Data Processing Agreement
Last updated: May 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", acting as Data Controller) and DropLaunch OS ("DropLaunch", acting as Data Processor). It is offered to satisfy Article 28 of the EU General Data Protection Regulation 2016/679 (GDPR) where DropLaunch processes personal data on behalf of the Customer.
For most consumer accounts, accepting our Terms and Privacy Policy at sign-up is sufficient and this DPA is offered as public reference. Business customers who require a signed counterpart can request one by writing to support@droplaunch.me.
1. Definitions
The terms "personal data", "processing", "data subject", "controller", "processor", "sub-processor" and "supervisory authority" have the meanings given to them in GDPR Article 4.
2. Subject matter & duration
The subject matter of the processing is the provision of the DropLaunch OS Service (account management, AI-driven generation of marketing assets, customer support and billing). The duration coincides with the term of the Customer's subscription, plus the retention periods set out in the Privacy Policy.
3. Nature, purpose & categories of data
- Nature & purpose: collection, storage, retrieval, transmission to AI providers, and deletion of personal data as required to deliver the Service.
- Categories of data subjects: the Customer's end-users (typically the Customer themselves and any team-mates invited to the workspace).
- Categories of personal data: account identifiers, email, names, IP addresses, billing data and any personal data the Customer chooses to submit as input to the generation pipeline.
- Special categories: none are intentionally processed. Customers must not submit special-category data (GDPR Art. 9) through the Service.
4. Obligations of DropLaunch as Processor
DropLaunch shall:
- Process personal data only on documented instructions from the Customer, including with regard to transfers to third countries, unless required to do so by applicable EU law.
- Ensure persons authorised to process the personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures under GDPR Art. 32 (see Annex 1).
- Assist the Customer in responding to data subject requests (GDPR Art. 12–22) through built-in product features and, where insufficient, manual support.
- Assist the Customer with data protection impact assessments and prior consultations (Art. 35–36) on reasonable request.
- Notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach.
- At the Customer's choice, delete or return all personal data after the end of the provision of the Service and delete existing copies, unless applicable EU law requires storage.
- Make available to the Customer all information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits as set out in Section 8.
5. Sub-processors
The Customer grants DropLaunch a general authorisation to engage sub-processors. The current list of sub-processors is published in our Privacy Policy and includes Supabase, Vercel, Stripe, OpenRouter, OpenAI and Google. DropLaunch will give 30 days' prior notice of any intended addition or replacement of sub-processors. The Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a solution; if none is found, the Customer may terminate the Service for the affected component.
DropLaunch imposes on each sub-processor the same data-protection obligations as set out in this DPA, by way of a written contract.
6. International transfers
Where personal data is transferred outside the European Economic Area (e.g. to OpenAI or Google in the US), DropLaunch ensures appropriate safeguards under GDPR Art. 46, in particular the EU Standard Contractual Clauses (Commission Decision 2021/914) or the EU-U.S. Data Privacy Framework, as applicable.
7. Security measures (Annex 1)
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all customer data.
- Strict role-based access control to production systems with mandatory MFA.
- Audit logs for all administrative access and AI generation calls.
- Database backups encrypted and geographically replicated within the EU.
- Private storage buckets with signed-URL distribution (no public asset URLs).
- Row-level security on all multi-tenant tables to prevent cross-account access.
- Vulnerability monitoring and patch management on hosted infrastructure.
8. Audit rights
Once per calendar year, the Customer (or an independent auditor mandated by the Customer and bound by confidentiality) may request a written summary of DropLaunch's technical and organisational measures. On-site audits are available for Agency-plan customers and other commercial agreements, on reasonable prior notice and during normal business hours, at the Customer's cost.
9. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law.
10. Governing law
This DPA is governed by the laws of the European Union, and the dispute-resolution provisions of the Terms of Service apply.
11. Contact & requesting a signed copy
Email support@droplaunch.me with your company name, VAT number and the contracting entity to receive a counter-signed PDF copy of this DPA. We aim to return signed counterparts within 5 business days.
