Data Processing Agreement
Last updated: May 18, 2026
Overview
This Data Processing Agreement ("DPA") forms part of the contract between Pricelyzer, Inc. ("Pricelyzer," the Processor) and the customer entity that has signed up for a Pricelyzer account (the Controller). It applies where Pricelyzer processes personal data on the Controller's behalf in connection with the Pricelyzer platform, as required by Regulation (EU) 2016/679 (GDPR), the UK GDPR, and any equivalent data protection law applicable to the Controller.
By using Pricelyzer, or by signing a separate Enterprise agreement that incorporates this DPA, the Controller and Pricelyzer agree to the terms below. If you require a countersigned DPA for enterprise procurement, email privacy@pricelyzer.app.
1. Definitions
- Personal Data — any information relating to an identified or identifiable natural person processed by Pricelyzer on behalf of the Controller in connection with the service.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, erasure.
- Sub-processor — any third party engaged by Pricelyzer to process Personal Data on behalf of the Controller.
- Security Incident — a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Standard Contractual Clauses (SCCs) — the EU Commission Implementing Decision 2021/914 module sets for international data transfers.
2. Subject matter, nature, and purpose of processing
- Subject matter. Pricelyzer processes Personal Data to provide sourcing-intelligence services to the Controller's Amazon seller business, as described in the Terms of Service and Privacy Policy.
- Nature of processing. Storage, retrieval, computation (fee estimation, ROI calculation), display, and deletion of data derived from the Controller's Amazon SP-API authorisation, account registration, and platform usage.
- Purpose. Operation of the Pricelyzer cockpit, including Scratchpad, Bulk Sourcing, Store Scanner, Ungate Checker, FBM Shipping, Watchlist, Deal Delivery, and Browser Extension.
- Duration. For the term of the Controller's subscription, plus the 30-day post-cancellation grace period, plus any statutory retention period thereafter.
3. Types of personal data and data subjects
Pricelyzer processes the following Personal Data categories on the Controller's behalf:
- Account data. Email address, name, password hash, subscription identifiers. Data subjects: the Controller's authorised users.
- Amazon SP-API data. Seller account identifiers, inventory data, fee schedule results, Buy Shipping rate lookups, as authorised by the Controller via OAuth. Data subjects: the Controller's Amazon seller entity (not individual consumers).
- Usage data. Query logs, latency measurements, tool usage counts associated with user sessions. Data subjects: the Controller's authorised users.
- Deal Delivery subscriber data. Email address and subscription consent record. Data subjects: individuals who opted in to the newsletter.
Pricelyzer does not, in the ordinary course of service, process sensitive personal data (as defined by GDPR Article 9) or children's data on the Controller's behalf.
4. Controller obligations
The Controller represents and warrants that:
- It has a lawful basis for the processing activities it instructs Pricelyzer to perform.
- It has provided required notices and obtained necessary consents from its authorised users before they use Pricelyzer.
- Its instructions to Pricelyzer comply with applicable data protection law.
- It will promptly notify Pricelyzer of any changes to instructions that affect Pricelyzer's processing obligations.
5. Pricelyzer's obligations as Processor
Pricelyzer agrees to:
- Process Personal Data only on documented instructions from the Controller (including as set out in the Terms of Service and this DPA), unless required by applicable law to process otherwise — in which case Pricelyzer will inform the Controller before processing, unless prohibited by law.
- Ensure that persons authorised to process the Personal Data are subject to binding confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 6 and on our Security page.
- Assist the Controller in responding to data subject rights requests (access, erasure, portability, rectification, restriction, objection) within 5 business days of receiving a forwarded request, to enable the Controller to respond within applicable deadlines.
- Assist the Controller in meeting its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation) taking into account the nature of processing and information available to Pricelyzer.
- Delete or return all Personal Data following termination of the service, and delete existing copies unless applicable law requires storage — in accordance with the retention schedule in the Privacy Policy.
- Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits (including inspections) conducted by the Controller or its authorised auditor, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations. Pricelyzer may, where it has them, satisfy audit obligations by providing current third-party audit reports of Pricelyzer or its key sub-processors (for example, the SOC 2 attestations maintained by Supabase, Stripe, and Cloudflare). Pricelyzer does not currently hold its own SOC 2 Type II or ISO 27001 attestation; if and when such an attestation is obtained, this DPA will be updated accordingly.
6. Security measures
Pricelyzer implements the following security measures, which may be updated from time to time as the state of technology evolves:
- Encryption in transit. All data transmitted between clients and Pricelyzer infrastructure uses TLS 1.2 or higher with modern cipher suites.
- Encryption at rest. Personal Data stored in Pricelyzer's managed Postgres database is encrypted at rest using AES-256 at the storage layer, as provided by our database vendor (Supabase).
- Access controls. Access to production systems and Personal Data is restricted to Pricelyzer personnel on a need-to-know basis. Multi-factor authentication is enforced on all privileged tooling (cloud, database, payments) for current personnel.
- Incident detection. Pricelyzer relies on hosting- and database-provider native audit trails for administrative-action logging, and operates server-side error logging for application events. We plan to add a dedicated error-monitoring sub-processor (Sentry) before public launch.
- Penetration testing. Pricelyzer plans to commission an external penetration test before crossing meaningful user scale; a summary attestation will be made available once that test is complete.
- Business continuity. Application data is stored on a managed Postgres service that provides automated daily backups and point-in-time recovery within the provider's retention window.
See our Security page for additional detail.
7. Security incidents
In the event of a confirmed Security Incident affecting Personal Data, Pricelyzer will:
- Notify the Controller without undue delay and no later than 72 hours after Pricelyzer becomes aware of the incident.
- Provide in the initial notification (or as soon as reasonably practicable thereafter): the nature of the incident, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
- Cooperate with the Controller's reasonable requests for further information to enable the Controller to meet its breach notification obligations to supervisory authorities and data subjects.
8. Sub-processors
The Controller grants Pricelyzer a general authorisation to engage Sub-processors, subject to the conditions in this section. The current list of Sub-processors is published on our Sub-processors page.
Pricelyzer will provide the Controller with at least 14 days' prior written notice (via email to the account's registered address) of any intended new Sub-processor. If the Controller objects to a new Sub-processor on reasonable data-protection grounds, it must notify Pricelyzer within 14 days. Pricelyzer will use reasonable efforts to address the objection; if it cannot, the Controller may terminate the affected services without penalty by providing 30 days' written notice.
Pricelyzer imposes on each Sub-processor data-protection obligations substantially equivalent to those in this DPA.
9. International data transfers
Where Pricelyzer transfers Personal Data from the European Economic Area, United Kingdom, or Switzerland to Sub-processors located in the United States or other countries without an adequacy decision, Pricelyzer relies on EU Standard Contractual Clauses (Commission Decision 2021/914) as the transfer mechanism. The applicable SCC module (Controller-to-Processor or Processor-to-Processor as relevant) is incorporated by reference into the agreements with each relevant Sub-processor.
Where the Controller requires a copy of the relevant SCCs or transfer impact assessment, contact privacy@pricelyzer.app.
10. Liability and indemnification
Each party's liability under this DPA is subject to the liability limitations and exclusions set out in the Terms of Service. Where both parties are responsible for damage caused by processing in breach of GDPR, liability is apportioned according to each party's degree of responsibility for the damage, as determined by applicable law.
11. Order of precedence
In the event of a conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall take precedence. In all other matters, the Terms of Service prevail.
12. Governing law
This DPA is governed by the same governing law as the Terms of Service (Delaware, United States), except where mandatory provisions of GDPR or UK GDPR require a specific governing law for the SCCs, in which case those provisions apply to the SCC portions only.
13. Requesting a countersigned DPA
Enterprise customers who require a countersigned, entity-specific DPA for their procurement process may request one by contacting privacy@pricelyzer.app. Include your company name, registered address, and the specific jurisdiction(s) relevant to your request. We aim to respond within 5 business days.
14. Contact
Data protection inquiries: privacy@pricelyzer.app
Legal inquiries: legal@pricelyzer.app