Data Processing Addendum (DPA)

• Customer is the Controller of personal data included in Customer Data.
• Bristol Website Design Ltd is the Processor.

We process personal data to provide rank tracking, reporting, account administration, support, security, and billing-related service operations. Processing continues for the term of the agreement and deletion/return period.

• Data subjects: Customer's users; and any individuals whose personal data appears in Customer Data (if Customer includes such data).
• Personal data: identifiers (name/email), technical logs, and any personal data included in Customer Data.

We will:

• process personal data only on Customer's documented instructions (including as necessary to provide the Service),
• ensure confidentiality commitments for authorised personnel,
• implement appropriate technical and organisational security measures,
• assist with data subject requests where applicable and feasible,
• notify Customer of personal data breaches without undue delay,
• maintain records as required by law.

Customer authorises subprocessors necessary to deliver the Service. Subprocessors may include (depending on configuration):

• Stripe (payments)
• Hosting: Hetzner and/or internal infrastructure
• DataForSEO (if used)
• Analytics tooling (e.g., Umami) hosted by us/our infrastructure
• CDN/asset providers (as applicable)

We will make available an up-to-date subprocessor list (either in our Privacy Policy or a dedicated page) and will provide notice of material changes where required.

Where transfers outside the UK/EEA occur, we will use appropriate safeguards (e.g., SCCs/UK Addendum) as required.

Upon termination, we will delete or anonymise personal data within a reasonable time, unless retention is required by law.

Liability under this DPA follows the limitation of liability in the Terms, except where prohibited by law.