (such as Keap or GoHighLevel) is a customer-directed destination, not our subprocessor. When you connect a CRM, you instruct us to send data to it, and your use of it is governed by that CRM’s own terms.

9. Data subject requests

Taking into account the nature of the processing, we will provide reasonable assistance to help you respond to requests from data subjects to exercise their rights under applicable data-protection law. If a data subject contacts us directly about visitor data, we will not respond substantively except to acknowledge the request and, where appropriate, direct them to you as the controller, and we will forward the request to you without undue delay.

10. Government and legal requests

If we receive a legally binding request from a government, law-enforcement, or regulatory authority for visitor data we process on your behalf, we will, unless legally prohibited, notify you without undue delay so that you may seek a protective order or other appropriate remedy. We will disclose only the data we are legally required to disclose.

11. Breach notification

We will notify you without undue delay after becoming aware of a security incident affecting visitor data we process on your behalf, and will provide the information reasonably available to help you meet your own notification obligations.

12. Deletion

On termination of the service, we will delete the captured and CRM-synced visitor data associated with your account within 180 days, except where retention is required by law. For any visitor data we retain after termination, this DPA continues to apply.

13. International transfers

Visitor data is stored in the United States. Where the processing involves a transfer of personal data from the EEA, the United Kingdom, or Switzerland that requires a transfer mechanism, the parties incorporate by reference the applicable European Commission Standard Contractual Clauses (together with the UK International Data Transfer Addendum or the Swiss amendments, as applicable). If a transfer mechanism we rely on is invalidated, the parties will work together in good faith to put a suitable alternative in place.

14. Conflict and changes

If there is a conflict between this DPA and the rest of the Terms with respect to the processing of visitor data, this DPA controls. We may update this DPA from time to time; for material changes we will provide at least 30 days’ notice.

15. Contact

Questions about this DPA? Contact us at support@itracker360.com.