- effective from October 9, 2025
Please read this Data Processing Agreement carefully. This Data Processing Agreement governs the transfer and processing of personal data by the Provider on behalf of the User and in connection with the Users use of the Growthflicks Service. By setting up an account and clicking [START APP] or using any of the Growthflicks Services which do not require registration, you agree to be bound by this Agreement. If you do not agree to be bound by this Agreement, you may not access or interact with the Growthflicks Service.
This Growthflicks Data Processing Agreement and its Appendices (hereinafter: "DPA") reflects the parties' agreement with respect to the Processing of Personal Data by the Provider (as the Processor) on behalf of the User (as the Controller) in connection with the Users' use of the Growthflicks Service, whereby all bolded terms are further defined below.
This DPA is supplemental to, and forms an integral and indispensable part of the Growthflicks Terms of Service (hereinafter: "Terms" or "Agreement") published on https://growthflicks.com/terms, which apply to and govern the setting-up, use and access of the Growthflicks Service.
This DPA is effective from the moment that the Provider and User enter into the Agreement as described in point 1.1. of said Agreement.
If you do not agree to the terms and clauses of this DPA or the Agreement, you are not authorised to validly register an account with us or authorised for using any of the Growthflicks services which do not require registration and accessing or using the Growthflicks Service, you must immediately stop doing so.
In case of any conflict or inconsistency between the terms and clauses of this DPA and the terms and clauses of the Agreement, this DPA will take precedence over the terms and clauses of the Agreement to the extent of such conflict or inconsistency.
Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
All enquiries regarding this DPA may be directed at [email protected].
By setting up an account and clicking [I agree] or using any of the Growthflicks Services which do not require registration as described in point 1.1. of the Agreement, this DPA is deemed as validly concluded between:
Before your use of the Service, you are asked to dully review, understand and get acquainted with the content of both this DPA and the Agreement.
Any reference to this DPA includes its Appendices.
We may make changes to this DPA at any time by notifying you of the change by email or by posting a notice on the https://growthflicks.com/ website. Unless stated otherwise, any change takes effect from the date set out in the notice. You are responsible for ensuring you are familiar with the last version of this DPA. By continuing to access and use the Growthflicks Service and the https://growthflicks.com/ website from the date on which this DPA is changed, you agree to be bound by the changed DPA.
If you do not agree to the changes, you must notify us immediately whereby we shall proceed with terminating your account and ceasing any and all Data Processing and returning / destroying all Personal Data to you as per the applicable clauses of the Agreement and this DPA.
This DPA was last updated on the 14th of August, 2025
In this DPA all of the bolded terms shall have the same meaning as the defined terms from the Agreement, with the added inclusion of the following terms:
Agreement (also called Terms)
shall mean the Growthflicks Terms of Service published on https://growthflicks.com/terms, which apply to all websites and services that are represented by the Growthflicks (unregistered) trademark and govern the setting-up, use and access of the Growthflicks Service and the https://growthflicks.com/ website and under which certain Personal Data needs to be processed in accordance with this DPA.
Growthflicks Data Processing Agreement (also called DPA)
shall mean this legal agreement that you shall simultaneously enter into together with the Agreement when performing the actions from point 1.1. of the Agreement, and under which the Provider shall be deemed as the Processor and you shall be deemed as the Controller of any and all Personal Data that shall be sent, transmitted or transferred to the Provider directly or through the use of the Growthflicks Service or the https://growthflicks.com/ website for the performance of the Service by you or any third party. This DPA forms a supplemental, integral and indispensable part of the Agreement and your use of the Growthflicks Service and the https://growthflicks.com/ website, whereby this DPA is subject to the provisions of Article 28 of the GDPR.
Controller Personal Data
shall mean any End User Personal Data or any other Personal Data, that the Provider or Subprocessor Processes or shall Process pursuant to or in connection with the Agreement.
Data processing (also Processing)
means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In the context of this DPA, the Provider shall Process the End User Data for which the User is deemed as the Controller in order to provide the Service.
European Economic Area (also called EEA)
shall mean the EU Member States and Iceland, Liechtenstein, and Norway.
End User Personal data
shall mean personal data which relates to a natural or natural persons belonging to a legal person that interacts with the Growthflicks Service as well as any Third party individual personal data.
Subprocessor (or Contracted Subprocessor)
shall mean any person (including any third party and any Provider Affiliate, but excluding an employee of the Provider or any of its subcontractors) appointed by or on behalf of the Provider or any Provider Affiliate to Process Personal Data on behalf of the Provider in connection with the Agreement.
Standard contractual clauses
shall mean the standard data protection clauses for the transfer of Personal Data to Processors established in countries outside of the EEA, where an adequate level of data protection with regards to the GDPR is not ensured on a national and systemic level, as described in Article 46 of the GDPR.
You (also your, User, Controller)
shall mean the legal entity that shall be identified as the registered user of the Service when you, the duly authorised individual representing said entity, register an account (i.e. perform the actions from point 1.1. in the name the company you represent) is bound to this Agreement and the Growthflicks Data Processing Agreement in accordance with the terms herein. The aforementioned also relates to any and all Permitted Users, Personnel, or your User Affiliates. In the context of this DPA you shall be deemed as the Processor of Personal Data.
The Parties seek to implement this DPA in order to achieve compliance with the requirements with the Applicable legislation as it pertains to the Processing of Personal Data and especially Article 28 of the GDPR, which forms the basis under which this DPA is drafted and construed.
Notwithstanding any other provision relating to the term of this DPA, this DPA will take effect on the Star Date and shall remain in force until the Provider has deleted or returned all End User Personal Data to the Controller, whereby it shall be deemed as automatically terminated.
The Provider shall:
For the avoidance of doubt, the Provider shall only use the Controller Personal Data to provide the Service and shall not keep, retain, disclose, make available to third parties, sell or otherwise use the Controller Personal Data for any purpose other than for providing the Service under the Agreement as further described in Appendix 1.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider and each Provider Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
The list of technical and organisational measures that the Provider and each Provider Affiliate offers the Controller under this DPA is included in Appendix 2.
Prior to concluding the Agreement and this DPA, the Controller is required to review and analyse the contents of Appendix 2 with regards to the technical and organisational measures and other security commitments which the Provider offers in connection with the provision of the Service.
The Controller specifically authorises and generally agrees with the Provider and each Provider Affiliate appointing and engaging Subprocessors in accordance with this section 8 and any restrictions in the Agreement.
The Provider and each Provider Affiliate may also continue to use those Subprocessors already engaged by the Provider or any Provider Affiliate at the Start Date, whereby the Provider and Provider Affiliate shall be in each case and as soon as practicable required to ensure that the obligations set out in this section 8. are met by such Subprocessors.
The list of Subprocessor, including details regarding their location and Processing functions is available in Appendix 2 of this DPA and may be updated from time to time by the Provider.
Taking into account the nature of the Processing, the Provider and each Provider Affiliate shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controllers' obligations to respond to requests to exercise Data Subject rights under the GDPR and the Applicable legislation.
The Provider shall:
The Provider shall notify the Controller without undue delay upon the Provider or any Subprocessor becoming aware of a Personal Data Breach affecting the Controller Personal Data, providing the Controller with sufficient information to allowing him to meet any obligations to report or inform the Data Subjects of the Personal Data Breach under the Applicable legislation.
The Provider shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Subject to points 12.2 and 12.3 the Provider and each Provider Affiliate shall promptly and in any event within 30 (thirty) business days of the date of termination of the Agreement (i.e. termination by either the Controller or the Provider under the applicable clauses of the Agreement) delete and procure the deletion of all copies of those Controller Personal Data, that are listed as being stored in Appendix 1, thereby permanently removing all copies and instances of such data in the Provider's systems. By notifying the Provider prior to termination of the Agreement, the Controller and Provider may also arrange for the transfer of such data to the Controller prior to deletion.
The Provider and each Contracted Processor may retain Controller Personal Data to the extent required by Applicable legislation and only to the extent and for such period as required by the Applicable legislation and always provided that the Provider and each Provider Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable legislation requiring its storage and for no other purpose.
Without prejudice to any applicable Standard contractual clauses which may have been entered into on the basis of this DPA:
With regard to the subject matter of this DPA and in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Under or in connection with the Agreement, this DPA or any Standard contractual clauses which may have been concluded in connection with this DPA and regardless of the type of liability, the parties hereby agree, that the total combined liability of the Provider and the Provider Affiliate towards the Controller, the Controller Affiliate or towards both, shall be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement.
The aforementioned shall not affect each parties liability to Data subjects under the GDPR or Applicable legislation or any Standard contractual clauses which may have been concluded in connection with this DPA so that such limitation of liability or liability cap would directly breach the GDPR or the Applicable legislation.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
For any questions about this Data Processing Agreement, please contact us at [email protected]