1. Scope of Processing
This Data Processing Agreement ("DPA") applies when Onboardics LLC ("Processor"), a Delaware limited liability company with its registered address at 8 The Green, Suite B, Dover, DE 19901, processes personal data on behalf of a customer ("Controller") through the Onboardics tracking snippet and dashboard services.
Onboardics LLC processes data solely for the purpose of providing onboarding analytics, drop-off diagnosis, and behavior-triggered messaging services as described in our Terms of Service.
2. Data Categories
Behavioral Event Data (collected automatically)
- Page views, clicks, form interactions, and time-on-page metrics
- URL paths and page titles
- Anonymous session identifiers (randomly generated UUIDs)
- Anonymous user identifiers (randomly generated UUIDs, stored in localStorage)
- Browser viewport coordinates for click events
- Rage click detection data (click frequency and location)
Identity Data (collected only when Controller calls identify())
- Email address
- User ID (Controller-defined)
- Display name
- Plan/tier information
- Signup date
- Any additional custom fields passed by the Controller
Data NOT Collected
- Form field values (passwords, credit card numbers, personal messages)
- Cookies (Onboardics uses sessionStorage and localStorage only)
- IP addresses (not stored in the events table)
- Device fingerprints
3. Data Retention
| Plan | Retention Period |
|---|---|
| Free | 30 days |
| Starter | 30 days |
| Growth | 90 days |
| Scale | Unlimited |
| Business | Unlimited |
Data beyond the retention window is permanently deleted via automated daily cleanup processes. The AI diagnosis cache is retained for 30 days regardless of plan.
4. Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database storage, authentication | United States |
| Vercel | Application hosting, serverless functions, cron jobs | United States (global edge) |
| Anthropic | AI drop-off diagnosis (funnel data analysis only, no PII sent) | United States |
| Resend | Transactional email delivery (behavior-triggered emails) | United States |
| Brevo | Waitlist/marketing email (onboardics.com subscribers only) | European Union |
We will notify customers at least 30 days in advance before adding new sub-processors.
5. Data Subject Rights
Onboardics LLC supports the following data subject rights under GDPR and equivalent regulations:
- Right of Access: Controllers can export all event data for their project via the dashboard or API.
- Right to Erasure: Contact tyler@onboardics.com to request deletion of all data associated with a specific user identifier or email address. Deletion will be completed within 30 days.
- Right to Portability: Event data can be exported in JSON format via the API.
- Right to Restriction: Controllers can disable data collection at any time by removing the tracking snippet.
6. Deletion Procedures
- Account deletion: Upon account termination, all project data (events, diagnosis cache, trigger rules, email logs) is permanently deleted within 30 days.
- Retention-based deletion: Events older than the plan's retention window are automatically deleted daily.
- On-demand deletion: Controllers may request immediate deletion of specific user data by contacting tyler@onboardics.com.
7. Security Measures
- All data transmitted via HTTPS/TLS 1.2+
- Supabase Row Level Security (RLS) policies restrict data access to authenticated project owners
- API keys validated on every request; rate limiting enforced (100 req/min per key)
- Service role keys and API secrets stored as encrypted Vercel environment variables, never in client-side code
- Security headers enforced: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Authentication via Supabase Auth magic links (no passwords stored)
- AI diagnosis sends only aggregated funnel metrics to Anthropic — no individual user PII is included in AI prompts
- Payload size limits (50KB) prevent abuse of the events API
8. Data Breach Notification
In the event of a personal data breach, Onboardics LLC will notify affected Controllers without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the breach, data affected, and remediation steps taken.
9. Contact
For questions about this DPA, data processing, or to exercise data subject rights:
Tyler Allen, Founder
Email: tyler@onboardics.com
Website: onboardics.com