Opinly.ai Data Processing Agreement
Effective Date: June 15, 2026
This Data Processing Agreement (the “DPA”) forms part of, and is incorporated by reference into, the Opinly Terms of Service (the “Agreement”) entered into between Opinly.ai (“Opinly”, “we”, “us”, or “Processor”) and the customer identified in the relevant account or order form (“Customer”, “you”, or “Controller”). It governs Opinly’s processing of Personal Data on behalf of Customer in connection with the Services, including (without limitation) the Opinly Pixel, web analytics, conversion tracking, and lifecycle messaging features.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict, solely with respect to the processing of Personal Data.
1. Definitions
Capitalised terms used but not defined in this DPA have the meaning given to them in the Agreement. In addition:
- “Applicable Data Protection Law” means all laws and regulations of any jurisdiction applicable to the processing of Personal Data under this DPA, including the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable U.S. state privacy laws, in each case as amended or replaced from time to time.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-processor”, and “Personal Data Breach” have the meanings given to them under the EU GDPR (or, where applicable, the equivalent terms under UK GDPR or CCPA/CPRA such as “Business”, “Service Provider”, and “Consumer”).
- “Customer Data” means any Personal Data that Opinly Processes on behalf of Customer under the Agreement, including data collected through the Opinly Pixel from Customer’s website visitors and end users.
- “End User” means a visitor to, or user of, Customer’s website, application, or other property on which the Opinly Pixel or other Services have been deployed.
- “Opinly Pixel” means the JavaScript tag, snippet, SDK, or server-side endpoint provided by Opinly that Customer installs on its properties to collect analytics and conversion events.
- “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021 (the “EU SCCs”); and (ii) the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 (the “UK IDTA Addendum”), in each case as amended or replaced.
2. Roles of the Parties
The parties acknowledge and agree that, with regard to the Processing of Customer Data under this DPA, Customer acts as Controller (or, where relevant, Business) and Opinly acts as Processor (or Service Provider). Where Customer itself acts as a Processor on behalf of a third-party Controller (for example, where Customer is an agency operating the Services on behalf of one of its own customers), Opinly acts as a Sub-processor and Customer warrants that it has authority from the relevant Controller to instruct Opinly to Process the relevant Personal Data on the terms set out in this DPA.
Opinly will not sell or share Customer Data (as those terms are defined under CCPA/CPRA) and will not retain, use, or disclose Customer Data for any purpose other than the specific purposes described in this DPA and the Agreement, including for any commercial purpose other than providing the Services. Opinly certifies that it understands and will comply with the restrictions in this paragraph.
3. Subject Matter, Nature, Purpose, and Duration
3.1 Subject matter. The subject matter of the Processing is Opinly’s provision of the Services to Customer, including the operation of the Opinly Pixel, web and conversion analytics, dashboarding, attribution, lifecycle messaging, AI-assisted content tooling, and related features.
3.2 Nature and purpose. Opinly will Process Customer Data for the purpose of (a) providing, securing, maintaining, supporting, and improving the Services; (b) complying with Customer’s documented instructions, including the configuration options exposed through the Services; (c) complying with Applicable Data Protection Law and other legal obligations to which Opinly is subject; and (d) producing aggregated and de-identified statistics from which no individual can reasonably be identified.
3.3 Duration. Opinly will Process Customer Data for the duration of the Agreement and any post-termination period during which Opinly retains Customer Data in accordance with Section 10 below.
4. Categories of Data Subjects and Personal Data
4.1 Data Subjects. Customer Data may relate to the following categories of Data Subjects: (a) End Users of Customer’s websites, applications, and other properties on which the Opinly Pixel or other Services are deployed; (b) Customer’s own personnel, contractors, and Authorised Users who interact with the Services; and (c) any other Data Subjects whose Personal Data Customer chooses to submit to the Services.
4.2 Categories of Personal Data. Personal Data collected through the Opinly Pixel may include, depending on Customer’s configuration:
- Online identifiers: anonymous visitor identifier (an Opinly-issued cookie or first-party storage ID), session identifier, truncated or hashed IP address, and browser/device user agent.
- Event data: URL of pages viewed, referrer, page-view and click events, custom event names and properties supplied by Customer, UTM parameters, click-IDs (for example gclid, fbclid, rdt_cid), and ecommerce values such as revenue and currency.
- Approximate location: two-letter country code derived from IP address (no precise geolocation is collected by the Pixel).
- Identified visitor data: where Customer chooses to identify an End User through the Pixel’s identify call, the email address, external user ID, and/or any other properties that Customer explicitly passes.
- Authorised User data: the name, email address, phone number (where provided), and account credentials of Customer’s personnel who use the Services.
Customer remains responsible for determining what categories of Personal Data it chooses to collect, transmit, and instruct Opinly to Process through the Services. Customer must not knowingly send Opinly any “special categories of personal data” (Article 9 GDPR), Protected Health Information, payment card data, government identifiers, biometric identifiers, precise geolocation, or any data of children under 13 (or, in the EEA/UK, under 16) through the Opinly Pixel without first putting an appropriate written agreement in place with Opinly.
5. Customer Instructions and Responsibilities
5.1 Documented instructions. Opinly will Process Customer Data only on documented instructions from Customer, including with regard to transfers of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, unless required to do so by EU, Member State, or other applicable law to which Opinly is subject. The Agreement (including this DPA), the configuration options Customer selects within the Services, and any written instructions Customer provides to Opinly in connection with the Services together constitute Customer’s complete documented instructions.
5.2 Customer compliance. Customer represents and warrants that: (a) it has provided, and will continue to provide, all notices and obtained and will obtain all consents and rights necessary under Applicable Data Protection Law for Opinly to Process Customer Data and provide the Services, including by deploying the Opinly Pixel on Customer’s properties and by triggering identify and conversion events; (b) its instructions to Opinly regarding the Processing of Personal Data comply with Applicable Data Protection Law; and (c) it is solely responsible for the lawfulness of the Personal Data it provides to Opinly and for compliance with all applicable cookie, e-privacy, and consent-management requirements (including obtaining consent through a consent management platform where required).
5.3 Consent disclosures. Customer is responsible for publishing a clear and accurate privacy notice on each property on which the Opinly Pixel is deployed, identifying Opinly as a Processor / Service Provider and describing the categories of Personal Data collected and the purposes of Processing. Opinly will, on request, provide reasonable supporting information to assist Customer in preparing such notices.
5.4 Unlawful instructions. Opinly will inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Law, in which case Opinly may suspend performance of the relevant instruction until Customer modifies or confirms it.
6. Confidentiality
Opinly will ensure that personnel authorised to Process Customer Data are subject to appropriate obligations of confidentiality (whether contractual or statutory), and will limit access to Customer Data to personnel who require such access for the purposes of providing the Services.
7. Security of Processing
Opinly will implement and maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the Processing of Customer Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. A summary of those measures is set out in Annex II below.
Opinly will regularly review and, where appropriate, update those measures to maintain compliance with Applicable Data Protection Law. Opinly may update or modify the measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
8. Sub-processors
8.1 General authorisation. Customer provides Opinly with general written authorisation to engage Sub-processors to Process Customer Data in connection with the Services. A current list of Sub-processors, together with the function each performs and the country in which it Processes Customer Data, is set out in Annex III below and is available on request from support@opinly.ai.
8.2 Changes. Opinly will inform Customer of any intended addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes on reasonable grounds relating to data protection. If Customer objects in writing within 14 days of receiving notice of the change, the parties will work together in good faith to find a workable solution. If no such solution can be agreed, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services on written notice to Opinly.
8.3 Flow-down obligations. Opinly will impose written obligations on each Sub-processor that are no less protective of Customer Data than those set out in this DPA, and will remain liable to Customer for the acts and omissions of its Sub-processors that cause Opinly to breach its obligations under this DPA.
9. International Transfers
Customer acknowledges that Opinly and its Sub-processors may Process Customer Data in the United States and in other countries outside the European Economic Area, the United Kingdom, and Switzerland. To the extent any such transfer is a “restricted transfer” under Applicable Data Protection Law, the parties agree that:
- the EU SCCs (module 2, Controller-to-Processor, or module 3, Processor-to-Processor, as applicable) are hereby incorporated by reference and apply to such transfers from the EEA; with the optional docking clause enabled, “Option 1” chosen in Clause 9(a) (general written authorisation), Clause 17 governed by the law of Ireland, Clause 18 specifying the courts of Ireland, and Annexes I, II, and III populated by reference to the Annexes to this DPA;
- the UK IDTA Addendum is hereby incorporated by reference and applies to transfers from the United Kingdom, with Tables 1, 2, and 3 completed by reference to the Annexes to this DPA and Table 4 leaving the “neither party” option selected;
- for transfers from Switzerland, the EU SCCs apply with references to “EU Member State law” or “supervisory authority of an EU Member State” read as references to the Federal Act on Data Protection and the Swiss Federal Data Protection and Information Commissioner, respectively.
Where, in the future, an alternative transfer mechanism (such as an adequacy decision or a successor framework to the EU–US Data Privacy Framework) becomes available and applicable to the parties, the parties will work together to rely on that mechanism where appropriate.
10. Return and Deletion of Customer Data
Upon termination or expiry of the Agreement, Opinly will, at Customer’s election (notified in writing within 30 days of termination), either delete or return all Customer Data in its possession or control, and delete existing copies, unless retention of all or part of the Customer Data is required by applicable law, in which case Opinly will retain such Customer Data only for so long as required and will continue to protect it in accordance with this DPA.
During the term of the Agreement, Customer may delete Customer Data, including data collected through the Opinly Pixel, using the deletion tools made available within the Services or by submitting a written request to support@opinly.ai.
11. Assistance to Customer
11.1 Data Subject requests. Taking into account the nature of the Processing, Opinly will provide reasonable assistance to Customer through appropriate technical and organisational measures, insofar as this is possible, to enable Customer to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). If Opinly receives a request from a Data Subject directly, Opinly will, where practicable and lawful, forward the request to Customer without responding to it itself (other than to acknowledge receipt).
11.2 DPIAs and consultations. Opinly will provide Customer with reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to Opinly.
12. Personal Data Breaches
Opinly will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Personal Data Breach affecting Customer Data. Such notification will contain at least the information required by Article 33(3) of the EU GDPR to the extent then known, including (where applicable) the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences of the breach, and the measures taken or proposed to address it.
Customer is solely responsible for fulfilling any notification obligations it may have to supervisory authorities or affected Data Subjects under Applicable Data Protection Law.
13. Audits and Information Rights
Opinly will make available to Customer information reasonably necessary to demonstrate compliance with its obligations under this DPA. Upon Customer’s reasonable written request, and no more than once in any 12-month period (other than where required by a supervisory authority or following a confirmed Personal Data Breach), Opinly will allow for, and contribute to, audits conducted by Customer or a mutually agreed independent auditor. Audits will be conducted during normal business hours, with reasonable advance notice, in a manner that does not unreasonably interfere with Opinly’s business operations, and subject to confidentiality obligations. Customer will bear its own costs of any audit; Opinly’s costs of supporting the audit will be borne by Customer at Opinly’s then-current professional services rates.
Where available, Opinly may satisfy its obligations under this Section 13 by providing Customer with copies of independent third-party certifications, attestations, or audit reports maintained by its Sub-processors (for example, the security certifications published by Amazon Web Services), together with Opinly’s written responses to industry-standard security questionnaires.
14. Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and all DPAs and order forms together.
15. General
15.1 Order of precedence. Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect. The Standard Contractual Clauses, where applicable, prevail over any conflicting provisions of the Agreement and this DPA.
15.2 Updates. Opinly may update this DPA from time to time to reflect changes in Applicable Data Protection Law, the Services, or its Sub-processor list. Material changes will be communicated to Customer in accordance with the notice provisions of the Agreement.
15.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
Annex I – Description of the Processing
A. List of Parties. The data exporter is Customer and the data importer is Opinly.ai. The signatories and contact details of each party are as set out in the Agreement and the relevant order form.
B. Description of transfer.
- Data Subjects: as described in Section 4.1 above.
- Categories of Personal Data: as described in Section 4.2 above.
- Sensitive data: not intended to be transferred. Customer is contractually prohibited from sending special categories of data through the Services without a separate written agreement with Opinly.
- Frequency of transfer: continuous, for the duration of the Agreement.
- Nature of the Processing: collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, alignment or combination, restriction, erasure, and destruction, in each case as necessary to provide the Services.
- Purpose of the Processing: as described in Section 3.2 above.
- Retention period: as described in Section 10 above and as documented in the Services. Aggregated and de-identified data may be retained for longer periods to the extent permitted by Applicable Data Protection Law.
- Transfers to Sub-processors: for the purposes set out in Annex III, for the duration of the Agreement.
C. Competent supervisory authority. For transfers subject to the EU GDPR, the supervisory authority of the EU Member State in which the Customer (acting as data exporter) is established. For transfers subject to the UK GDPR, the UK Information Commissioner.
Annex II – Technical and Organisational Measures
Opinly implements and maintains the following technical and organisational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of the Services:
- Encryption in transit: all Customer Data transmitted to and from the Services is encrypted using industry-standard TLS (currently TLS 1.2 or higher).
- Encryption at rest: Customer Data stored within the Services is encrypted at rest using strong, industry-standard ciphers (for example, AES-256).
- Access controls: access to production systems is restricted to authorised personnel, requires multi-factor authentication, follows the principle of least privilege, and is logged and reviewed.
- Network security: production environments are segregated from development and test environments and protected by network-level controls (including firewalls, security groups, and intrusion detection).
- Application security: code is reviewed prior to deployment, dependencies are monitored for known vulnerabilities, and security patches are applied on a risk-prioritised basis.
- Logging and monitoring: system and application logs are retained, monitored for anomalous activity, and used to support incident response.
- Bot and abuse mitigation: the Opinly Pixel includes server-side bot detection and rate-limiting to reduce the volume of non-human traffic ingested and stored.
- Personnel: personnel with access to Customer Data are bound by written confidentiality obligations and receive periodic data protection and security training.
- Vendor management: Sub-processors are evaluated for security and data protection prior to engagement and are bound by written agreements that flow down the obligations of this DPA.
- Business continuity: Customer Data is backed up regularly, backups are encrypted and access-controlled, and recovery procedures are tested periodically.
- Incident response: Opinly maintains a documented incident response process covering detection, triage, containment, eradication, recovery, notification, and post-incident review.
- Data minimisation: the Opinly Pixel hashes IP addresses prior to storage and does not collect precise geolocation by default.
Annex III – List of Sub-processors
The following Sub-processors are engaged by Opinly to Process Customer Data in connection with the Services. This list may be updated from time to time in accordance with Section 8.2 above.
- Amazon Web Services, Inc. – cloud hosting, storage, compute, networking, queuing, and analytics infrastructure (including S3, Lambda, EventBridge, SES, CloudFront, Athena, and DynamoDB). United States and, where Customer is located in the EEA/UK, EU regions.
- PlanetScale, Inc. – managed MySQL database hosting for application data. United States.
- Clerk, Inc. – identity, authentication, and Authorised User account management. United States.
- Stripe, Inc. – payments processing and subscription billing. United States and other regions where Stripe operates.
- Klaviyo, Inc. – lifecycle email and SMS messaging to Authorised Users who have opted in. United States.
- PostHog Inc. – product analytics and feature flagging for the Services. United States or EU, depending on configuration.
- Statsig, Inc. – experimentation and feature flagging. United States.
- Functional Software, Inc. (Sentry) – application error monitoring and observability. United States.
- OpenAI, OpCo, LLC; Anthropic, PBC; xAI Corp.; and other AI model providers – inference for AI-assisted features. United States. AI model providers are contractually prohibited from using Customer Data to train their models.
A current, named list of Sub-processors, including their addresses and the specific Services to which each contributes, is available on request from support@opinly.ai.
Contact
Questions regarding this DPA, requests for a counter-signed copy, or requests relating to the Processing of Customer Data should be directed to support@opinly.ai.
© 2026 Opinly