FP FeedPilot
Why different How it works Features Pricing Partners FAQ
Sign in Get FeedPilot
Data Processing Agreement

How we process data on your behalf.

Last updated 6 June 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you or the organization you represent (the "Controller") and the FeedPilot operating entity to be confirmed before paid launch (the "Processor"). It applies where FeedPilot processes personal data on the Controller's behalf in connection with the Service. For individual consumer use, FeedPilot normally acts as an independent controller and the Privacy Policy applies. Personal data processed under this DPA is "Controller Personal Data".

1. Roles, scope, and instructions

The Processor processes Controller Personal Data only on documented instructions from the Controller, including instructions in the Terms, this DPA, product settings, and support requests. The Processor will not sell Controller Personal Data, use it for advertising profiles, or process it for any purpose other than providing, securing, and supporting the Service. Product improvement uses only aggregated or de-identified information unless the Controller gives separate lawful instructions.

The subject matter is user-directed feed scoring, goal alignment, session reporting, account syncing, entitlement management, and related support. The duration is the term of the Controller's use of the Service plus the limited period needed for deletion, backup expiry, legal compliance, and dispute resolution.

2. Nature and purpose of processing

Processing consists of receiving, hosting, transmitting, scoring, summarizing, storing, deleting, and returning Controller Personal Data as needed to operate the Service. FeedPilot works after a feed is rendered to the user. It does not require social media passwords, cookies, session tokens, or server-side operation of the user's social account.

3. Categories of data and data subjects

  • Data subjects. Controller account holders, authorized users, and people whose content is visible in feed items processed during an authorized session.
  • Account and entitlement data. Email address, authentication identifiers, plan status, extension connection data, saved goals, settings, and usage counters.
  • Feed-session data. Minimal item features selected by the user-controlled session, such as caption text, on-screen text, likely author, hashtags, mentions, engagement counts, media type, duration, platform, and, only where enabled, one downscaled frame for visual classification. Raw feed frames are not stored.
  • Output data. Goal-fit scores, risk scores, confidence scores, explanations, action decisions, session summaries, reports, and feed convergence analytics.
  • Support and security data. Support messages, diagnostic metadata, request metadata, security logs, and records needed to protect the Service.
  • Sensitive data. FeedPilot does not require special-category data. If a Controller or user includes health, political, religious, sexual-orientation, child-related, or other sensitive data in goals or feed sessions, the Controller is responsible for having a lawful basis and appropriate safeguards for that use.

4. Confidentiality

The Processor will ensure that personnel authorized to process Controller Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.

5. Security measures

The Processor implements appropriate technical and organizational measures, taking into account the nature, scope, context, and risk of the processing. Measures include encryption in transit, access controls, least-privilege handling of secrets, data minimization, separation between local and cloud processing, restricted administrative access, secure deployment practices, logging for security and reliability, and backup and recovery controls. Free on-device classification keeps item data on the user's device.

6. Sub-processors

The Controller gives general authorization for the Processor to engage sub-processors for hosting, authentication, model inference, payments, email, support, security, and infrastructure. The Processor will impose data-protection obligations on each sub-processor that are materially equivalent to those in this DPA. A current sub-processor list will be made available on request and published before paid launch. The Processor will give reasonable notice of intended material changes so the Controller may object on reasonable data-protection grounds. Payment providers may also act as independent controllers for regulated payment processing, fraud prevention, and compliance.

7. International transfers

Where Controller Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland, the parties will rely on an adequacy decision or appropriate safeguards, including the European Commission's Standard Contractual Clauses where required. The Processor will take reasonable steps to support transfer impact assessments where applicable.

8. Data subject requests and controller assistance

Taking into account the nature of the processing, the Processor will assist the Controller with requests to access, rectify, erase, restrict, port, or object to processing of Controller Personal Data. The Processor will also assist, as reasonably required, with security obligations, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

9. Personal data breaches

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data. The notice will include information reasonably available to the Processor, including the nature of the incident, affected data, likely consequences, mitigation steps, and contact point.

10. Return and deletion

On termination or written request, the Processor will delete or return all Controller Personal Data in active systems, unless Union or Member State law requires retention. Product data that can be deleted includes cloud reports, synced goals, settings, account metadata, session summaries, and feed convergence analytics. Local extension data can be exported or cleared by the user from the extension. Raw feed frames, social passwords, cookies, and session tokens are not deleted from FeedPilot because they are not stored by FeedPilot.

Backup copies are overwritten or deleted in the ordinary backup cycle. The Processor may retain only the data it is legally required to keep, such as billing, tax, fraud-prevention, security, or legal-claims records, and only for the required period.

11. Audits and compliance information

The Processor will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits required by applicable data-protection law. Audits must be conducted with reasonable notice, during normal business hours, and under confidentiality and security conditions that protect the Service and other users.

12. Controller responsibilities

The Controller is responsible for its own lawful basis, user notices, instructions, account configuration, platform-law compliance, and decisions about goals, autonomy settings, and any sensitive data included in the Service. The Controller must not instruct the Processor to process personal data unlawfully.

13. Order of precedence

If this DPA conflicts with the Terms, this DPA controls only for the processing of Controller Personal Data. All other matters remain governed by the Terms.

To request a countersigned copy once finalized, contact [email protected].

FPFeedPilot

Control your feed before it controls you.

Product

How it worksFeaturesPricing

Company

Why differentPartnersPrivacyFAQ

Legal

TermsPrivacy PolicyDigital AutonomyDPA

Contact

Support Partnerships
Copyright 2026 FeedPilot. All rights reserved. Contact: [email protected]
FP

Welcome back

Sign in to sync your goal and reports across browsers.

or

New to FeedPilot?

Protected by Supabase Auth and Stripe Checkout.

Use your FeedPilot account to manage subscriptions, invoices, and reports.