Data Processing Agreement

1. Definitions

• Controller: The AdPatterns subscriber who manages ad accounts.
• Processor: AdPatterns, operator of adpatterns.io.
• Personal Data: Any data processed through AdPatterns relating to the Controller's clients or their end users.
• Sub-processors: Third-party services used by the Processor, listed in Schedule 1 below.
• GDPR: EU General Data Protection Regulation 2016/679.

2. Subject Matter and Duration

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the AdPatterns service including ad account change tracking, alerts, reporting, and the ROAS calculator, for the duration of the active paid subscription.

3. Nature and Purpose of Processing

• Storage and retrieval of Meta Ads API data for connected client accounts
• Generation of change logs, reports, and alerts
• Secure transmission of data between the Meta API and the Controller's AdPatterns dashboard
• Display and calculation of performance metrics

4. Categories of Personal Data Processed

• Meta ad account identifiers and account names
• Campaign, ad set, and ad performance data
• Change history: budgets, bids, audiences, creative changes
• AdPatterns user accounts associated with the Controller's workspace (name, email)
• Meta user IDs associated with ad account changes (where provided by the Meta API)

5. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller (i.e., the normal use of the AdPatterns service).
2. Ensure that persons authorized to process Personal Data are under appropriate confidentiality obligations.
3. Implement technical and organizational security measures as required by Article 32 GDPR, including encryption in transit and at rest, access controls, and regular security reviews.
4. Not engage new Sub-processors without notifying the Controller by email with at least 30 days' advance notice. If the Controller objects, they may terminate their subscription within the notice period and receive a prorated refund.
5. Assist the Controller in responding to data subject rights requests insofar as this is possible given the nature of the processing.
6. Delete or return all Personal Data upon termination of the subscription, at the Controller's written request.
7. Notify the Controller within 72 hours of becoming aware of a personal data breach that may affect the Controller's client data.
8. Provide all information reasonably necessary to demonstrate compliance with this DPA upon written request.

6. Controller Obligations

The Controller shall:

1. Ensure they have a lawful basis under GDPR for processing their clients' data through AdPatterns.
2. Ensure that client Meta ad account access is properly authorized by the account owner.
3. Notify the Processor of any data subject requests involving data processed through AdPatterns.
4. Not instruct the Processor to process data in a manner that would violate applicable law or GDPR.

7. Sub-Processors

The current list of Sub-processors is set out in Schedule 1 below. The Processor will provide 30 days' advance notice of any new Sub-processors by email to the Controller's registered email address.

8. International Data Transfers

Some Sub-processors (Stripe, Resend, Meta API) operate in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. Cloudflare participates in the EU-US Data Privacy Framework.

The primary data infrastructure (Hetzner, Germany) is located within the European Union.

9. Governing Law

This DPA is governed by Romanian law and the GDPR as applicable in Romania.

Schedule 1: Sub-Processors

Contact

Questions about this DPA: legal@adpatterns.io

AdPatterns (adpatterns.io).