Data Processing Addendum (DPA)

Last updated: January 2025

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Problem Solving Agency Zenahr Barzani ("Processor", "we", "us") and the user of the SpamSmacker service ("Controller", "you").

This DPA ensures compliance with the General Data Protection Regulation (GDPR), the EU Data Protection Directive, and applicable global privacy laws.

This DPA applies to all processing activities performed on behalf of the Controller in connection with the use of SpamSmacker under the domain spamsmacker.dev.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, such as collection, storage, retrieval, analysis, or deletion.

"Controller" means the user who decides the purposes and means of processing.

"Processor" means the service provider acting on behalf of the Controller.

2. Subject Matter

The Processor provides an online service that scans public YouTube comments for spam, impersonation, and harmful content. This DPA governs all processing of Personal Data required to operate the Service.

3. Roles and Responsibilities

  • The Controller determines which YouTube videos or channels to analyze.
  • The Processor processes data only on documented instructions from the Controller, including those provided through the Service interface.

The Processor shall not process Personal Data for purposes other than:

  • providing the Service,
  • ensuring its security,
  • auditing automated decisions,
  • and meeting legal or regulatory obligations.

4. Categories of Data

The Processor may process:

  • Google OAuth data (email, name, avatar, Google ID)
  • Public YouTube comment text and metadata
  • YouTube channel identifiers
  • IP addresses and device metadata
  • Security and access logs (no raw user IDs stored)
  • Technical data necessary to provide the Service

Billing data is processed exclusively by Paddle.

5. Data Retention

The Processor retains:

  • Public comment data: up to 180 days, then deleted
  • Access logs: up to 90 days
  • Account data: until the user deletes their account

Raw comment content is retained only for:

  • auditing moderation decisions,
  • debugging and support,
  • ensuring accuracy of automated detection.

The Processor does not use comment data for machine learning training.

6. Subprocessors

To provide the Service, the Processor engages the following subprocessors:

  • Supabase – authentication, session and database hosting
  • Vercel – infrastructure and deployment
  • Paddle – billing administration
  • Google (YouTube API) – comment retrieval and OAuth permissions

Each subprocessor maintains GDPR-compliant safeguards.

7. International Transfers

Some data may be processed outside the EU. The Processor ensures appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs),
  • GDPR-compliant cloud frameworks,
  • encryption and limited-access controls.

8. Security Measures

The Processor implements:

  • Encryption in transit
  • Role-based access control
  • Infrastructure isolation
  • Regular vulnerability reviews
  • Secure credential and token handling

9. Assistance to Controller

The Processor assists the Controller in meeting GDPR obligations, including:

  • data subject rights requests,
  • deletion or export of data,
  • incident notification,
  • privacy inquiries.

Requests can be made via .

10. Data Subject Rights

Upon request, the Processor will assist the Controller in responding to:

  • access requests,
  • correction requests,
  • deletion requests,
  • objections to processing,
  • portability requests.

11. Confidentiality

All individuals with access to Personal Data are bound by confidentiality obligations.

12. Audits

The Processor shall make documentation available to demonstrate compliance with this DPA. External audits may be requested if required by law.

13. Incident Notification

In the event of a Personal Data breach, the Processor will notify the Controller without undue delay and provide available information to support compliance with legal obligations.

14. Termination and Return of Data

Upon termination of the Service:

  • Account data will be deleted at the Controller's request,
  • All public comment data previously stored will be purged according to retention rules,
  • Backup data will be cleared in accordance with standard purge cycles.

15. Governing Law

This DPA is governed by EU law, with disputes resolved under the jurisdiction of Germany unless local laws require otherwise.

16. Contact

For privacy, compliance, or security inquiries:


By using the Service, you accept this Data Processing Addendum as part of the Terms of Service.

© 2025 SpamSmacker. All rights reserved.