Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Bütçe Gardiyanı ("Processor", "we") and the customer ("Controller", "you", "Client") who uses our click fraud protection services.
This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Scope and Purpose of Processing
1.1 Subject Matter
The Processor will process personal data on behalf of the Controller for the following purposes:
- Collecting and analyzing visitor data from Controller's websites
- Detecting fraudulent clicks and suspicious activity
- Blocking malicious IP addresses
- Managing Google Ads IP exclusion lists
1.2 Categories of Data Subjects
- Visitors to Controller's websites
- Users who click on Controller's advertisements
- Users who register for an account
1.3 Types of Personal Data
| Data | Description |
|---|---|
| IP Address | Visitor IP address |
| Browser and Device Information | Browser type, operating system, device model |
| Traffic Source | Where the visitor came from |
| Timestamp | Visit date and time |
| Page Address | Visited page |
| Campaign Information | Google Ads campaign parameters |
| Bot Signals | Automation detection data |
| Email Address | Used for account registration and verification |
| Email Verification Codes | One-time codes sent during registration, stored in hashed form |
| Phone Number | Stored in our systems for recurring payment processing; also transmitted to payment service provider |
| Payment Card Token Data | Card last 4 digits and card type are stored; recurring payment tokens are stored encrypted; full card numbers are not stored |
| Billing Information | Optional (identity number, address, city, postal code); transmitted to payment service provider, not stored in our systems |
| Agreement Acceptance Records | Copy of the content of the Pre-Information Form and Distance Sales Contract as it stood at acceptance, acceptance date, IP address, and browser information |
2. Processor Obligations
2.1 Instructions
We will process personal data only on documented instructions from the Controller.
2.2 Confidentiality
We will ensure persons authorized to process personal data are under confidentiality obligations.
2.3 Security
We will implement appropriate technical and organizational security measures as required by GDPR Article 32.
2.4 Data Breach Notification
We will notify the Controller within 48 hours of becoming aware of a personal data breach.
The notification will include:
- The nature of the breach and categories of affected data subjects
- Estimated number of affected individuals
- Possible consequences
- Measures taken or proposed to be taken
- Processor contact person details
Note: This 48-hour period is the notification window from the Processor to the Controller. For the Controller's notification to the supervisory authority, the 72-hour period under GDPR Art. 33 applies.
2.5 Deletion
At the end of services, we will delete or return all personal data at the Controller's choice.
3. Audit Rights
The Controller (Client) has the right to conduct an audit once per year, or to appoint an independent auditor, in order to verify the Processor's (Bütçe Gardiyanı) compliance with this DPA and GDPR obligations.
- Audit requests must be submitted in writing at least 30 days in advance
- Audits are conducted during normal business hours
- Audit costs are borne by the Controller
- A maximum of 1 audit per year may be requested, except in emergencies
The Processor will share independent security audit reports upon request.
4. Technical and Organizational Measures (TOM)
The Processor implements the following technical and organizational measures under GDPR Article 32:
Technical Measures
- Encryption: Industry-standard encryption (storage and transit)
- Password security: Passwords protected with strong encryption standards
- Session security: Secure session management and cookie policies
- Email verification: One-time codes stored in hashed form; automatically deleted upon verification or expiry
- Form security: Security verification for all form submissions
- Rate limiting: Automated brute-force prevention on authentication and verification endpoints
- Network security: Automated attack detection and prevention systems
Organizational Measures
- Role-based access control (admin/customer)
- Privacy policy and business processes
- Log management and monitoring (14-day rotation)
- Incident response procedure
- Automated data deletion scheduling (daily)
- Automated deletion of unverified accounts and expired verification codes
5. Sub-processors
The Processor engages certain sub-processors for the provision of services. The current list of sub-processors is available on the Sub-processors page.
Sub-processor Change Notification: The Processor will notify the Controller by email at least 30 days before making changes to the sub-processor list. If the Controller does not object in writing within 15 days of receiving the notification, the change is deemed accepted. If the Controller objects and the parties cannot reach a resolution, the Controller has the right to terminate the service.
6. Data Subject Requests
Requests from data subjects (the customer's website visitors) for access, rectification, erasure, restriction, or portability are handled according to the following procedure:
- The data subject submits their request to the Controller (Client)
- The Controller forwards the request to the Processor (Bütçe Gardiyanı)
- The Processor carries out the technically required operations (data extraction, deletion, etc.)
- The Processor notifies the Controller that the operation is complete
- The Controller informs the data subject
The Processor redirects requests received directly from data subjects to the Controller and does not respond without the Controller's instructions.
Processing Timeframes
- Data access requests: 5 business days
- Deletion requests: 10 business days
- Data portability requests: 10 business days (in JSON or CSV format)
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Visitor logs | 90 days |
| Blocked IP records | Until block is removed; maximum 90 days after block is lifted |
| Email verification codes | Until verification is completed; unverified accounts automatically deleted after 48 hours |
8. International Data Transfers
For data transfers outside the EU/EEA, the Standard Contractual Clauses (SCCs) adopted by the European Commission's Implementing Decision of 4 June 2021 (2021/914/EU) are applied.
- Standard Contractual Clauses: EU Commission-approved SCCs apply to all non-EEA data transfers
- EEA-based Providers: No additional safeguards are required for providers located within the EEA
9. DPA Acceptance Mechanism
This DPA is deemed automatically accepted upon acceptance of the Terms of Service. No separate signature is required.
10. Processing Duration
This DPA is effective for as long as the Client uses the Services.
Upon termination of the Services:
- Personal data being processed will be deleted or returned within 30 days
- Data subject to legal retention obligations will be retained for the applicable periods
- The Controller will be notified in writing once deletion is complete