Data Processing Agreement
This DPA applies whenever an advertiser is subject to GDPR or UK-GDPR — i.e. processes personal data of EU or UK residents. It supplements the Terms of service and forms part of the contract between you and Ads4Founders.
1. Roles
For any personal data the advertiser uploads (e.g. customer email captured on the destination URL via Stripe attribution), the advertiser is the Controller and Ads4Founders is the Processor. For analytics on the marketplace itself (visit logs, click classification, leaderboard rankings), Ads4Founders is the Controller.
2. Scope and purpose
- Display the advertiser's ad on the marketplace grid.
- Measure clicks and signups attributed to the slot (per /methodology/click-fraud and /methodology/traffic).
- Bill the advertiser via Dodo Payments.
3. Processing instructions
Ads4Founders processes Controller's personal data only on documented instructions from the Controller — i.e. what the Controller configures via the dashboard (slot settings, destination URL, Stripe connect scope) and these Terms. We do not process Controller's data for our own purposes. We notify the Controller if a legal requirement prevents us from following an instruction.
4. Confidentiality
Personnel with access to Controller's personal data — currently Jorge alone — are bound by contractual confidentiality. New hires (if any) execute a confidentiality commitment before access is granted.
5. Security measures
TLS in transit, AES-256 encryption at rest, row-level security at the database layer, MFA available on every account and required for admin role, audit logging on every mutation, webhook signature verification. Full inventory and incident-response procedure in the Privacy policy §security.
6. Sub-processors
Current sub-processors are listed in the Privacy policy §sub-processors — Supabase, Dodo Payments, PostHog (self-hosted), Stripe (only if Controller connects), Vercel.
The advertiser is notified of new sub-processors by email and dashboard banner, with a 30-day right to object. If the objection cannot be resolved by replacing the sub-processor or providing additional safeguards, the advertiser may terminate without penalty for the remainder of the billing period.
7. Data subject requests
If a data subject contacts Ads4Founders with a GDPR rights request (access, correction, deletion, portability, objection) that pertains to Controller's data, Ads4Founders forwards the request to the Controller within 5 business days and does not respond substantively. We provide reasonable assistance to the Controller in fulfilling the request.
8. Breach notification
Personal data breach affecting Controller's data: notification within 72 hours of detection, including the categories of data and approximate number of records affected, the likely consequences, the measures taken or proposed, and a contact for follow-up. Notification is sent to the email on file and posted to the dashboard.
9. Audits
The Controller may, at most once per 12 months, request a written audit response covering security and processing controls. Ads4Founders responds within 30 days. If the Controller requires a third-party on-site audit (e.g. for regulated industries), the Controller bears the cost and gives 60 days' notice. Sub-processor audit reports (SOC 2, ISO 27001) are passed through where Ads4Founders has them.
10. International transfers
Where Controller's personal data is transferred outside the EEA / UK, the EU Standard Contractual Clauses (Module 2: Controller → Processor; Module 3: Processor → Processor where onward transfer occurs) are incorporated by reference. UK Addendum applies for UK-origin data. Transfer impact assessments are available on request to privacy@ads4founders.com.
11. Return or deletion of data
On termination, all Controller personal data is deleted — 30-day soft delete (data recoverable on request) followed by anonymized aggregates only — unless retention is required by law (e.g. tax records under /legal/vat). The Controller may export their data via the dashboard or by request before termination.
12. Governing law
This DPA is governed by the law and venue specified in the Terms of service §11 (Spain, courts of Madrid).
13. Contact
DPA-specific requests: privacy@ads4founders.com. General contact: Jorge directly via /contact.