Data Processing Agreement

• Controller — the customer (you) using DropFix
• Processor — DropFix
• Effective date — the date you accepted our Terms of Service

This DPA is automatically incorporated into the Terms of Service. No separate signature is required.

• Personal Data — information that can identify a natural person
• Processing — any operation performed on Personal Data
• Data Subject — the individual whose data is processed
• Sub-processor — a third party we engage to process Personal Data
• GDPR — EU General Data Protection Regulation 2016/679
• CCPA — California Consumer Privacy Act
• DPDP Act— India's Digital Personal Data Protection Act 2023

3.1 Subject matter and purpose

DropFix processes Personal Data only to provide the service to the Controller: churn detection, behavioral scoring, AI-drafted retention emails, and the integrations the Controller chooses to enable.

3.2 Categories of data subjects

• The Controller's end users (tracked via the SDK)
• The Controller's team members with DropFix access

3.3 Types of personal data

• User identifiers and contact info you choose to send via identify()
• Behavioral events: page views, clicks, feature usage, session timestamps
• Subscription state from billing integrations (plan, MRR, trial dates)
• Free-text notes you add about specific users

DropFix shall:

• Process Personal Data only on the Controller's documented instructions (using the service constitutes such instruction)
• Keep Personal Data confidential and limit access to personnel who need it
• Implement appropriate technical and organizational security measures (see Section 6)
• Notify the Controller of any Personal Data breach within 72 hours of discovery
• Assist the Controller with data-subject rights requests (access, deletion, etc.)
• Return or delete all Personal Data within 30 days of contract termination
• Make information necessary to demonstrate compliance available on request
• Not engage new Sub-processors without 30 days' advance notice (see Section 7)

The Controller shall:

• Have a lawful basis (consent, legitimate interest, etc.) for collecting the data they send to DropFix
• Tell their end users in their own privacy notice that they use DropFix for retention purposes
• Respond to data-subject rights requests from their end users
• Configure DropFix's privacy settings appropriately
• Not use DropFix to process special-category data (health, race, etc.)

DropFix implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption of data in transit (TLS 1.2+) and at rest
• Encrypted storage of Gmail / Slack OAuth tokens and Stripe Restricted API Keys (AES-256-GCM)
• Role-based access controls with two-factor authentication
• Network isolation and least-privilege access
• Regular vulnerability scanning and dependency audits
• Logging and monitoring of access to Personal Data

Full details are on the Security page.

DropFix engages a small number of Sub-processors to deliver the service. They fall into these categories:

• Cloud hosting and database providers (for application and data storage)
• Payment processor (Stripe — when you subscribe to a paid plan)
• Transactional email provider (for digests, alerts, and account emails)
• AI provider (for generating win-back drafts from anonymised signals only)
• Optional integrations you explicitly connect: Google (Gmail), Slack

The current list of named Sub-processors is available on request — email privacy@dropfix.in. We give 30 days' written notice of any new Sub-processor; you can object during that period.

If a data subject contacts DropFix directly about their personal data, we'll forward the request to you within 5 business days. We'll help you respond to requests for access, correction, deletion, restriction, portability, and objection.

If DropFix becomes aware of a Personal Data breach affecting the Controller's data, we will:

• Notify the Controller within 72 hours of discovery
• Provide all available details: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation steps
• Cooperate with the Controller's investigation and breach-notification obligations to regulators and data subjects

Where DropFix or its Sub-processors transfer Personal Data outside the EEA, UK, or other restricted jurisdictions, we use Standard Contractual Clauses (or equivalent safeguards) as required by applicable law.

Once per year, on at least 30 days' written notice and during business hours, the Controller may audit DropFix's compliance with this DPA. We'll respond to reasonable audit requests in writing and provide compliance documentation. The Controller bears reasonable audit costs.

Within 30 days of contract termination — or earlier on the Controller's request — DropFix will delete or return all Personal Data, except where retention is required by law. Backups containing deleted data roll out within 30 days.

Each party's liability under this DPA is subject to the limitations in the main Terms of Service.

This DPA remains in effect as long as DropFix processes Personal Data on your behalf. It automatically terminates with the Terms of Service.

This DPA is governed by the laws of India, without regard to conflict-of-law principles, and is subject to the dispute-resolution provisions of the Terms of Service.