
Data Processing Agreement

Last updated: March 2026

1. Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Uniqsale ("Data Processor") and governs the processing of personal data in connection with our Services.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person processed through the Services.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
  • Data Subject: An individual whose Personal Data is processed.
  • Sub-processor: A third party engaged by Uniqsale to process Personal Data.
  • GDPR: The General Data Protection Regulation (EU) 2016/679.

3. Scope of Processing

Uniqsale processes Personal Data on your behalf for the following purposes:

  • Tracking user interactions via the SDK (anonymous identifiers, behavioral data)
  • Experience assignment and personalization
  • Analytics and insight generation
  • AI-powered experience recommendations

Categories of data subjects include your website visitors and end users. Categories of personal data include anonymous identifiers (sdk_id), behavioral data (page views, interactions), and device/browser information.

4. Processor Obligations

Uniqsale agrees to:

  • Process Personal Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests (access, deletion, portability)
  • Notify you of data breaches without undue delay (within 72 hours)
  • Delete or return Personal Data upon termination of the agreement
  • Make available information necessary for compliance audits
  • Inform you if an instruction infringes data protection law

5. Controller Obligations

You agree to:

  • Ensure you have a lawful basis for processing (consent, legitimate interest, etc.)
  • Provide clear instructions for data processing
  • Maintain appropriate privacy notices for your end users
  • Respond to Data Subject requests in a timely manner
  • Notify Uniqsale of any changes to processing instructions

5.1 Consent Requirements for SDK Deployment

Prior to enabling the Uniqsale SDK on your Customer Site, you MUST:

(a) Determine whether your end users include residents of the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring consent for analytics/tracking technologies;

(b) If such users may be present, implement a consent management solution (e.g., cookie banner) that:

  • Obtains affirmative opt-in consent before the Uniqsale SDK loads
  • Clearly discloses that behavioral tracking and personalization will occur
  • Allows users to withdraw consent at any time

(c) Configure the Uniqsale SDK to load conditionally based on user consent status;

(d) Maintain records of consent as required by applicable law;

(e) You acknowledge that Uniqsale, as Data Processor, cannot obtain consent directly from your end users. Failure to obtain required consent is solely your responsibility, and you shall indemnify Uniqsale against any claims arising from your failure to do so.

6. Sub-processors

You authorize Uniqsale to engage sub-processors to assist in providing the Services. Current sub-processors include:

  • MongoDB, Inc. - Database hosting
  • OpenAI, LLC - AI processing (aggregated data only)
  • Clerk, Inc. - Authentication services

We will notify you of changes to sub-processors 14 days in advance. You may object to a new sub-processor on reasonable data protection grounds within 14 days of notification.

7. Security Measures

Uniqsale implements appropriate security measures including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication requirements
  • Regular security assessments and vulnerability testing
  • Incident response procedures
  • Employee security training
  • Physical security at data centers

8. Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with equivalent protection
  • Other approved transfer mechanisms under GDPR

Contact us for copies of relevant transfer agreements.

9. Data Subject Rights

We will assist you in fulfilling Data Subject requests including:

  • Right of access - providing copies of personal data
  • Right to rectification - correcting inaccurate data
  • Right to erasure - deleting personal data
  • Right to restriction - limiting processing
  • Right to data portability - exporting data in machine-readable format
  • Right to object - stopping certain processing activities

We provide APIs for data export and deletion. Contact us at support@uniqsale.ai to initiate requests.

10. Data Retention

We retain Personal Data for the period necessary to provide the Services:

  • Behavioral data (SDK events): Up to 24 months
  • Account data: Duration of account plus 30 days
  • Aggregated/anonymized data: Indefinitely (no longer personal data)

Upon request or termination, we will delete Personal Data within 30 days unless legally required to retain it.

11. Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We will provide necessary information and allow for inspections, subject to confidentiality obligations and reasonable scheduling. We may satisfy audit requirements through third-party certifications (SOC 2, ISO 27001) where available.

12. Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay (within 72 hours of becoming aware). The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

13. Term and Termination

This DPA remains in effect for the duration of the Services agreement. Upon termination, we will delete all Personal Data within 30 days, unless you request data return or legal retention is required. Provisions regarding confidentiality and liability survive termination.

14. Contact

For DPA inquiries, data subject requests, or to request a signed copy:

  • Email: support@uniqsale.ai

© 2026 Uniqsale. All rights reserved.
