Data Processing Agreement (DPA)
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PriceOtus ("Processor") and the customer entity agreeing to those terms ("Controller").
1. Definitions
"Personal Data", "Processing", "Controller", and "Processor" have the meanings given in Regulation (EU) 2016/679 (GDPR).
"Customer Data" means product catalogues, pricing data, and related business data submitted by the Controller to the Service.
"Account Data" means personal data provided by the Controller when registering or managing an account, specifically: work email address and country.
2. Scope and Role
PriceOtus acts as a Data Processor on behalf of the Controller. The Controller determines the purposes and means of processing. Processing is limited to:
- Account Data — to operate, maintain, and communicate about the Service
- Customer Data — to provide price monitoring, competitor analysis, and automated pricing features
Processing begins at the start of a free trial and continues for the duration of the subscription.
3. Our Obligations
PriceOtus will:
- Process Personal Data only on documented instructions from the Controller (as defined by use of the Service and these Terms)
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject rights requests where applicable
- Delete or return all Personal Data upon termination of the Service (see Section 7)
- Notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a Personal Data breach
4. Data Location
All Personal Data is stored and processed on servers located in Paris, France (European Union). No transfer of Personal Data outside the European Economic Area occurs in the course of primary data processing.
5. Sub-processors
The Controller authorizes PriceOtus to engage the following sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Hosting provider | Paris, France (EU) | Infrastructure and data hosting |
| Paddle | United Kingdom | Payment processing and billing |
| SendGrid (Twilio) | United States | Transactional email delivery |
| Shopify | Canada | E-commerce platform integration for product data retrieval |
Paddle and SendGrid are located outside the EU. Transfers to these sub-processors are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission. Canada benefits from an EU adequacy decision; no additional transfer mechanism is required for Shopify.
PriceOtus will notify the Controller of any intended changes to sub-processors at least 14 days in advance by email or in-app notice. The Controller may object to such changes in writing within 14 days.
6. Data Subject Rights
The Controller is responsible for handling data subject requests from their own end-users. PriceOtus will assist the Controller where technically feasible, at the Controller's reasonable written request.
7. Retention and Deletion
PriceOtus retains Personal Data for the duration of the subscription plus 30 days. Upon termination:
- Account Data is deleted within 30 days
- Customer Data (product catalogues, pricing data) is available for export for 30 days post-termination, after which it is permanently deleted
- The Controller may request earlier deletion by contacting [email protected]
8. Audit Rights
The Controller may request written confirmation of PriceOtus's compliance with this DPA once per calendar year. PriceOtus will respond within 30 days.
9. Governing Law
This DPA is governed by the laws of England and Wales, consistent with the Terms of Service. Where mandatory EU data protection law applies, it takes precedence.
Contact
For any questions regarding this DPA or data processing practices, contact us at:
[email protected] — Attention: Data Protection Officer