Data Processing Addendum (DPA)

Last updated: 25 April 2026

VRCAnalytics is an independent project not affiliated with, endorsed by, or sponsored by VRChat Inc. "VRChat" is a trademark of VRChat Inc.

This Addendum supplements our Terms of Service and forms a binding agreement between you (the "Controller") and Redacted (the "Processor", "we") whenever we process personal data on your behalf in connection with the VRCAnalytics service. It is designed to satisfy Article 28 of Regulation (EU) 2016/679 (GDPR).

1. Scope

This DPA applies to player data we receive from VRChat worlds you have registered on VRCAnalytics (beacon traffic and derived analytics). For data about you as our customer (account email, password, billing), we are an independent controller — see the Privacy Policy.

2. Subject matter and duration

  • Subject matter: processing of personal data from VRChat players visiting your registered world(s).
  • Nature and purpose: aggregation and analysis of session events to provide you with usage analytics.
  • Duration: for as long as you have an active account with us; processing ends on account deletion or termination.
  • Categories of data subjects: VRChat players whose clients fired beacons in your world.
  • Categories of personal data: a synthetic session identifier (salted hash), platform identifier (PC VR / Desktop / Quest), instance-size bucket, FPS bucket, zone enter/exit events for zones you defined, and event timestamps. We do not persist IP addresses, User-Agent strings, VRChat user IDs, display names, or any other player-identifying values.

3. Controller's instructions

You instruct us to process the data for the following purposes only:

  • To deliver and operate the analytics dashboard.
  • To compute aggregate metrics (visit counts, retention, session duration, etc.).
  • To enforce technical safeguards (rate-limiting, abuse detection).
  • To comply with our legal obligations.

We will not process the data for any other purpose without your prior written instruction.

4. Confidentiality

We ensure that personnel authorised to process the data are subject to confidentiality obligations.

5. Security measures

We implement appropriate technical and organisational measures, including:

  • Encryption of secrets at rest (AES-GCM) and bcrypt password hashing (cost 12).
  • HTTPS in transit; HSTS in production.
  • Multi-layer rate-limiting (per-IP global, per-world, per-route).
  • Access control on the database (network rules + IAM).
  • Suspicious-source flagging on beacon traffic.
  • Routine security review of dependencies and code.

6. Sub-processors

You authorise us to engage the following sub-processors:

  • Resend — transactional email (password resets, notifications).
  • Railway, Inc. — managed Postgres in the EU.
  • Cloudflare — CDN, DDoS protection.

We will notify you at least 14 days in advance of changes to this list and give you a chance to object.

7. International transfers

Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission and apply supplementary measures where necessary.

8. Data subject rights

Players may exercise GDPR rights either by contacting you directly or by writing to legal@vrcanalytics.com. We will assist you in responding within 30 days, including providing access, correction, portability, restriction, and erasure where applicable.

9. Personal data breaches

We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any personal-data breach affecting your data, with the information needed for you to meet your own breach-notification obligations under Article 33 GDPR.

10. Audits

On reasonable written notice (no more than once per 12 months unless required by law) you may request audit information sufficient to demonstrate compliance with this DPA. We may satisfy this by providing existing third-party security reports.

11. Return and deletion of data

On termination of the Service, we delete or return all personal data within 30 days, save copies required for legal compliance.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

13. Governing law

This DPA is governed by the laws of the Czech Republic and forms an integral part of the Terms of Service.

14. Contact

For DPA matters, contact our data-protection contact at legal@vrcanalytics.com.