Legal

Data Processing Agreement

Last updated: 30 April 2026

This DPA is a launch template for customers who need processor terms. It should be reviewed and adapted by counsel before paid enterprise or regulated-data use.

Roles

For customer content submitted to run an audit, the customer is generally the controller or business, and Measure Copilot acts as a processor or service provider. For account administration, product analytics, billing metadata, security logs, and service operations, Measure Copilot may act as an independent controller.

Processing instructions

Measure Copilot processes customer content only to provide, secure, support, troubleshoot, and improve the Service; comply with law; enforce terms; and as otherwise instructed by the customer through product use or written agreement.

Categories of data

Customer content may include website URLs, business type, notes, GTM JSON exports, GA4 CSV exports, acquisition CSVs, backend orders exports, tracking plans, extension evidence JSON, and generated audit reports.

Sensitive data

The Service is not designed for regulated or highly sensitive personal data. Customers should avoid submitting passwords, payment card data, health data, government IDs, children's data, or special category data unless a separate written agreement permits it.

Security measures

Measure Copilot uses reasonable technical and organizational measures for the current stage of the product, including encrypted hosting providers, limited internal access, short audit-report retention, and separation of payment processing through Stripe.

Subprocessors

Measure Copilot uses the subprocessors listed on the Subprocessors page. We will update that page when subprocessors materially change.

Deletion and return

Audit records are designed to expire after the stated retention period. Customers may request deletion of account or report data by contacting hi@measurecopilot.com.

Assistance and audits

Measure Copilot will provide reasonable assistance with data subject requests, security questions, and compliance documentation, taking into account the nature of the Service and available information.

International transfers

Customer content may be processed by infrastructure providers in locations where those providers operate. Customers are responsible for determining whether their use requires additional transfer terms, standard contractual clauses, or local addenda.

These documents are launch templates and operational disclosures, not a substitute for legal review. Before selling broadly, have counsel adapt them to your business entity, jurisdictions, payment flow, customer contracts, and data processing obligations.