Data Processing Agreement
How pomela processes your end‑users' data on your behalf. This DPA forms part of, and is governed by, the Terms of Service.
1 · Definitions
"Controller", "Processor", "Sub‑processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "End‑User Data" means personal data your app collects from your end‑users and stores through pomela (e.g., the rows in app_state). "Your Account Data" means data about you as our customer (your email, plan, prompts), for that, pomela is the controller; see the Privacy Policy.
2 · Roles
- You = Controller. You determine the purposes and means of processing End‑User Data. You are responsible for having a lawful basis, for your own privacy notice to your end‑users, and for honoring their rights.
- pomela = Processor. We process End‑User Data only to host, serve, sync, and secure your app, and only on your instructions (using the service in the ordinary way is an instruction). We will not use End‑User Data for our own purposes, will not sell it, and will not access it except as needed to provide or secure the service or as you direct.
3 · Processing on instructions
We process End‑User Data only as instructed by you and as necessary to provide the service. If we believe an instruction violates data‑protection law, we will tell you. If we are legally compelled to process beyond your instructions, we will notify you first unless the law forbids it.
4 · Users‑of‑users' rights
Your end‑users are your data subjects. You are responsible for responding to their access, rectification, erasure, portability, and objection requests. pomela gives you the tooling to do so:
- Export an app's stored end‑user data (Account → your app → Export data), and end‑users can export their own data from within an app.
- Permanent deletion, scoped strictly to your app, it never touches another creator's data. Deletion is irreversible.
- Tenant isolation is enforced at the database layer (row‑level security), so each app's data is walled off by construction. See Security.
If we receive a request directly from one of your end‑users, we will not respond to it ourselves; we will refer them to you (or forward it to you) as the controller.
5 · Security
We maintain appropriate technical and organizational measures, encryption in transit and at rest, secret storage in an AES‑256‑GCM vault, row‑level‑security tenant isolation, least‑privilege access, and audit logging. The current measures are summarized in our Security page and incorporated here by reference.
6 · Sub‑processors
You authorize pomela to engage the sub‑processors listed at /legal/subprocessors to process End‑User Data on your behalf. We impose data‑protection obligations on each sub‑processor no less protective than this DPA. Change notification: before adding or replacing a sub‑processor, we will update that list and notify subscribed creators by email at least 14 days in advance; you may object on reasonable data‑protection grounds, and if we can't resolve the objection you may terminate the affected processing.
7 · Breach notification
If we become aware of a personal‑data breach affecting End‑User Data, we will notify you without undue delay and provide the information you reasonably need to meet your own notification obligations.
8 · Return & deletion
On termination, or on your request, we will delete (or, where you ask and it is feasible, return) the End‑User Data we process for you, except where retention is required by law. The in‑product deletion tools perform this for a given app immediately and irreversibly.
9 · International transfers
Where End‑User Data is transferred outside its region, we rely on a lawful transfer mechanism (e.g., Standard Contractual Clauses) with the relevant sub‑processor. A lawyer must confirm the specific mechanisms and any regional addenda for your launch markets.
10 · Audit
On reasonable notice and no more than once per year (or after a breach), we will make available the information necessary to demonstrate compliance with this DPA, including third‑party certifications where available (see the certification track in our gaps document).