Skip to content
52loops Logo Go to Home

Data Processing Addendum (DPA)

Last Updated: January 5, 2026

1. Roles and Scope

1.1 Applicability: This DPA applies only where 52loops processes Personal Data subject to the GDPR or UK-GDPR. For CCPA/CPRA, please refer to our Privacy Policy.

1.2 Roles: You are the Data Controller; 52loops is the Data Processor.

1.3 Data Processed:

  • Viewer Data: IP address, device type, watch metrics, and geographic location (inferred from IP).

  • Customer Data: Email, name, and billing address (processed via Polar.sh).

    1.4 Processing Purpose: Solely to deliver video content, provide analytics, and fulfill billing and account obligations.

2. Our Obligations

2.1 Instruction-Based Processing: We process data only to provide the Service as defined in our Terms.

2.2 Confidentiality: All personnel are bound by strict confidentiality obligations.

2.3 Security: We maintain technical measures (HTTPS/HLS encryption) to protect data.

2.4 Breach Notification: We will notify you within 48 hours of becoming aware of a personal data breach.

2.5 Data Deletion: Upon account termination, we delete live personal data within 30 days. Backups are retained for 90 days for disaster recovery and are automatically purged thereafter.

3. Sub-processors

3.1 Current List: You authorize the use of:

  • Cloudflare, Inc. (Global): Storage/Edge Infrastructure.

  • Polar.sh, LLC (USA): Payment processing, billing, and tax compliance.

  • PostHog (EU): Analytics.

  • Brevo (EU/France): Email notification delivery.

    3.2 Objections: We will notify you 14 days in advance of adding new sub-processors. You may object with reasonable justification.

    3.3 Liability: We maintain written contracts with all sub-processors imposing GDPR-equivalent obligations. 52loops remains fully liable for their compliance.

4. International Data Transfers

4.1 Transfers to the US:

  • For Cloudflare: We rely on their EU-U.S. Data Privacy Framework certification (ID #US-4698).

  • For Polar.sh (Polar Software, Inc.): Polar.sh states it maintains active certification under the EU-U.S. Data Privacy Framework and remains subject to enforcement by the U.S. Federal Trade Commission (FTC). While the Privacy Shield framework is no longer a standalone legal basis under GDPR, Polar.sh asserts compliance with its principles and offers independent recourse mechanisms (including binding arbitration) for EU data subjects.

    4.2 Security: Payment data is tokenized; 52loops never stores full credit card numbers.

5. Assistance & Compliance

5.1 Subject Rights: We will promptly notify you of any viewer requests to exercise their GDPR rights and provide reasonable assistance to help you respond.

5.2 DPIAs: We will provide reasonable assistance for your Data Protection Impact Assessments.

6. Compliance Verification (Audit)

Upon 30 days’ written notice, we will demonstrate compliance by providing:

  • Third-party audit reports (e.g., Cloudflare SOC 2 Type II).

  • Internal security policies.

  • Remote audits via screen-share for high-risk concerns.

7. Termination

This DPA survives for 24 months after the termination of the main Terms of Service for data deletion and compliance verification purposes.

  • ACCEPTANCE: By using 52loops, you accept this DPA. EU/UK Customers: During signup, you must actively click “I agree to the DPA” to confirm acceptance.