Data Processing Addendum
Date of Last Revision: July 6, 2026
This Data Processing Addendum (this "DPA") supplements and is incorporated into the CreatorStore Terms of Service and any other agreement between CreatorStore Labs LLC ("CreatorStore," "Processor," "we," "us") and the Creator that has accepted the Terms of Service ("Creator," "Controller," "you"). This DPA applies where CreatorStore processes personal data of the Creator's Customers on the Creator's behalf.
By using the Service to collect, store, or process Customer personal data, you accept and agree to be bound by this DPA. If you do not accept this DPA, you must discontinue use of the Service.
1. Definitions
Terms used in this DPA have the meanings given in the Terms of Service unless defined here. In addition:
"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and other comparable state or national data protection laws.
"Controller" means the natural or legal person that determines the purposes and means of the processing of Personal Data. Under the CCPA/CPRA, "Controller" corresponds to "Business."
"Customer Personal Data" means Personal Data relating to Creators' Customers, prospective Customers, subscribers, or website visitors, processed by CreatorStore on behalf of the Creator through the Service.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Personal Data" means any information relating to an identified or identifiable natural person as defined by Applicable Data Protection Laws. Under the CCPA/CPRA, "Personal Data" corresponds to "Personal Information."
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
"Processor" means the natural or legal person that processes Personal Data on behalf of the Controller. Under the CCPA/CPRA, "Processor" corresponds to "Service Provider" or "Contractor."
"Sub-processor" means any third party engaged by CreatorStore to process Customer Personal Data on behalf of the Creator.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Decision (EU) 2021/914) or, as applicable, the UK International Data Transfer Addendum.
2. Roles and Scope
a. Roles. With respect to Customer Personal Data, the Creator is the Controller and CreatorStore is the Processor. Each party will comply with the obligations that apply to it under Applicable Data Protection Laws.
b. Separate Processing by CreatorStore. CreatorStore also processes certain personal data as an independent Controller for its own purposes (including account management, service improvement, fraud prevention, and legal compliance). Such processing is governed by the CreatorStore Privacy Policy and is outside the scope of this DPA.
c. Subject Matter, Nature, and Purpose. The subject matter of processing is the provision of the Service, including storefront hosting, e-commerce functionality, scheduling, email communications, and analytics. The nature and purposes are described in the Terms of Service and Privacy Policy.
d. Categories of Data Subjects. Customers, prospective Customers, subscribers, and visitors to Creator storefronts.
e. Categories of Personal Data. Identifiers (name, email, IP address); billing and address information; transaction and order data; communication content (Customer-to-Creator messages); marketing preferences; and other information voluntarily provided by Customers to Creator storefronts.
f. Duration. The duration of processing is the term of the Creator agreement plus any period during which CreatorStore retains Customer Personal Data as permitted by Section 10 of this DPA.
3. Instructions and Processing
CreatorStore will process Customer Personal Data only on documented instructions from the Creator, including with regard to international transfers, except where CreatorStore is required to process otherwise by law. In such a case, CreatorStore will inform the Creator of the legal requirement before processing, unless prohibited by law.
The Creator's documented instructions are (i) the Terms of Service, this DPA, and any Creator configuration of the Service; and (ii) any additional written instructions the Creator provides that CreatorStore accepts. CreatorStore will inform the Creator if, in its opinion, an instruction infringes Applicable Data Protection Laws.
4. Confidentiality
CreatorStore ensures that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security
CreatorStore implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Measures include, as appropriate:
encryption of Personal Data in transit and at rest; ongoing confidentiality, integrity, availability, and resilience of processing systems and services; ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident; regular testing, assessing, and evaluating of the effectiveness of technical and organizational measures; role-based access controls and multi-factor authentication for administrative accounts; secure development practices and vulnerability management; and vendor security due diligence.
6. Sub-processors
a. General Authorization. The Creator provides a general authorization for CreatorStore to engage Sub-processors to process Customer Personal Data, subject to this Section 6.
b. Current Sub-processors. A current list of Sub-processors is available on request by emailing [email protected]. Categories of Sub-processors include cloud hosting providers, payment processing (Stripe, Inc.), email delivery, customer support tooling, analytics, and generative AI service providers.
c. New Sub-processors and Objection Right. CreatorStore will provide the Creator with prior notice of the addition or replacement of Sub-processors by updating the list and, at the Creator's option, by email to the Creator's registered contact. The Creator may object to a new Sub-processor on reasonable data protection grounds by emailing [email protected] within fifteen (15) days of notice. Where the parties cannot agree on a resolution, the Creator's exclusive remedy is to terminate the Creator agreement with respect to the affected Service functionality.
d. Sub-processor Agreements. CreatorStore imposes contractual data protection obligations on each Sub-processor that are no less protective than those in this DPA. CreatorStore remains liable to the Creator for the performance of each Sub-processor's data protection obligations, in accordance with Applicable Data Protection Laws.
7. Data Subject Rights
CreatorStore will, taking into account the nature of the processing, assist the Creator by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Creator's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection).
Where CreatorStore receives a request directly from a Data Subject relating to Customer Personal Data, CreatorStore will not respond to that request except on the documented instructions of the Creator or as required by law, and will inform the Creator of the request without undue delay.
8. Assistance with the Creator's Compliance Obligations
CreatorStore will assist the Creator, taking into account the nature of processing and the information available to CreatorStore, in ensuring compliance with the Creator's obligations under Applicable Data Protection Laws relating to (a) security of processing; (b) notification and communication of Personal Data Breaches; (c) data protection impact assessments; and (d) prior consultation with supervisory authorities. Where this assistance would impose costs on CreatorStore beyond ordinary support, the Creator agrees to reimburse reasonable costs.
9. Personal Data Breach Notification
CreatorStore will notify the Creator without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent known at the time: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate its effects.
The Creator, as Controller, is responsible for onward notifications to supervisory authorities and Data Subjects as required by Applicable Data Protection Laws.
10. Deletion or Return of Personal Data
Upon termination or expiration of the Creator agreement, and at the Creator's choice, CreatorStore will delete or return all Customer Personal Data to the Creator, and delete existing copies, unless applicable law requires storage of the Customer Personal Data. Deletion or return will occur within a reasonable period (typically ninety (90) days).
CreatorStore may retain Customer Personal Data in encrypted backups for the standard retention period of those backups (up to one (1) year), after which such data is deleted or de-identified. During this period, CreatorStore will maintain confidentiality and integrity of the Personal Data and will not process it except as necessary for backup integrity and legal compliance.
11. Audits
CreatorStore will make available to the Creator all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and equivalent provisions of Applicable Data Protection Laws, and will allow for and contribute to audits, including inspections, conducted by the Creator or another auditor mandated by the Creator, subject to the following.
a. Frequency and Scope. Audits are limited to once per calendar year, unless required more frequently by a supervisory authority or following a Personal Data Breach.
b. Notice and Confidentiality. The Creator will provide at least thirty (30) days' prior written notice, execute confidentiality obligations satisfactory to CreatorStore, and conduct the audit during regular business hours in a manner that does not unreasonably interfere with CreatorStore's operations.
c. Reports. Where CreatorStore has current independent third-party audit reports (such as SOC 2 Type II or ISO 27001), the parties agree that provision of such reports satisfies the audit right except where a supervisory authority requires an on-site inspection.
d. Costs. The Creator bears the costs of any audit it initiates, including reimbursement of CreatorStore's reasonable time and expenses in cooperating.
12. International Transfers
a. Transfers Out of the EEA/UK/Switzerland. Where processing under this DPA involves the transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country not recognized by the European Commission (or the equivalent UK or Swiss authority) as providing an adequate level of data protection, the parties agree that the transfer is governed by the Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated into this DPA by reference. For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum. For transfers from Switzerland, the parties adopt the SCCs with the understanding that references to GDPR are read as references to the Swiss FADP where applicable.
b. Additional Safeguards. Where required, CreatorStore will implement supplementary measures to protect transferred Personal Data, including encryption, contractual protections against government access requests, and transparency reporting.
13. CCPA/CPRA Provisions (California)
Where CreatorStore processes Personal Information (as defined by the CCPA/CPRA) of California residents on behalf of the Creator, CreatorStore acts as a Service Provider (or, where applicable, Contractor) and (a) will not sell or share the Personal Information; (b) will not retain, use, or disclose the Personal Information for any purpose other than the business purposes specified in the Creator agreement, or as otherwise permitted by the CCPA/CPRA; (c) will not retain, use, or disclose the Personal Information outside the direct business relationship between the parties; (d) will comply with applicable obligations under the CCPA/CPRA; and (e) will provide the same level of privacy protection as the CCPA/CPRA requires of Creators as Businesses. CreatorStore certifies its understanding of and agreement to these restrictions.
CreatorStore will notify the Creator if it determines that it can no longer meet its obligations under the CCPA/CPRA. The Creator has the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.
14. Liability
Each party's liability under this DPA is subject to the limitation of liability and exclusion of damages provisions in the Terms of Service. Nothing in this DPA is intended to limit either party's liability to Data Subjects under Applicable Data Protection Laws where liability cannot be excluded by contract.
15. Precedence and General
In case of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to matters concerning processing of Customer Personal Data. In case of any conflict between this DPA and the SCCs (as applicable), the SCCs prevail.
This DPA is governed by the same law that governs the Terms of Service, except where Applicable Data Protection Laws require otherwise.
This DPA may be updated from time to time in accordance with the change procedure set out in the Terms of Service.
16. Contact
Questions about this DPA:
CreatorStore Labs LLC
30 N Gould St, STE R, Sheridan, WY 82801, USA
Email: [email protected]