Data Processing Agreement
Effective: February 2, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Growth Mom and you ("Customer") and governs the processing of personal data.
2. Definitions
- Controller: You, the customer, who determines the purposes and means of processing personal data
- Processor: Growth Mom, which processes data on your behalf
- Subprocessor: Third-party vendors that Growth Mom uses to provide the service
- Personal Data: Any information relating to an identified or identifiable person
3. Scope of Processing
Growth Mom processes the following data on your behalf:
- Website visitor data from Google Analytics (traffic, sessions, page views, UTM parameters)
- Revenue data from Stripe (transactions, subscriptions, customer counts)
- Content attribution data (which content drove which conversions)
Important: We never use your data for our own marketing or profiling. We never sell or share your data with third parties for their own purposes.
4. Data Processing Obligations
Growth Mom commits to:
- Process data only according to your instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject requests
- Delete or return data upon termination of the agreement
- Make available information necessary to demonstrate compliance
5. Your Responsibilities
As the Controller, you are responsible for:
- Ensuring you have a lawful basis for collecting visitor data
- Displaying appropriate cookie consent banners on your website
- Responding to data subject access requests for data you control
- Ensuring the accuracy of data you provide to Growth Mom
6. Subprocessors
We use the following subprocessors to provide our service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | EU |
| Render | Hosting | EU |
| Google Cloud | Analytics API access | EU |
| Stripe | Payment data API access | EU |
We will notify you before adding new subprocessors that process personal data.
7. International Data Transfers
Some of our subprocessors are located outside the European Economic Area (EEA). For transfers to countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Subprocessor certifications and compliance frameworks
8. Security Measures
We implement the following security measures:
- HTTPS encryption for all data in transit
- Encryption at rest for stored data
- Access controls and authentication requirements
- Regular backups with secure storage
- Row-level security policies in our database
- OAuth token encryption
9. Data Retention
- Active accounts: Data retained while account is active
- Cancelled accounts: Data deleted within 30 days
- Free accounts (not converted): Data deleted within 30 days after account inactivity
10. Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay (and within 72 hours where feasible) after becoming aware of the breach. The notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken to address the breach
11. Audits
Upon reasonable request and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA.
12. Term and Termination
This DPA remains in effect for the duration of your use of Growth Mom. Upon termination, we will delete your data in accordance with our retention policy unless legally required to retain it.
13. Governing Law
This DPA is governed by the laws of France. For EU customers, nothing in this DPA reduces your rights under GDPR.
14. Contact
For DPA-related inquiries, contact us at:
contact@growthmom.io