Data processing agreement
Last updated: 3 July 2026 · forms part of the Terms
In plain words
- Your customers’ data is yours. When Macromuffin handles it to run your business, we act only on your instructions.
- We protect it with the same security as everything else, tell you fast if something goes wrong, and delete or return it when you leave.
- Our sub-processors are listed publicly and we give notice before adding any.
1. Roles & scope
For personal data belonging to your business’s end customers (“Customer Data”), you are the controller and Macromuffin is the processor. This DPA applies whenever the service processes Customer Data and incorporates UK GDPR and EU GDPR Article 28 requirements.
2. Processing details
| Subject matter | Operating your business on the Macromuffin platform |
|---|---|
| Duration | The term of your subscription plus the export window in the Terms |
| Nature & purpose | Hosting, sending and receiving communications, support handling, analytics, and AI processing needed to run your business per your configuration |
| Data categories | Contact details, account and order records, support correspondence, usage data of your customers, as determined by you |
| Data subjects | Your customers, subscribers, and prospects |
3. Our commitments
- Instructions only. We process Customer Data only on your documented instructions (including the autonomy settings you configure), unless law requires otherwise, in which case we tell you first where permitted.
- Confidentiality. People authorised to process Customer Data are bound by confidentiality.
- Security. We apply the measures described in the Privacy policy’s Security section (encryption at rest and in transit, gated and logged external actions, envelope-encrypted keys) as our technical and organisational measures.
- Assistance. We help you respond to data-subject requests and meet your security, breach, and impact-assessment obligations, using the product’s export, deletion, and audit-trail tooling.
- Breach notice. We notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, with the information you need for your own notifications.
- Deletion & return. On termination we delete or return Customer Data per the Terms’ export window, except where law requires retention.
- Audit. We make available information reasonably necessary to demonstrate compliance, and allow audits as required by Article 28, on reasonable notice.
4. Sub-processors
You authorise the sub-processors listed at /legal/subprocessors (model providers, payments, hosting, monitoring, and email delivery). We’ll give 14 days’ notice before adding one; if you reasonably object, you may terminate the affected service. We remain responsible for our sub-processors’ performance.
5. International transfers
Transfers of Customer Data outside the UK/EEA are made under the UK IDTA or EU SCCs (as applicable), which are incorporated into this DPA, with supplementary measures where needed. AI processing of Customer Data may occur outside the UK/EEA under these safeguards; a choice of processing region is not offered in this version.
6. Liability
Liability under this DPA is subject to the limitations in the Terms, to the extent the law allows.