Data Processing Agreement
Last updated: 2026-05-03
This Data Processing Agreement (“DPA”) is incorporated automatically into our Terms of Service for all customers who use the PinAppAI widget on a website they control. No countersignature is required. By continuing to use the Service after the publication date above, you accept this DPA.
If your organisation requires a signed DPA on its own paper, contact [email protected].
1. Subject matter and duration
PinAppAI (“Processor”) processes personal data on behalf of the customer (“Controller”) to provide the PinAppAI Service for the duration of the customer’s subscription, plus a 30-day post-termination data retrieval window.
2. Nature and purpose of processing
Collection, storage, organisation, retrieval, analysis (where customer enables AI features), display, and deletion of feedback data submitted to PinAppAI widgets installed on the Controller’s sites.
3. Categories of data subjects
End users of the Controller’s websites who interact with the PinAppAI widget.
4. Categories of personal data
- Optional author email address and display name (only if the end user provides them);
- Comment text submitted by the end user;
- Page URL and path where feedback was left;
- Viewport dimensions and CSS selector for the pin position;
- User-agent string;
- Optional screenshot images of page regions (only if end user opts in);
- Transient IP addresses for rate-limiting and abuse detection (not stored beyond the rate-limit window).
5. Controller instructions
- 5.1. Processor processes personal data only on documented instructions from the Controller. The Controller’s instructions are documented in the Terms of Service, the configuration of the Controller’s account (allowed origins, retention settings, AI feature opt-in), and any subsequent written instructions agreed by the parties.
- 5.2. Processor will inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
- 5.3. Processor will not process personal data for its own purposes, except as needed for the security, performance, and legitimate operation of the Service (e.g. fraud prevention, abuse detection).
- 5.4. Processor will not transfer personal data to a third country except as set out in Clause 13 (International transfers).
6. Confidentiality
Processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security measures
Processor implements appropriate technical and organisational measures, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk to data subjects. Measures include:
- In transit: TLS 1.2 or higher for all connections.
- At rest: AES-256 encryption provided by Cloudflare for D1 (database) and R2 (object storage).
- Access control: least-privilege role-based access; multi-factor authentication enforced for production access.
- Audit logging: immutable log of privileged actions retained 7 years.
- Authentication: short-lived bearer tokens; per-row edit tokens for end-user erasure rights.
- Incident detection: anomaly detection on rate limits, error rates, and unusual access patterns.
- Backup and recovery: automated daily snapshots; documented recovery procedures with RTO ≤ 4 hours, RPO ≤ 24 hours.
- Vulnerability management: automated dependency scanning on every code change; secret scanning in CI; periodic penetration testing.
8. Sub-processor authorisation
Controller authorises Processor to engage the sub-processors listed at /sub-processors/, which maintains two tiers:
- Active sub-processors — currently processing personal data on Controller’s behalf.
- Approved sub-processors — pre-cleared by Controller for future activation. Processor may move an Approved sub-processor to Active, or add a new vendor to either list, by giving Controller advance written notice with sufficient time to evaluate and raise reasonable objections.
Where Controller objects on reasonable grounds during the notice window, the parties will discuss in good faith. If no alternative is feasible, Controller may terminate the affected service without penalty.
In exceptional circumstances — including a security incident requiring urgent vendor replacement, urgent regulatory compliance, or termination of a sub-processor’s service outside Processor’s control — Processor may engage a sub-processor with shorter notice or after-the-fact, with prompt notification to Controller and documentation in the public change log.
Processor enters into a written agreement with each sub-processor that imposes data protection obligations no less protective than those in this DPA.
9. Data subject requests
Processor assists Controller in fulfilling Controller’s obligations to respond to data subject requests under GDPR Articles 15 to 22. If a data subject contacts Processor directly with a request relating to Controller’s data, Processor will forward the request to Controller within 5 business days and will not respond directly except to acknowledge receipt and direct the data subject to the Controller.
10. Audit and inspection rights
Processor will make available to Controller all information necessary to demonstrate compliance with this DPA. Controller may, no more than once per calendar year and upon 30 days’ written notice, conduct an audit of Processor’s relevant facilities and records, at Controller’s expense and subject to a mutually agreed non-disclosure agreement. Controller may rely on third-party audit reports (such as Processor’s SOC 2 report, when available) in lieu of conducting its own audit.
11. Personal data breach notification
Processor will notify Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Controller’s data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.
12. Deletion or return of personal data on termination
On termination of the Controller’s subscription, Processor will:
- Make personal data available for export by Controller for 30 days after termination via the existing export tools in the admin dashboard;
- Delete all personal data from production systems within 30 days after the export window ends;
- Delete personal data from backups within the next backup rotation cycle (no longer than 90 days after termination);
- On Controller’s written request, provide a certificate of deletion.
13. International transfers
Where personal data is transferred outside the EU/EEA/UK to a country without an adequacy decision, the parties incorporate by reference the European Commission’s Standard Contractual Clauses for processor-to-processor and controller-to-processor transfers (Module Two and Module Three respectively, as applicable), and the UK International Data Transfer Addendum where Controller is established in the UK. The current versions are available at commission.europa.eu.
14. Liability
Each party’s liability arising out of or related to this DPA is subject to the limitation of liability set out in our Terms of Service, except that nothing in this DPA limits liability for: (a) gross negligence, willful misconduct, or fraud; (b) liability that cannot be limited under applicable law; or (c) statutory penalties imposed by a supervisory authority.
15. Acceptance and changes
By using the Service after the publication date above, Controller accepts this DPA. Material changes will be communicated by email to account holders at least 30 days before they take effect. Controller may terminate the affected service without penalty during the notice period if Controller cannot reasonably accommodate the change.