Data Processing Agreement

Effective date: June 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between growity.ai, operated by Egorsky LLC ("Processor", "we"), and the customer ("Controller", "you") who uses our platform to manage advertising. It governs our processing of personal data on your behalf in accordance with the GDPR and applicable data protection law. Where this DPA conflicts with the Terms on data protection matters, this DPA prevails.

1. Roles of the Parties

For personal data you submit or that is collected through your campaigns, you act as the Controller and we act as the Processor. We process such data only on your documented instructions, including those expressed through your use of the platform, unless required otherwise by law.

2. Subject Matter & Duration

Subject matter: operating, optimizing, and reporting on your advertising campaigns across connected ad platforms.

Duration: for the term of your subscription and the retention periods set out in our Privacy Policy.

Nature & purpose: collection, storage, analysis, and transmission of campaign and account data to deliver the service.

Categories of data subjects: your authorized users and the audiences interacting with your ads.

Types of personal data: account identifiers (name, email), campaign and performance data, and technical identifiers such as IP address.

3. Our Obligations as Processor

  • Process personal data only on your documented instructions.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see Section 5).
  • Assist you, where reasonable, in responding to data subject rights requests and in meeting your security, breach-notification, and impact-assessment obligations.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your data.
  • Delete or return personal data at the end of the engagement, subject to legal retention obligations.
  • Make available information necessary to demonstrate compliance, and allow for audits in line with Section 6.

4. Sub-processors

You grant general authorization for us to engage the sub-processors listed in our Privacy Policy (including Stripe, Google, Telegram, Yandex, Meta, and Brevo). We impose data protection obligations on each sub-processor no less protective than those in this DPA, and we remain responsible for their performance.

We will inform you of intended changes to sub-processors with a reasonable opportunity to object on legitimate data protection grounds.

5. Security Measures

We maintain industry-standard safeguards, including encryption in transit and at rest, access controls on a need-to-know basis, and ongoing monitoring. We do not store ad-platform passwords, authentication tokens, or full card numbers (see the Privacy Policy for details).

6. Audits

On reasonable written request, and no more than once per year unless required by a supervisory authority, we will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and the security of other customers' data.

7. International Transfers

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards such as European Commission–approved Standard Contractual Clauses or transfers to jurisdictions with an adequacy decision, as described in our Privacy Policy.

8. Contact

For DPA-related questions or to request a countersigned copy, contact privacy@growity.ai.