Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms of Service between Shand Enterprises LLC ("Clyro", "we", "us") and the business that uses the Clyro platform to build, host, and measure funnels (the "operator", "you"). It sets out the terms on which Clyro processes personal data relating to the visitors and leads of the operator's funnels (together, the "funnel-visitor data") on the operator's behalf.
For that funnel-visitor data, the operator is the controller and Clyro is the processor. Where Clyro is instead the controller — for example, of the operator's own account, billing, and usage data — the Privacy Policy governs directly and this DPA does not apply.
How this DPA applies
This DPA applies automatically to every operator from the moment you accept the Terms of Service and use the Service to collect or process funnel-visitor data. It does not require a separate signature to take effect.
This DPA applies only to the processing of funnel-visitor data, for which the operator is the controller and Clyro is the processor. It does not govern operator account, billing, or usage data; for that data Clyro is the controller and the Privacy Policy applies.
Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service. The following definitions apply throughout this DPA:
- Applicable data protection law means all data protection and privacy laws that apply to the processing of funnel-visitor data under this DPA, including the EU General Data Protection Regulation (the "GDPR"), the UK GDPR and the UK Data Protection Act 2018 (together, the "UK GDPR"), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA/CPRA").
- Controller means the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. For funnel-visitor data, the operator is the controller.
- Processor means the party that processes personal data on behalf of the controller. For funnel-visitor data, Clyro is the processor.
- Sub-processor means any third party engaged by Clyro to process funnel-visitor data on Clyro's behalf in the course of providing the Service.
- Personal data means any information relating to an identified or identifiable natural person that Clyro processes on the operator's behalf under this DPA.
- Processing means any operation performed on personal data — such as collection, recording, storage, use, disclosure, or deletion — whether or not by automated means.
- Data subject means the identified or identifiable natural person to whom the personal data relates — here, the operator's funnel visitors and leads.
Roles of the parties
For the processing of funnel-visitor data, the operator is the controller and Clyro is the processor. The operator determines the purposes and means of the processing; Clyro processes the data only on the operator's documented instructions and to provide the Service.
This allocation of roles applies to funnel-visitor data only. It does not change Clyro's status as a controller of the operator's own account, billing, and usage data, which is governed by the Privacy Policy.
Details of the processing
The following describes the processing of funnel-visitor data carried out by Clyro on the operator's behalf under this DPA.
| Aspect | Detail |
|---|---|
| Subject matter | Provision of the Clyro funnel-building, hosting, and analytics service to the operator. |
| Duration | For the term of the operator's account. On termination, the personal data is deleted in line with the retention practices set out in the Privacy Policy. |
| Nature and purpose | Hosting and serving the operator's funnels, recording analytics, attributing conversions, capturing leads, running A/B tests, and lead-quality enrichment. |
| Categories of data subjects | The operator's funnel visitors and leads. |
Categories of personal data
The categories of personal data processed depend on how the operator configures the Service, and may include:
| Category | What it includes |
|---|---|
| Identifiers | Name, email address, and phone number submitted in funnel forms. |
| Online identifiers | A device identifier, an anonymized IP address, and fingerprint-derived risk signals. |
| Location data | Country, region, and city, and — where available — precise latitude/longitude and postal code. |
| Internet activity | Page views, clicks, video engagement, and attribution, UTM, and ad-click identifiers. |
| Commercial data | Buyer name and email and payment-provider reference IDs. No card data is processed by Clyro. |
| Inferences | Lead-quality labels derived from submitted data. |
Special categories of data
Clyro does not request, and the Service is not designed to collect, special categories of personal data (such as data revealing health, racial or ethnic origin, religious beliefs, or sexual orientation), or data relating to criminal convictions.
Operators must not use the Service to collect special-category data without putting in place their own appropriate safeguards and ensuring a valid legal basis under applicable data protection law. The operator is responsible for any such data it chooses to collect through its funnels.
Controller (operator) obligations
As the controller of funnel-visitor data, the operator is responsible for:
- Establishing and maintaining a valid lawful basis for the collection and processing of funnel-visitor data through the Service.
- Providing data subjects with all required privacy notices and obtaining any consents required under applicable data protection law.
- Ensuring that its instructions to Clyro for the processing of funnel-visitor data are lawful and that the operator has the right to transfer that data to Clyro for processing.
- Configuring the Service, and any integrations or tracking it adds to its funnels, in a manner that complies with applicable data protection law.
Processor (Clyro) obligations
As the processor of funnel-visitor data, Clyro will:
- Process on documented instructions. Process funnel-visitor data only on the operator's documented instructions — including those set out in this DPA and the Terms of Service — and to provide the Service, unless required to do otherwise by law (in which case Clyro will inform the operator unless legally prohibited).
- Maintain confidentiality. Ensure that personnel authorized to process funnel-visitor data are bound by appropriate confidentiality obligations.
- Assist the operator. Provide reasonable assistance to the operator, taking into account the nature of the processing, with responding to data-subject requests, carrying out data protection impact assessments (DPIAs) and any required prior consultations, and meeting its breach-response obligations.
- Notify of breaches. Notify the operator without undue delay after becoming aware of a personal-data breach affecting funnel-visitor data, with information reasonably available to Clyro to support the operator's own notification obligations.
Technical and organizational security measures
Clyro implements appropriate technical and organizational measures to protect funnel-visitor data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These include:
- Encryption of data in transit.
- Hashing of credentials.
- Encryption of stored third-party integration tokens.
- Workspace-scoped access controls that confine each operator's data to their own workspace.
- CSRF protection on state-changing requests.
- A strict separation between the operator/dashboard domain and the domain on which funnels are served.
- Error monitoring that strips cookies and authentication tokens.
Sub-processors
The operator gives Clyro general authorization to engage the sub-processors listed on the Sub-processors page to process funnel-visitor data in connection with the Service.
Clyro imposes data-protection obligations on each sub-processor that are equivalent to those set out in this DPA, and remains responsible to the operator for each sub-processor's performance of those obligations.
Clyro will give the operator notice of any new sub-processor before that sub-processor begins processing funnel-visitor data. The operator may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection, and if it cannot be resolved the operator may terminate the affected portion of the Service as its remedy.
International data transfers
Clyro and its sub-processors are primarily located in the United States. By using the Service, the operator instructs Clyro to transfer and process funnel-visitor data in the United States and other countries where Clyro or its sub-processors operate.
Where a transfer of funnel-visitor data from the EEA, the United Kingdom, or Switzerland requires an appropriate safeguard, the parties rely on the European Commission's Standard Contractual Clauses (controller-to-processor module) and the UK International Data Transfer Addendum, each of which is incorporated into this DPA by reference and completed with the details of the processing set out above.
Data-subject requests
A data subject must exercise their rights with the operator, who is the controller of the funnel-visitor data. Where Clyro receives a request directly from a data subject relating to funnel-visitor data, Clyro will forward the request to the relevant operator where it can identify them and will not respond to the request itself except on the operator's instructions or as required by law.
Taking into account the nature of the processing, Clyro will provide reasonable assistance to the operator in responding to data-subject requests it receives.
Return and deletion of data
On termination of the operator's account, Clyro will delete or, at the operator's choice, return the funnel-visitor data, unless retention is required by law.
During the term, deleting a workspace or a funnel permanently removes the visitor data associated with it — including the related analytics, visitor records, and form submissions. Clyro's retention practices for funnel-visitor data are described in the Privacy Policy.
Audit and compliance
Clyro will make available to the operator the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to reasonable audits, including inspections, conducted by the operator or an auditor it mandates.
Audits are subject to reasonable prior written notice, must be conducted during normal business hours, must not unreasonably disrupt Clyro's operations, and are subject to appropriate confidentiality obligations.
CCPA terms
To the extent the CCPA/CPRA applies, Clyro processes funnel-visitor data as a "service provider" on the operator's behalf. Clyro will not sell or share that data within the meaning of the CCPA/CPRA.
Clyro will not retain, use, or disclose funnel-visitor data for any purpose other than the specific business purpose of performing the Service for the operator, or as otherwise permitted by the CCPA/CPRA, and will not retain, use, or disclose it outside the direct business relationship between the parties.
Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, and any reference in the Terms of Service to a party's liability means the aggregate liability of that party under the Terms of Service and this DPA together.
Order of precedence
For the processing of funnel-visitor data, this DPA prevails to the extent of any conflict with the Terms of Service. In all other respects the Terms of Service remain in full force and effect.
Contact us
For any question about this DPA, to request a counter-signed copy, or for any data-protection matter, contact Shand Enterprises LLC at team@clyro.io.