UserBoostBETA

Data Processing Agreement

Last Updated: September 1, 2025

In plain English, because legalese helps no one.

This Data Processing Agreement (DPA) explains how UserBoost handles data when you use our service. We keep things simple and transparent because trust matters.

1Key Terms

Data Controller (you): You decide what data to send us and why. You own your users' data. That's you.

Data Processor (us): We process data on your behalf to provide our service (track events, send nudges). That's us.

2What Data We Process

We only process what you send us via our SDK or API:

  • User identifiers: user_id, email, or external_id (whatever you choose to send)
  • Event names: signup_completed, profile_created, etc.
  • Event metadata: timestamps, custom properties you attach
  • Context data: browser info, IP address (for fraud prevention)

⚠️ We do NOT collect passwords, payment card data, or other sensitive information. If you accidentally send us sensitive data, contact us immediately at support@userboo.st

3How We Use Your Data

We use your data only to:

  • Provide the service: Track user events, visualize funnels, trigger automated nudges
  • Send emails: Deliver recovery emails to stuck users (only when you configure it)
  • System operations: Debug issues, monitoring, security

✓ We NEVER:

  • • Sell your data to third parties
  • • Use it for our own marketing or profiling
  • • Share it with advertisers
  • • Train AI models on your data (unless you explicitly opt-in)

4Subprocessors (Third-Party Services)

We use trusted infrastructure providers to deliver our service:

Amazon Web Services (AWS)

Purpose: Database hosting, data storage
Location: US East (Virginia)
Compliance: SOC 2, GDPR, ISO 27001

Resend / Customer.io

Purpose: Email delivery (transactional and recovery emails)
Compliance: GDPR compliant

Supabase (Postgres)

Purpose: Real-time database and authentication
Location: US East (Virginia)
Compliance: SOC 2, GDPR

We'll notify you before adding new subprocessors that handle your data.

5Data Security Measures

We take security seriously. Here's what we do:

  • Encryption in transit: All API requests use HTTPS (TLS 1.2+)
  • Encryption at rest: Database encryption via AWS RDS
  • Access control: Row-Level Security (RLS) ensures you only see your data
  • API keys: Securely hashed, never stored in plain text
  • Monitoring: Automated alerts for suspicious activity
  • Regular updates: Dependencies patched weekly

Note: We're a small team and not yet SOC 2 certified. We follow best practices and will pursue formal compliance as we grow.

6Data Retention

  • Event data: Retained for 90 days by default. Need a different retention period? Request changes via the contact form in your dashboard (up to 1 year).
  • Account data: Retained while your account is active.
  • Email logs: Kept for 30 days for deliverability tracking.
  • After deletion: All data permanently deleted within 30 days of account closure.

You can export or delete your data anytime. Use the contact form in your dashboard or email support@userboo.st

7International Data Transfers

Your data is primarily stored in the United States (AWS US East region). If you're in the EU/EEA:

  • • We rely on Standard Contractual Clauses (SCCs) for GDPR compliance
  • • All subprocessors are vetted for GDPR compliance before use
  • • You can request a copy of our SCCs at support@userboo.st

8Your Responsibilities (Data Controller Obligations)

As the Data Controller, you must:

  • Get user consent: Ensure you have legal basis to send us user data
  • Avoid sensitive data: Don't send passwords, payment info, or protected health information
  • Handle data requests: Respond to your users' GDPR/CCPA requests (we'll help with deletion/export)
  • Secure your API keys: Keep your keys private and rotate them if compromised

9Data Subject Rights (GDPR & CCPA)

Your users (data subjects) have rights. We'll help you fulfill them:

  • Right to access: Export user data via dashboard or API
  • Right to deletion: Delete user data on request (contact support)
  • Right to rectification: Update user data via API
  • Right to portability: Export in JSON format

To exercise these rights on behalf of your users, email support@userboo.st with the user ID.

10Data Breach Notification

If we discover a data breach that affects your users, we will notify you within 72 hours via email and provide:

  • • Nature of the breach
  • • Data affected
  • • Steps we're taking to mitigate
  • • Recommendations for you to notify affected users (if required)

11Termination & Data Return

When you close your account:

  • Export first: Download your data before deletion (we won't keep backups)
  • 30-day grace period: We retain data for 30 days in case you change your mind
  • Permanent deletion: After 30 days, all data is irreversibly deleted

12Contact & DPA Requests

For questions, DPA execution, or data requests:

📧support@userboo.st

If you need a signed DPA for compliance (e.g., enterprise requirements), we'll provide one within 5 business days.

← Back to Home