Data Processing Agreement (DPA)

Effective Date: 25.9.2025

Parties:

  • Data Processor: Kreechr s.r.o., Vrútocká 35, 82104 Bratislava, Slovakia (trading as “Cookifi”)
  • Data Controller: The legal entity (customer) who has entered into a service agreement with Cookifi to use its Consent Management Platform (CMP)

1. Background

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement between the Data Controller and Cookifi for the provision of the CMP services (the “Agreement”). The DPA reflects the parties’ agreement with respect to the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Subject Matter and Duration

2.1. This DPA governs the processing of personal data by Cookifi on behalf of the Controller during the term of the Agreement.

2.2. The duration of this DPA is the same as the duration of the Agreement, unless otherwise required by law.

3. Nature and Purpose of Processing

Cookifi provides a CMP which helps the Controller:

  • Display consent notices to end-users
  • Collect, store, and manage user consent preferences
  • Emit consent-based triggers for tools such as Google Tag Manager
  • Retain proof of consent (timestamp of consent, consent choice, page path where consent was given, country of the visitor, pseudonymous user identifier - Cookifi ID)

4. Categories of Data Subjects

The personal data processed by Cookifi concerns the following categories of data subjects:

  • End-users, defined as individuals who visit the Controller’s websites or digital properties

5. Categories of Personal Data

The categories of personal data processed include:

  • A pseudonymous Cookifi ID
  • Timestamp of consent
  • Consent choices
  • Page path where consent was given
  • Country (derived from IP address)

Note: Cookifi does not collect or store end-users’ names or email addresses. IP addresses are processed temporarily at runtime solely to determine the visitor’s location for region-specific consent behaviour and to derive the country stored in the consent log. IP addresses are not retained.

6. Obligations of the Controller

The Controller agrees to:

  • Use Cookifi in a manner that complies with all applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR), where relevant.
  • Ensure that any data collection, storage, or processing performed based on user consent signals managed by Cookifi (e.g. via Google Tag Manager or other tools) is done lawfully, transparently, and in accordance with the applicable legal basis under the relevant jurisdiction.
  • Clearly inform its users about the use of Cookifi and its role in the consent process
  • Implement Cookifi correctly (e.g. configure cookie blocking, consent triggers, etc.)

7. Obligations of the Processor

Cookifi shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure confidentiality and security of data through technical and organisational measures
  • Assist the Controller in fulfilling their obligations (e.g. data deletion requests)
  • Notify the Controller without undue delay in case of a personal data breach
  • Maintain a record of processing activities
  • Provide upon request reasonable information and cooperation for audits, subject to confidentiality

8. Sub-processors

Cookifi uses the following sub-processors to support its services:

  • Amazon Web Services (AWS) - Hosting provider, located in Frankfurt, Germany
  • Stripe, Inc - Payment processing and billing information, USA
  • Google LLC (OAuth) - Authentication service used during sign-in, USA
  • PostHog, Inc - Product analytics related to user interactions within the Cookifi platform, EU
  • Microsoft Clarity - Session replay and heatmap analytics (for product usage insights)
Cookifi shall inform the Controller of any intended changes to the list of sub-processors and allow the Controller to object on reasonable grounds.

9. International Transfers

All data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA — for example, to sub-processors such as Google LLC or Stripe Inc. — such transfers are safeguarded using Standard Contractual Clauses (SCCs) or other appropriate legal mechanisms as required under the GDPR.

10. Data Retention and Deletion

  • Data is retained for as long as the Controller maintains an active subscription.
  • Upon termination of the Agreement or upon request, Cookifi shall delete all personal data unless EU law requires retention.

11. Liability

Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

12. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Slovakia, and disputes shall be resolved by the courts of Bratislava, Slovakia.

IN WITNESS WHEREOF, by using Cookifi, the Controller is deemed to have accepted this DPA. For custom arrangements, a separately signed version may be requested.