Data Processing Agreement (DPA)
Effective Date: April 18, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PinLaunchr, 1209 Mountain Road Place Northeast, Albuquerque, NM 87110, United States ("Processor," "we") and the customer accepting the Terms ("Customer," "you"), and applies where and to the extent PinLaunchr processes Personal Data subject to the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, or similar data protection laws ("Data Protection Laws") on your behalf in providing the Service.
Table of Contents
- Definitions
- Roles and Scope
- Details of Processing
- Processor Obligations
- Confidentiality
- Subprocessors
- Security
- Data Subject Requests
- Personal Data Breach
- Audits and Information
- International Transfers
- Return and Deletion
- CCPA/CPRA Provisions
- Liability and Order of Precedence
1. Definitions
"Personal Data," "Controller," "Processor," "Data Subject," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings given in the GDPR. "Customer Data" means Personal Data that you provide to, upload to, or have processed by the Service (e.g., end-user content, images, URLs, Pinterest data you authorize). "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller→processor), and "UK Addendum" means the UK ICO International Data Transfer Addendum.
2. Roles and Scope
- For Customer Data, you are the Controller (or a processor acting for another controller) and PinLaunchr is the Processor.
- For account, billing, usage, and security data we collect for our own purposes, PinLaunchr acts as an independent Controller as described in our Privacy Policy; that processing is outside the scope of this DPA.
- We will process Customer Data only on your documented instructions, including as set out in the Terms, this DPA, and your configuration and use of the Service (e.g., generating content, scheduling and publishing pins), unless required otherwise by law — in which case we will inform you unless legally prohibited.
3. Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the PinLaunchr Service (AI pin/text generation, scheduling, Pinterest board management, analytics, automation) |
| Duration | Term of the Agreement plus the deletion period in Section 12 |
| Nature & purpose | Hosting, storage, transmission to AI providers at your direction, publication to Pinterest at your direction, display, backup, support |
| Categories of Data Subjects | Customer's users and personnel; individuals appearing in content Customer uploads; Customer's audience to the extent contained in analytics |
| Categories of Personal Data | Names, email addresses, account identifiers, images and content uploaded by Customer, URLs, Pinterest account/board/pin identifiers and analytics, scheduling metadata |
| Special categories | None intended; Customer must not submit special-category data |
4. Processor Obligations
We will: (a) process Customer Data only per Section 2; (b) inform you if we believe an instruction violates Data Protection Laws; (c) assist you, taking into account the nature of processing, with data protection impact assessments, prior consultations, and your security and notification obligations under Articles 32–36 GDPR; and (d) maintain records of processing as required by Article 30 GDPR.
5. Confidentiality
We ensure that persons authorized to process Customer Data are bound by confidentiality obligations (contractual or statutory) and access Customer Data only as needed to provide the Service.
6. Subprocessors
- You provide general authorization for our use of subprocessors. Our current subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database, file storage | USA/EU |
| Google (Firebase) | Authentication, infrastructure | USA |
| Stripe | Payment processing | USA |
| OpenAI | Text generation | USA |
| Image-generation model providers (as listed in-product) | Image generation | USA |
| Hosting/CDN provider (as listed in-product) | Application hosting | USA |
- We will maintain an up-to-date subprocessor list (available on request to contact@pinlaunchr.com or at a URL we designate) and will provide at least 14 days' notice of new subprocessors. You may object on reasonable data-protection grounds; if we cannot accommodate the objection, you may terminate the affected services and receive a pro-rata refund of prepaid, unused fees.
- We impose data protection obligations on subprocessors that are no less protective than this DPA and remain liable for their performance.
7. Security
We implement appropriate technical and organizational measures as described in our Security Policy, including encryption in transit, access controls, scoped credentials, and logging, taking into account the state of the art, costs, and the nature, scope, context, and purposes of processing.
8. Data Subject Requests
Taking into account the nature of processing, we will assist you by appropriate technical and organizational measures in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If a Data Subject contacts us directly about Customer Data, we will direct them to you and will not respond substantively except as required by law.
9. Personal Data Breach
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably required for your notification obligations, including the nature of the breach, categories and approximate numbers affected, likely consequences, and measures taken or proposed.
10. Audits and Information
On written request (no more than once per 12 months, absent a breach or regulator requirement), we will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audits/certifications of our infrastructure providers, and will allow audits by you or your mandated auditor, subject to reasonable notice, confidentiality, scope, and timing controls, and conducted at your expense.
11. International Transfers
Where Customer Data subject to the GDPR/UK GDPR/Swiss FADP is transferred to a country without an adequacy decision:
- The SCCs (Module Two) are incorporated by reference, with PinLaunchr as data importer and you as data exporter; Clause 7 (docking) included; Clause 9 Option 2 (general authorization, 14 days); Clause 17 governed by Irish law; Clause 18 courts of Ireland; Annexes I–II are populated by Section 3, Section 6, and the Security Policy.
- For UK transfers, the UK Addendum applies; for Swiss transfers, the SCCs apply as adapted for the FADP.
- Where a subprocessor is certified under the EU-U.S. Data Privacy Framework, transfers may also rely on that mechanism.
12. Return and Deletion
Upon termination of the Agreement, or earlier at your request, we will delete or return Customer Data (at your choice) and delete existing copies within 90 days, unless retention is required by law. Content already published to Pinterest or third-party image hosts at your direction is governed by those platforms.
13. CCPA/CPRA Provisions
To the extent we process Personal Information of California consumers on your behalf, we act as a "service provider." We will not: sell or share the Personal Information; retain, use, or disclose it for any purpose other than providing the Service (or as permitted by the CCPA); or combine it with other data except as permitted. We certify that we understand and will comply with these restrictions, will notify you if we can no longer comply, and grant you rights to take reasonable steps to stop and remediate unauthorized use.
14. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. In case of conflict: (1) the SCCs/UK Addendum prevail; (2) then this DPA; (3) then the Terms.
Contact for this DPA: contact@pinlaunchr.com
PinLaunchr, 1209 Mountain Road Place Northeast, Albuquerque, NM 87110, United States
