Skip to main content
🚀 We just launched on Product Hunt! Check it out →

Data Processing Agreement

Last updated: March 15, 2026

This DPA applies when you (“Controller”) use GetLaunchDay (“Processor”) to collect or process personal data from your end users. Enterprise customers can request a countersigned copy at legal@getlaunchday.com.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
  • "Controller" means you, the GetLaunchDay customer who determines the purposes and means of processing.
  • "Processor" means GetLaunchDay Inc., which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means a third party engaged by the Processor to assist in processing.

2. Scope of processing

The Processor shall process Personal Data only to the extent necessary to provide the Service as described in the Terms of Service, and in accordance with the Controller's documented instructions.

Categories of data processed include:

  • Contact information (name, email address) of landing page visitors and waitlist signups.
  • Survey responses and form submissions collected through the Service.
  • Usage data and analytics generated from visitors interacting with landing pages.
  • Communication data (email opens, clicks) from email sequences.

3. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorized to process the data have committed to confidentiality.
  • Implement appropriate technical and organizational security measures (see Security page).
  • Assist the Controller in responding to data subject requests (access, deletion, portability).
  • Delete or return all Personal Data at the end of the service engagement, upon request.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall:

  • Maintain an up-to-date list of sub-processors (available at /gdpr).
  • Notify the Controller of any intended additions or replacements 30 days in advance.
  • Ensure sub-processors are bound by data protection obligations no less protective than this DPA.

5. International transfers

Where Personal Data is transferred outside the EEA, the Processor shall ensure appropriate safeguards, including EU Standard Contractual Clauses (SCCs), are in place. The Controller may request EU data residency.

6. Security measures

The Processor implements and maintains the security measures described on our Security page, including but not limited to:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Access controls with role-based permissions and multi-factor authentication.
  • Regular penetration testing and vulnerability scanning.
  • Incident response procedures with 72-hour breach notification.

7. Data breach notification

The Processor shall notify the Controller without undue delay (and within 72 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, estimated number of affected data subjects, likely consequences, and measures taken to mitigate.

8. Audit rights

The Controller may audit the Processor's compliance with this DPA once per year, with 30 days' advance written notice. The Processor shall cooperate and provide reasonable access to relevant documentation and systems.

9. Term and termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, the Processor shall delete all Personal Data within 30 days unless retention is required by law.

Contact

For DPA inquiries or to request a countersigned copy:

GetLaunchDay Legal Team

Email: legal@getlaunchday.com

DPO: dpo@getlaunchday.com

GDPR Commitment →Privacy Policy →Security →