This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the controller) and Zisomedia, trading as Owlsignal ("Processor"). It governs the processing of personal data by Owlsignal on your behalf when you use the service.
Accepting our Terms when you create an account, or sending events from a configured SDK key, constitutes your acceptance of this DPA. A signed PDF version is available on request — email legal@owlsignal.dev from your account address.
"GDPR" means Regulation (EU) 2016/679. "Personal data", "controller", "processor", "sub-processor", "data subject", and "processing" carry the meanings given in Article 4 GDPR.
Owlsignal processes personal data on behalf of the Customer for the duration of the Customer's subscription, plus the retention period defined in section 7. The processing is for the purpose of providing gameplay analytics: event ingestion, aggregation, retention/funnel computation, and dashboard delivery.
Data subjects: end-users of the Customer's game or application ("players").
Categories of personal data: an anonymous device identifier (a hash generated client-side by the Customer's app) and the events that identifier emits — typically session boundaries, progression events, in-game purchases, and error reports. Owlsignal's design excludes direct identifiers (name, email, IP, precise location).
Owlsignal processes personal data only on the Customer's documented instructions. The Customer's instructions are: (a) the configuration the Customer makes in the dashboard, (b) the events the Customer chooses to send via the SDK, and (c) any additional written instructions agreed with Owlsignal. Owlsignal will inform the Customer if, in its opinion, an instruction infringes the GDPR.
Personnel authorized by Owlsignal to process Customer personal data are bound by confidentiality obligations (contractually or by statute).
Owlsignal implements at minimum:
tenant_id) and at the database layer (Postgres Row-Level Security
policies).The Customer authorizes Owlsignal's use of the sub-processors listed in our Privacy Notice. Owlsignal will give at least 30 days' notice before adding or replacing a sub-processor (via in-app banner and email to the account owner). The Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the affected portion of the service.
Owlsignal remains liable to the Customer for the performance of any sub-processor's obligations.
Customer personal data is hosted at rest in the European Union (Supabase eu-central-1, Frankfurt). Where a sub-processor's control plane operates
from outside the EEA (currently Vercel only — see Privacy Notice §3 for the
disclosure), transfers rely on the European Commission's Standard Contractual
Clauses (Decision 2021/914) plus supplementary measures (TLS, encryption at rest,
access logging). The optional AI suggest feature additionally relies on SCCs with
Anthropic, PBC, and only the customer's free-text prompt is sent.
Owlsignal will assist the Customer, taking into account the nature of the processing, in: (a) responding to data subject requests under Articles 12–22 GDPR; (b) ensuring security under Article 32; (c) breach notification under Articles 33–34; (d) data protection impact assessments under Articles 35–36, where applicable.
Owlsignal will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's data, providing the information set out in Article 33(3) GDPR to the extent then known.
Owlsignal will make available to the Customer the information necessary to demonstrate compliance with this DPA. The Customer may, at its own cost and no more than once per calendar year, request an audit conducted by a mutually agreed independent auditor under reasonable confidentiality terms; or rely on equivalent third-party audit reports of Owlsignal's sub-processors where these exist (e.g. Supabase's SOC 2 report).
On termination of the subscription, Owlsignal will, at the Customer's choice, return or delete all Customer personal data within 30 days, subject to retention obligations under EU or Member State law (notably 7-year retention of invoices under Dutch tax law). Aggregated, fully anonymized statistics may be retained.
The liability cap in section 8 of the Terms of Service applies to this DPA. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law (notably administrative fines imposed directly on a controller or processor under Article 83 GDPR).
In the event of a conflict between this DPA and the Terms of Service on matters concerning the processing of personal data, this DPA prevails.
This DPA is governed by Dutch law. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam, the Netherlands.