Data Processing Agreement

How pomela processes your end‑users' data on your behalf. This DPA forms part of, and is governed by, the Terms of Service.

Effective 2026‑06‑01 · Applies whenever a pomela app collects or stores end‑user data.

The core relationship For the personal data your generated apps collect from your end‑users ("users‑of‑users"), you are the data controller and pomela is your data processor. You decide what data is collected and why; we process it only to provide the service, only on your documented instructions.

1 · Definitions

"Controller", "Processor", "Sub‑processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "End‑User Data" means personal data your app collects from your end‑users and stores through pomela (e.g., the rows in app_state). "Your Account Data" means data about you as our customer (your email, plan, prompts), for that, pomela is the controller; see the Privacy Policy.

2 · Roles

3 · Processing on instructions

We process End‑User Data only as instructed by you and as necessary to provide the service. If we believe an instruction violates data‑protection law, we will tell you. If we are legally compelled to process beyond your instructions, we will notify you first unless the law forbids it.

4 · Users‑of‑users' rights

Your end‑users are your data subjects. You are responsible for responding to their access, rectification, erasure, portability, and objection requests. pomela gives you the tooling to do so:

If we receive a request directly from one of your end‑users, we will not respond to it ourselves; we will refer them to you (or forward it to you) as the controller.

5 · Security

We maintain appropriate technical and organizational measures, encryption in transit and at rest, secret storage in an AES‑256‑GCM vault, row‑level‑security tenant isolation, least‑privilege access, and audit logging. The current measures are summarized in our Security page and incorporated here by reference.

6 · Sub‑processors

You authorize pomela to engage the sub‑processors listed at /legal/subprocessors to process End‑User Data on your behalf. We impose data‑protection obligations on each sub‑processor no less protective than this DPA. Change notification: before adding or replacing a sub‑processor, we will update that list and notify subscribed creators by email at least 14 days in advance; you may object on reasonable data‑protection grounds, and if we can't resolve the objection you may terminate the affected processing.

7 · Breach notification

If we become aware of a personal‑data breach affecting End‑User Data, we will notify you without undue delay and provide the information you reasonably need to meet your own notification obligations.

8 · Return & deletion

On termination, or on your request, we will delete (or, where you ask and it is feasible, return) the End‑User Data we process for you, except where retention is required by law. The in‑product deletion tools perform this for a given app immediately and irreversibly.

9 · International transfers

Where End‑User Data is transferred outside its region, we rely on a lawful transfer mechanism (e.g., Standard Contractual Clauses) with the relevant sub‑processor. A lawyer must confirm the specific mechanisms and any regional addenda for your launch markets.

10 · Audit

On reasonable notice and no more than once per year (or after a breach), we will make available the information necessary to demonstrate compliance with this DPA, including third‑party certifications where available (see the certification track in our gaps document).

This DPA is a draft skeleton modeled on GDPR Article 28 controller/processor terms. A lawyer must finalize the parties, the Standard Contractual Clauses, the regional addenda (UK, Swiss, US state laws), and the technical‑and‑organizational‑measures annex.