Data Processing Agreement

1. Parties

Processor:
Christopher Arm, trading as Adopture
Rennbaumer Straße 44
42349 Wuppertal
Germany
(hereinafter “Processor”)

Controller:
The customer who has an active Adopture account
(hereinafter “Controller”)

Together referred to as “the Parties”.

2. Subject Matter & Duration

This Data Processing Agreement (DPA) governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the Adopture analytics platform.

Duration: For the term of the service agreement between the Parties (i.e., as long as the Controller has an active Adopture account).

This DPA supplements the Terms of Service at /terms.

3. Nature & Purpose of Processing

• Collection, storage, aggregation, statistical analysis, and display of mobile application analytics events
• Providing the Controller with dashboards, reports, retention cohorts, and API access to their analytics data
• Geographic enrichment of events using IP-based geolocation (IP addresses are used transiently and never stored)

4. Types of Personal Data

• Hashed user identifiers (SHA256, pseudonymized, not reversible)
• Device metadata: operating system, OS version, app version, screen dimensions, locale
• Geographic data: country and region (derived from IP, IP immediately discarded)
• Session identifiers (random UUIDs)
• Event data: type, name, timestamp, custom properties (as defined by Controller)

Note: IP addresses are processed transiently for geo-enrichment only and are never persisted.

5. Categories of Data Subjects

End users of the Controller’s mobile applications.

6. Processor Obligations (Art. 28(3) GDPR)

The Processor shall:

1. Process personal data only on documented instructions from the Controller, unless required by EU or member state law.
2. Ensure that persons authorized to process the data have committed themselves to confidentiality.
3. Implement appropriate technical and organizational measures (see Section 8).
4. Not engage another processor without prior written authorization from the Controller (see Section 7 for current sub-processors).
5. Assist the Controller in responding to data subject requests (Art. 15–22 GDPR).
6. Assist the Controller in ensuring compliance with Art. 32–36 GDPR (security, breach notification, DPIA).
7. At the Controller’s choice, delete or return all personal data after the end of the service, and delete existing copies unless EU or member state law requires storage.
8. Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits.

7. Sub-processors

The Controller grants general authorization for sub-processors. Current sub-processors:

The Processor shall:

• Inform the Controller of any intended changes to sub-processors at least 30 days in advance via email.
• The Controller may object to the change within 14 days. If the objection is not resolved, the Controller may terminate the service.
• Ensure that sub-processors are bound by the same data protection obligations.

8. Technical & Organizational Measures (Art. 32 GDPR)

The Processor implements the following measures:

Confidentiality

• Access controls: authentication required for all systems
• Role-based access: customers can only access their own apps’ data
• API key authentication with permission scoping

Integrity

• TLS encryption for all data in transit
• Input validation on all API endpoints
• Webhook signature verification (Stripe, RevenueCat)

Availability

• Automated health checks and monitoring
• Zero-downtime deployments
• Automated rollback on failure

Privacy by Design

• IP addresses are never stored — used only for geographic lookup, then discarded
• User identifiers are SHA256 hashed before storage (irreversible)
• No cookies in the mobile SDK
• No fingerprinting or cross-app tracking
• Data isolation: each customer’s data is logically separated

Data Hosting

• All analytics data stored on Hetzner servers in Falkenstein/Nuremberg, Germany
• Data does not leave the European Union

9. Data Subject Requests

• The Processor shall assist the Controller in fulfilling data subject requests under Art. 15–22 GDPR.
• The Processor shall promptly forward any data subject request received directly to the Controller.
• Due to the pseudonymized nature of the data (hashed IDs), identification of individual data subjects may not be possible without additional information from the Controller.

10. Data Breach Notification

• The Processor shall notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a personal data breach.
• The notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
• The 48-hour timeframe allows the Controller sufficient time to meet the 72-hour notification obligation to the supervisory authority under Art. 33 GDPR.

11. Data Deletion

• Analytics data is subject to automatic time-based deletion (ClickHouse TTL).
• Default retention: 2 years; configurable by the Controller (1–730 days) via app settings.
• Upon termination of the service agreement, the Processor shall delete all personal data within 30 days, unless retention is required by law.
• The Controller may request early deletion at any time by contacting chris@adopture.com.

12. Audit Rights

• The Controller has the right to conduct audits, including inspections, to verify compliance with this DPA.
• The Processor shall cooperate with such audits and provide all necessary information.
• Audits shall be conducted during normal business hours with reasonable advance notice (at least 14 days).
• The Controller shall bear the costs of any audit unless the audit reveals material non-compliance.

13. Governing Law

• This DPA is governed by the laws of the Federal Republic of Germany.
• Place of jurisdiction: Wuppertal, Germany (for B2B relationships).
• In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with regard to data protection matters.