Public paid beta
Data Processing Addendum
Data processing terms for customer-controlled personal data processed through Metricanic's public paid beta service.
- Effective date
- May 1, 2026
- Last updated
- May 1, 2026
Scope
Metricanic is offered as a public paid beta. Beta features may change, have limited support or SLA commitments, and may be unavailable or incomplete. No production-grade SLA applies unless separately agreed in writing. Some integrations or advanced features may require configuration, approval, or plan eligibility. This Data Processing Addendum applies where Metricanic processes personal data as a processor or service provider on behalf of a customer in connection with the Metricanic service.
This DPA forms part of the Terms when a customer creates an account, signs up for the service, buys a plan, starts a trial, accepts the Terms, or otherwise uses Metricanic in a way that causes Metricanic to process Customer Tracking Data on the customer's behalf. Terms: https://metricanic.com/terms
Parties and Roles
The customer is the controller or business for customer campaign, tracking, attribution, reporting, routing, postback, and integration data processed through Metricanic, unless the customer itself acts as a processor or service provider for a third-party controller or business.
Metricanic is the processor or service provider for Customer Tracking Data. Metricanic processes that data to provide, secure, support, maintain, troubleshoot, and improve the service, to perform customer instructions, and as otherwise required by law.
Metricanic is a controller or business for its own account, billing, product security, support, website or panel analytics, and legal compliance data, as described in the Privacy Policy.
Metricanic provides tools for tracking, attribution, routing, reporting, postbacks, and integrations. The customer controls how those tools are configured and used.
Processing Activities
- Collection and receipt of click, visit, event, conversion, cost, revenue, and value data.
- Attribution, reporting, aggregation, enrichment, routing, and filtering.
- Campaign and entity configuration.
- Postback delivery and integration execution.
- Google Ads conversion uploads when enabled.
- OpenAI or ChatGPT MCP workspace access when enabled, designed to exclude raw IPs, raw user agents, raw URLs, secrets, and write access.
- Storage, retrieval, export, security monitoring, troubleshooting, and request-based deletion assistance.
Categories of Data
- Visitor request metadata such as IP address, user agent, referrer, country, region, city, timezone, language, device, operating system, browser, ASN, ISP, connection type, and bot or threat signals.
- Identifiers such as tenant ID, user ID, visit ID, click ID, external ID, tokens, subids, pubids, placement IDs, creative IDs, and source-specific IDs.
- Event, conversion, cost, revenue, value, goal, postback, lander, offer, rotator, campaign, and reporting data.
Customer Obligations
Customer, not Metricanic, determines campaigns, audiences, offers, landing pages, traffic sources, redirects, postbacks, integrations, tracking domains, cookies and scripts deployment, whether and how visitors are tracked, legal bases, consent flows, opt-outs, privacy notices, and ad platform compliance.
Customer represents and warrants that it has all rights, permissions, consents, opt-outs, notices, lawful bases, platform permissions, and contractual permissions needed to use Metricanic and provide Customer Data to Metricanic.
Customer is solely responsible for lawful collection and use of Customer Data, all required privacy notices, cookie notices, consents, opt-outs, Do Not Sell or Share handling where applicable, GDPR, ePrivacy, PECR, CPRA, PIPEDA, Quebec Law 25, traffic source, affiliate network, publisher, advertiser, app store, and Google Ads obligations that apply to its campaigns, legality of landers, offers, funnels, and content, and the accuracy and legality of data submitted to Metricanic.
Metricanic does not determine customer campaign purposes, audiences, offers, legal bases, consent requirements, opt-outs, or whether a visitor may lawfully be tracked.
Metricanic does not provide legal, privacy, advertising compliance, platform compliance, tax, or regulatory advice. Customer must obtain its own professional advice.
- Provide lawful collection and use instructions.
- Provide valid privacy notices, cookie notices, and consent where required.
- Honor data subject rights and opt-outs.
- Ensure traffic sources, ad platforms, publishers, advertisers, and networks permit the intended use.
- Avoid sending sensitive data in URLs, tokens, subids, pubids, click IDs, visit IDs, external IDs, campaign names, lander names, offer names, postbacks, API payloads, integration payloads, custom fields, entity names, or similar fields unless Metricanic separately approves the use case in writing.
- Configure Metricanic to match the customer's legal and platform obligations.
Security Measures
| Control area | Measures |
|---|---|
| Encryption in transit | HTTPS/TLS for public service endpoints and provider connections where supported. |
| Tenant isolation | Tenant-scoped access patterns designed for workspace data and authorization checks. |
| Access control | Production access restrictions for authorized personnel with business need, where implemented. |
| Authentication | Supabase-based authentication and session controls for panel users. |
| Secrets handling | Secrets stored in managed secret stores or encrypted provider systems where supported. |
| OAuth tokens | Google OAuth refresh tokens designed to be stored encrypted where supported. |
| Edge security | Cloudflare edge, routing, abuse-prevention, and security controls. |
Subprocessors
Metricanic may use subprocessors to provide the service. The current subprocessor list is available at https://metricanic.com/subprocessors.
Metricanic will impose written data protection obligations on subprocessors that are materially consistent with this DPA for the relevant processing. Metricanic remains responsible to the customer for subprocessor performance as required by applicable data protection law.
Metricanic will provide notice before authorizing a new subprocessor that will process customer personal data where required by applicable law or the applicable agreement.
Requests, Deletion, and Export
Metricanic will provide reasonable assistance for access, export, deletion, correction, opt-out, and similar requests related to customer-controlled tracking data, taking into account the nature of the processing and information available to Metricanic.
Deletion and export assistance is request-based unless a specific product workflow states otherwise. Deletion may be limited by legal retention, security, fraud-prevention, audit, billing, tax, accounting, backup, log, provider, or customer-instruction requirements.
Metricanic may delete, quarantine, restrict, suspend, or require remediation if customer submits prohibited sensitive data or creates unacceptable legal, security, or platform risk.
Privacy and deletion request details are available at https://metricanic.com/data-deletion.
International Transfers
Metricanic and its subprocessors may process information in Canada, the United States, the European Economic Area, the United Kingdom, and other locations where infrastructure or support operations are provided.
Metricanic will rely on legally available mechanisms applicable to the relevant data flow.
Contact
Contact Metricanic at [email protected].