
OptiWolf Data Processing Agreement

Effective date: July 2, 2026 · OptiWolf is operated by UniBreeze Kft. (Budapest, Hungary)

This Data Processing Agreement ("DPA") is entered into between the customer accepting the OptiWolf Terms of Service (the "Customer", acting as controller) and UniBreeze Kft. (1141 Budapest, Paskál utca 48. fszt. 1., Hungary; reg. no. 01-09-281663) ("OptiWolf", acting as processor). It is incorporated into and forms part of the Terms of Service for all plans, including the Free plan, and applies whenever OptiWolf processes personal data on the Customer's behalf. In case of conflict regarding data protection, this DPA prevails over the Terms.

1. Roles and scope

  1. For personal data of the Customer's website visitors processed via the OptiWolf Snippet and related APIs ("Customer Personal Data", detailed in Annex I), the Customer is the controller and OptiWolf is the processor within the meaning of Art. 4 GDPR.
  2. For US state privacy laws (including the CCPA/CPRA), OptiWolf acts as the Customer's service provider/processor: it processes Customer Personal Data only to provide the service, does not sell or share it, does not retain, use, or disclose it outside the business relationship, and certifies that it understands these restrictions.
  3. This DPA does not cover data OptiWolf processes as a controller (the Customer's own account and billing data); the Privacy Policy covers that.

2. Processing on documented instructions

OptiWolf processes Customer Personal Data only on the Customer's documented instructions, namely: the Terms, this DPA, and the configuration the Customer makes in the product (experiments, campaigns, goals, retention settings, webhook endpoints). OptiWolf informs the Customer if, in its opinion, an instruction infringes data protection law.

3. Confidentiality

Persons authorized to process Customer Personal Data (today: the founder-operator; in future, any personnel or contractors) are committed to confidentiality by contract or statute.

4. Security (Art. 32)

OptiWolf implements and maintains the technical and organizational measures in Annex II. It may update them, provided security is not materially reduced.

5. Subprocessors

  1. The Customer grants general authorization for the subprocessors in Annex III, published at optiwolf.com/dpa.
  2. OptiWolf will update Annex III at least 30 days before a new subprocessor processes Customer Personal Data, and will additionally notify account holders by email or in-app notice. The Customer may object on reasonable data-protection grounds within that period; if the objection cannot be resolved, the Customer may terminate the affected service and receives a pro-rata refund of prepaid fees.
  3. OptiWolf imposes data-protection obligations on each subprocessor equivalent to this DPA and remains liable for their performance.
  4. Not subprocessors: recipients the Customer instructs OptiWolf to send data to, including the Customer's own webhook endpoints, the Customer's email inbox for lead notifications, and the Customer's own analytics tools (such as Google Analytics, whose events the Snippet reads on the Customer's site but which remains the Customer's own vendor).

6. Assistance

  1. Data subject requests. Taking into account the nature of the processing, OptiWolf assists the Customer with appropriate measures to fulfil data subject requests. The product provides self-serve tooling: lead search and CSV export (access/portability), per-lead deletion, and deletion by email address across campaigns (erasure). Requests OptiWolf receives directly from data subjects are forwarded to the Customer without undue delay.
  2. DPIA and consultation. OptiWolf provides reasonable assistance with data protection impact assessments and prior consultations under Arts. 35 and 36, with respect to processing by OptiWolf.

7. Personal data breach

OptiWolf notifies the Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, providing the information reasonably required by Art. 33(3) as it becomes available, and cooperates in the Customer's own notification obligations. Notification is not an admission of fault.

8. Deletion and return

Upon termination of the service, OptiWolf deletes Customer Personal Data after the 30-day export window in the Terms, unless EU or Member State law requires longer storage. During the term, the Customer controls retention directly: leads honor the Customer's configured retention window and the in-product deletion tools; experiment event data is deleted with the experiment or the account. Backups containing deleted data rotate out within the backup retention window (up to 35 days).

9. Audits

OptiWolf makes available the information reasonably necessary to demonstrate compliance with Art. 28, including this DPA, Annex II, and answers to reasonable written security questionnaires (at most once per 12 months). Where this is insufficient, the Customer may conduct or mandate an audit at its own cost, on at least 30 days' notice, during business hours, no more than once per year, without access to other customers' data.

10. International transfers

Customer Personal Data is hosted in Germany (EU). Where a subprocessor processes personal data in a third country (see Annex III), the transfer relies on an adequacy decision (including the EU-US Data Privacy Framework where the subprocessor is certified) or on the European Commission's Standard Contractual Clauses concluded between OptiWolf and that subprocessor. Where the Customer is itself outside the EEA in a jurisdiction requiring a transfer mechanism from the Customer to OptiWolf, the parties agree the SCCs (module four or the applicable module) are deemed incorporated by reference.

11. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service, except where mandatory data protection law provides otherwise.


Annex I: Description of processing

Item | Description
Subject matter | Operation of the OptiWolf conversion-optimization and lead-generation service on the Customer's websites: A/B testing, personalization, popup campaigns, and measurement
Duration | The term of the Customer's account, plus the 30-day export window, plus backup rotation (up to 35 days)
Nature and purpose | Delivering page variants and campaigns in visitors' browsers; recording pseudonymous exposure, conversion, and campaign events for statistical reporting; storing and delivering leads submitted by visitors to the Customer
Categories of data subjects | Visitors and users of the Customer's websites
Categories of personal data | Pseudonymous first-party visitor and session identifiers; experiment assignment; exposure/conversion/campaign events with page URLs and timestamps; revenue amounts, currency, and order references for revenue goals; leads: email address, consent flag, submission page, and any additional form fields the Customer configures (e.g. name). IP addresses are processed transiently for delivery and abuse prevention and are not stored with events or leads. Deliberately kept on-device and never received by OptiWolf: the behavioral visitor profile used for targeting and all merge-tag personalization values
Special categories | None. The Customer must not collect special-category data (Art. 9), payment-card data, or government identifiers through the service (see the Acceptable Use Policy)
Frequency | Continuous, while the Snippet is installed and campaigns/experiments run

Annex II: Technical and organizational measures

Area | Measure
Hosting | Single-tenant-operated infrastructure in Germany (EU); Cloudflare edge in front (DDoS mitigation, TLS)
Encryption in transit | TLS on all public endpoints; edge-to-origin encrypted
Access control | Server access by key-based SSH restricted to the operator; application access session-based; passwords stored only as bcrypt hashes
Tenant isolation | Every query is scoped to the owning account; parameterized statements throughout (SQL-injection safe)
Data minimization by design | Behavioral profiles and personalization values are computed and stored client-side only; the server receives outcome events, not browsing history; no advertising or cross-site identifiers
Input hardening | Lead endpoint: honeypot, minimum-time gate, per-IP rate limiting, field whitelisting to the configured form schema; campaign content sanitized server-side; widget rendering uses text-only DOM writes in a shadow root
Integrity of delivery | Webhooks signed with HMAC-SHA256 per-account secrets; retries with backoff and delivery-state visibility
Backups and recovery | Nightly database backups to offsite storage (encrypted at rest at the storage provider), retained up to 35 days; restore procedure documented in the operations runbook
Breach handling | Incident response per Section 7; operational runbook maintained in the operations documentation
Personnel | Solo-operated at the effective date; any future personnel/contractors bound to confidentiality and least-privilege access

Annex III: Subprocessors

Current subprocessors of Customer Personal Data:

Subprocessor | Purpose | Location / transfer basis
Cloudflare, Inc. | Content delivery network, DNS, DDoS protection in front of all service traffic (data in transit) | Global edge; US parent, EU-US Data Privacy Framework certified
DigitalOcean, LLC | Cloud infrastructure hosting the application and database | Data center in Germany (EU); US parent, SCCs/DPF

Pending subprocessors, disclosed for transparency; each will be named here with its location before it processes any Customer Personal Data, with the Section 5 notice:

Function | Status
Offsite backup storage (planned: Backblaze, EU region preferred) | Engaged before backup processing begins
Transactional email delivery (lead notification emails contain lead data; candidates: Resend, Amazon SES, Brevo) | Engaged before email notifications go live
Error monitoring (planned: Sentry; request metadata may appear in error reports) | Engaged before production use

Contact: [email protected]
