Data Processing Addendum

Last updated: May 25, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between you ("you", "Customer") and MyPrivacyBack ("we", "Processor") under our Terms of Service. It governs the processing of personal data relating to the household members ("Data Subjects") you add to your account so that we can submit deletion requests on their behalf.

This DPA is offered to all subscribers automatically; no signature is required. If you need a counter-signed copy for your records, email privacy@myprivacyback.com.

1. Definitions

Capitalized terms not defined here have the meaning given in the EU General Data Protection Regulation 2016/679 ("GDPR"). "Applicable Data Protection Law" means GDPR, UK GDPR, CCPA/CPRA, and any equivalent law applicable to the processing.

2. Roles

  • You are the Controller of personal data relating to household members you register on the Service.
  • We act as the Processor for that data, processing it only on your documented instructions for the purpose of providing the Service.
  • For your own account information (email, billing, support correspondence) we act as an independent Controller, as described in our Privacy Policy.

3. Subject matter, duration, nature and purpose

  • Subject matter: processing personal data of household members in order to draft, send, track, and re-send data-deletion requests to data brokers.
  • Duration: for the term of your subscription, plus the deletion window described in our Privacy Policy.
  • Nature and purpose: automated submission of CCPA, GDPR, UK GDPR, and similar deletion requests, including handling of identity verification challenges from data brokers.
  • Categories of personal data: names and aliases, current and prior addresses, email addresses, phone numbers, date of birth, country and state of residence.
  • Categories of Data Subjects: the account holder and up to four other household members on the Family plan.

4. Our obligations as Processor

We will:

  • Process personal data only on your documented instructions, including instructions regarding international transfers
  • Ensure that personnel authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organizational measures (see Section 7)
  • Use subprocessors only on the terms in Section 5
  • Assist you with responding to Data Subject requests, to the extent reasonably required
  • Notify you without undue delay of any personal data breach affecting your data
  • On termination, delete or return all personal data as instructed, subject to retention required by law
  • Make available all information reasonably necessary to demonstrate compliance with this DPA

5. Subprocessors

You authorize us to engage the following subprocessors. By using the Service you accept this list. We may update it; we will notify subscribers by email at least 14 days before adding a new subprocessor, and you may object on legitimate data protection grounds.

Subprocessor               | Service                                                   | Location
---------------------------|-----------------------------------------------------------|------------------------------
Vercel Inc.                | Web app hosting                                           | United States
Neon Inc.                  | Database hosting (Postgres)                               | United States (AWS us-east-1)
Amazon Web Services, Inc.  | Worker compute, object storage, transactional email (SES) | United States (us-east-1)
Stripe, Inc.               | Payment processing                                        | United States
Prighter GmbH              | EU Art. 27 representative                                 | Austria (EU)

We have signed a Data Processing Addendum or equivalent contractual protections with each subprocessor that include the safeguards in GDPR Art. 28.

6. International transfers

Personal data may be transferred outside the European Economic Area or the United Kingdom, principally to the United States. Transfers rely on:

  • The European Commission's Standard Contractual Clauses (Module 2: Controller to Processor)
  • The UK International Data Transfer Addendum where the source country is the UK
  • The EU-US Data Privacy Framework where the receiving entity is certified

On request we will provide a copy of the executed SCCs with each subprocessor. Email privacy@myprivacyback.com.

7. Technical and organizational measures

  • Encryption in transit: TLS 1.2 or higher for all connections
  • Encryption at rest: AES-256 for database and object storage
  • Access control: least-privilege IAM roles, MFA on admin accounts, audited password hashing
  • Network segmentation: internal services not exposed publicly
  • Logging and monitoring: security events centralized, retained 30 days, reviewed for anomalies
  • Backups: daily database snapshots, retained 7 days
  • Personnel: background checks and confidentiality agreements for everyone with production access
  • Incident response: documented breach response plan with notification within 72 hours under GDPR Art. 33
  • Vulnerability management: dependency scanning, prompt patching of critical vulnerabilities

8. Data Subject rights

We will assist you with responding to Data Subject requests under GDPR Art. 15–22 or CCPA / CPRA equivalents. To the extent technically possible, our dashboard lets you export, correct, or delete a household member's data directly. For requests we cannot fulfill through self-service, email privacy@myprivacyback.com and we will respond within 30 days.

9. Breach notification

If we become aware of a personal data breach affecting your data, we will notify you without undue delay and in any case within 72 hours. The notification will include the nature of the breach, categories of data and Data Subjects affected, likely consequences, and the measures taken or proposed to address it.

10. Audits

On reasonable prior notice and no more than once per twelve-month period, you may request information necessary to demonstrate our compliance with this DPA. For audits beyond what is reasonable to provide remotely, you may appoint an independent auditor at your own cost, subject to confidentiality, scope, and scheduling we mutually agree.

11. Return and deletion

On expiry or termination of your subscription, we will delete the personal data of household members within 30 days, except where storage is required by Applicable Data Protection Law. On written request we will instead return the data to you in a structured, commonly used, machine-readable format before deletion.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in our Terms of Service, except where that limitation is not permitted under Applicable Data Protection Law.

13. Order of precedence

If there is any conflict between this DPA and our Terms of Service or Privacy Policy as it relates to the processing of household members' personal data, this DPA prevails.

14. Contact

MyPrivacyBack
Privacy: privacy@myprivacyback.com
EU representative (Art. 27): Prighter — see prighter.com