Data Processing Agreement (DPA)

Last updated: 28 June 2026 · Template (GDPR Art. 28) — review with legal counsel before launch. Accepted in-app when you connect an ad account.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ecom Vision LTD ("Adfure", "Processor") and the customer ("Controller"). It governs the processing of personal data that Adfure carries out on the Controller's behalf when the Controller uses the Service, in accordance with Regulation (EU) 2016/679 (GDPR).

1. Roles

For the advertising and account data the Controller connects (e.g. Meta, Google, TikTok, LinkedIn ad-account data), the Controller is the data controller and Adfure is the data processor. For Adfure's own account/billing data, Adfure is the controller (see the Privacy Policy).

2. Subject matter, duration, nature & purpose

Adfure processes personal data to provide the Service: analysing advertising performance, monitoring accounts, generating creative and reports, and preparing (approval-gated) changes. Processing lasts for the term of the subscription and the limited retention period thereafter.

3. Types of data & data subjects

Types: advertising performance metrics, campaign/creative content, audience and conversion configuration, business economics the Controller enters, and limited identifiers contained in the connected platforms' reporting. Adfure does not seek special-category data.
Data subjects: the Controller's staff/users, and end-users represented in aggregated advertising metrics.

4. Processor obligations

Process personal data only on the Controller's documented instructions (including via the Service's settings), unless required by law.
Ensure persons authorised to process are bound by confidentiality.
Implement appropriate technical and organisational security measures (Art. 32): encryption of tokens at rest (AES-256-GCM), per-tenant isolation, access controls, input/output filtering, rate limiting, and approval-gated actions.
Do not use the Controller's data to train AI models. AI processing is performed under commercial terms with zero-retention options where available.
Assist the Controller with data-subject requests and with security, breach-notification and DPIA obligations, taking into account the nature of processing.
Notify the Controller without undue delay after becoming aware of a personal-data breach.
At the Controller's choice, delete or return personal data at the end of the service, except where retention is legally required.
Make available information necessary to demonstrate compliance and allow for audits (subject to reasonable notice and confidentiality).

5. Sub-processors

The Controller authorises Adfure to engage sub-processors to deliver the Service, currently including: Anthropic and OpenAI (AI processing — no training on Controller data), Stripe (payments), Hetzner (hosting), Cloudflare (CDN/security), Resend (transactional email), and Apify/Firecrawl (public data retrieval for competitor/market features). Adfure imposes data-protection obligations on each sub-processor equivalent to this DPA and remains liable for their performance. Adfure will give notice of intended changes to sub-processors, allowing the Controller to object.

6. International transfers

Where personal data is transferred outside the EEA, Adfure relies on appropriate safeguards such as the EU Standard Contractual Clauses.

7. Liability & term

This DPA is effective for as long as Adfure processes personal data on the Controller's behalf. Liability is subject to the limitations in the Terms of Service. Where this DPA conflicts with the Terms on data-protection matters, this DPA prevails.

8. Acceptance & contact

The Controller accepts this DPA by accepting the Terms and by connecting an ad account in the Service. Data-protection contact: privacy@adfure.com · Ecom Vision LTD, Bulgaria, EU.