1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tractn ("Processor", "we", "us") and the customer using the Tractn platform ("Controller", "you").

This DPA applies to the processing of personal data that you, as the Data Controller, instruct Tractn to process on your behalf through your use of the platform — including lead data, conversion events, and email automation.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws (GDPR, FADP, etc.)
"Data Controller" means you, the Tractn customer, who determines the purposes and means of processing personal data
"Data Processor" means Tractn, which processes personal data on behalf of the Controller
"Sub-Processor" means a third-party service provider engaged by Tractn to assist in processing personal data
"Data Subject" means the individual whose personal data is being processed (e.g., your leads, contacts, website visitors)

3. Scope of Processing

3.1 Categories of Data Subjects

Your website visitors (tracked via Tractn Pixel)
Your leads and contacts (stored in Tractn CRM)
Your email recipients (managed through Tractn email automation)

3.2 Types of Personal Data

Contact information: email address, name, phone number
Attribution data: UTM parameters, referrer URL, landing page, source, medium, campaign
Behavioral data: conversion events (event type, value, timestamp)
Technical data: device type, anonymous session identifier
Engagement data: email open timestamps, click-through data, delivery status
Segmentation data: lead score, segment labels, lead status

3.3 Purpose of Processing

Tracking conversion events on the Controller's website
Storing and managing lead/contact records
Sending automated email sequences on behalf of the Controller
Providing analytics and reporting on marketing performance
Generating AI-powered marketing insights (using anonymized, company-level data only)

4. Obligations of the Processor

Tractn shall:

Process personal data only on the Controller's documented instructions, as described in this DPA, the Terms of Service, and through the Controller's use of the platform
Ensure that persons authorized to process the data have committed to confidentiality
Implement appropriate technical and organizational security measures, including:
- AES-256-GCM encryption for OAuth tokens at rest
- TLS 1.3 encryption for all data in transit
- Row-level security (RLS) on the database
- Access controls ensuring users can only access their own data
Not engage any Sub-Processor without providing the Controller with an updated list (see Sub-Processor List)
Assist the Controller in responding to data subject requests (access, deletion, portability)
Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach
Delete or return all personal data upon termination of the service, at the Controller's choice, within 30 days
Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Obligations of the Controller

You, as the Data Controller, shall:

Ensure you have a lawful basis for collecting and processing personal data through Tractn
Provide appropriate privacy notices to your data subjects disclosing the use of Tractn and its sub-processors
Obtain necessary consent where required (e.g., for email marketing, cookie/pixel tracking in the EU)
Not provide Tractn with personal data for which you do not have a lawful basis to process
Respond to data subject requests directed to you in a timely manner

6. Sub-Processors

Tractn engages trusted sub-processors to provide the service. The current list of sub-processors is available at tractn.io/sub-processors.

We will notify you of any changes to our sub-processor list by updating the page and, for material changes, by posting a notice on the platform. You may object to a new sub-processor by contacting us within 30 days of the notification.

7. International Data Transfers

Tractn's infrastructure involves data transfers to the United States. For transfers of personal data from the EEA, UK, or Switzerland to countries without an adequate level of data protection, Tractn relies on:

Standard Contractual Clauses (SCCs) as adopted by the European Commission
Data Processing Agreements with each sub-processor that include appropriate transfer safeguards

8. Data Breach Notification

In the event of a personal data breach affecting your data, Tractn will:

Notify you within 72 hours of becoming aware of the breach
Provide details about the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences
Describe the measures taken or proposed to address the breach and mitigate its effects
Cooperate with you in notifying the relevant supervisory authority and affected data subjects, as required by law

9. Data Retention and Deletion

Tractn retains personal data for as long as your account is active and as necessary to provide the service
You can delete individual leads, conversion events, and campaigns at any time through the platform
Upon account termination, Tractn will delete all personal data within 30 days, unless retention is required by law
Anonymized, aggregated data that cannot be linked to any individual may be retained for analytics purposes

10. Audits

Tractn will make available to the Controller, on request, all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, directly or through an appointed third-party auditor (subject to reasonable confidentiality obligations), with at least 30 days' written notice.

11. Contact

For questions about this Data Processing Agreement:

Email: privacy@tractn.io
Website: app.tractn.io