In the course of providing the Application Services to Customer pursuant to the Agreement, RevenueCat may process Customer Data. “Customer Data” means any data which is defined as ‘personal data’ under Data Protection Legislation processed by RevenueCat pursuant to the Agreement. RevenueCat agrees to comply with the following provisions with respect to Customer Data. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA, “Data Protection Legislation” means, as applicable, the European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organizational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
The parties agree that Customer is the data controller and that RevenueCat is its data processor in relation to Customer Data. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to RevenueCat pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through RevenueCat’s website or through an Ordering Document and provided by RevenueCat to Customer via www.revenuecat.com, or as additionally described in the Agreement or the DPA. The processing will be carried out for the term of the Agreement or until the term of Customer’s ordering of the Application Services ceases. Further details of the data processing are set out in Annex 1 hereto.
- In respect of Customer Data, RevenueCat:
- shall process the Customer Data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to RevenueCat (from time to time) If RevenueCat is required to process the personal data for any other purpose provided by applicable law to which it is subject, RevenueCat will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
- shall notify Customer without undue delay if, in RevenueCat’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
- shall implement and maintain appropriate technical and organizational measures designed to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Data and having regard to the nature of Customer Data which is to be protected;
- may hire other companies or persons for the purposes of providing the Application Services (“Sub-Processors”), provided that RevenueCat complies with the provisions of this DPA. Any such Sub-Processors will be permitted to process Customer Data only to deliver the Application Services RevenueCat has retained them to provide, and they shall be prohibited from using Customer Data for any other purpose. RevenueCat remains responsible for its Sub-Processors’ compliance with the obligations of this DPA. Any Sub-Processors to whom RevenueCat transfers Customer Data will have entered into written agreements with RevenueCat requiring that the Sub-Processor abide by terms substantially similar to this DPA. If Customer requires prior notification of any updates of additional Sub-Processor to the list of Sub-Processors, Customer can request such notification in writing by emailing firstname.lastname@example.org. RevenueCat will update the Sub-Processor list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor’s non-compliance with applicable Data Protection Legislation. If, in RevenueCat’s reasonable opinion, such objections are legitimate, and RevenueCat is unable to modify the Application Services to prevent disclosure of Customer Data to the Sub-Processor, then Customer may, by providing written notice to RevenueCat, terminate the Agreement.
- shall ensure that all RevenueCat personnel required to access the Customer Data are informed of the confidential nature of the personal data and comply with the obligations sets out in this DPA;
- at the Customer’s request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the General Data Protection Regulation taking into account the nature of the processing under this DPA, provided that RevenueCat reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- at the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return to Customer any Customer Data within RevenueCat’s possession or control;
- shall allow, no more than once every 12 months and at Customer’s expense, Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, provided that Customer has given RevenueCat at least 30 days prior written notice and such audit or inspection is conducted during reasonable business hours with minimal disruption to RevenueCat. Such audit may be carried out by Customer or an inspection body mutually agreed upon by the parties and composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality. For the avoidance of doubt no access to any part of RevenueCat’s IT system, data hosting sites or centers, or infrastructure will be permitted as part of an audit or inspection;
- If RevenueCat becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to Customer Data (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Data, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. RevenueCat shall additionally take reasonable steps to mitigate the effects of any Incident;
- RevenueCat shall provide information reasonably requested by Customer to demonstrate compliance with the obligations set out in this DPA.
- To the extent Customer Data that is subject to the General Data Protection Regulation (Regulation (EU) 2016/279) is transferred outside of the European Economic Area (EEA) to RevenueCat, the terms of the Standard Contractual Clauses (available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02010D0087-20161217) will apply where the applicable transfer of Customer Data is (a) not subject to the laws of a jurisdiction recognized by the European Commission as providing an adequate level of protection for personal data; and (b) not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.
Details of the Data Processing
1 Subject Matter, Nature, Purpose
RevenueCat shall process Customer Data to provide the Application Services pursuant to and for the purposes set forth in the Agreement.
The duration of processing will be the same as the duration of the provision of Application Services pursuant to the Agreement.
3 Categories of Individuals
RevenueCat shall process information sent by end users of Customer’s web and mobile applications, identified through Customer’s implementation of the Application Services.
4 Types of Personal Data
As an example, in a standard programmatic implementation, to utilize the Application Services, Customer may allow the following Customer Data to be sent by default as “default properties:”
- Unique device identifier
- Any personally identifiable attribution data attached to the end user by Customer