Data Processing Agreement (DPA)
Last updated: March 14, 2026
1. Scope and Purpose
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SweepFeed LLC ("Processor"), a Wyoming limited liability company, and you ("Controller"), governing the processing of personal data in connection with the SweepFeed platform.
This DPA applies to all processing of personal data by SweepFeed on behalf of users and partners, and complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws
- "Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction
- "Sub-processor" means any third party engaged by SweepFeed to process personal data on behalf of the Controller
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data
3. Data Processing Details
3.1 Categories of Data Subjects
- Registered users of the SweepFeed platform
- Visitors to the SweepFeed website
- Users of the SweepFeed mobile application
3.2 Categories of Personal Data
- Identifiers (name, email, device IDs, IP address)
- Account credentials (authentication tokens — no passwords stored)
- Payment information (processed by Stripe; SweepFeed does not store full card numbers)
- Usage data (pages visited, sweepstakes interactions, search queries)
- Geolocation data (approximate city/region from IP address)
- Device information (OS, browser, screen resolution)
- Behavioral profiles (inferred interests and engagement patterns)
Data sold through our Data Intelligence marketplace is processed using k-anonymity (k≥20) before delivery. Users who have exercised opt-out rights under applicable privacy laws are excluded from all report datasets prior to anonymization and aggregation.
3.3 Purpose of Processing
- Providing and operating the SweepFeed service
- Personalizing sweepstakes recommendations
- Processing subscription payments
- Operating the DustBunnies rewards program
- Serving relevant advertisements
- Analytics and service improvement
- Generating aggregated, de-identified data intelligence reports for commercial sale to third-party business customers
- Fraud prevention and security
4. Sub-Processors
SweepFeed engages the following sub-processors to provide the Service. Each sub-processor operates under a data processing agreement with SweepFeed that provides protections no less protective than this DPA:
- Google Cloud / Firebase (United States) — Hosting, database (Firestore), authentication, analytics, crash reporting, cloud functions, and storage
- Stripe, Inc. (United States) — Payment processing and subscription billing
- RevenueCat, Inc. (United States) — In-app subscription management and entitlement tracking
- PostHog, Inc. (United States / EU) — Product analytics and feature flagging. Data processed in accordance with user consent preferences
- Google AdMob / AdSense (United States) — Advertising delivery and measurement on mobile and web
- Vercel, Inc. (United States) — Web application hosting and edge delivery
- Mailgun (Sinch) (United States / EU) — Transactional and marketing email delivery
- Twilio, Inc. (United States) — SMS messaging and dedicated phone number provisioning for Pro subscribers
- Arcjet (United States) — Edge security, bot detection, and web application firewall
- Upstash, Inc. (United States) — Serverless Redis caching and rate limiting
- Data Intelligence Customers — Purchasers of aggregated, anonymized data reports. These customers receive only de-identified, aggregated data with k-anonymity safeguards (k≥20). No personal data is shared with Data Intelligence customers
SweepFeed will notify users at least 30 days before adding a new sub-processor via email notification to registered users. Users may object to a new sub-processor by contacting support@sweepfeed.com.
5. Data Security
SweepFeed implements appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege principles
- Regular security audits and vulnerability assessments
- Secure credential management using environment variables and Firebase secrets
- Automated monitoring for suspicious activity
- Employee access limited to personnel who require access to perform their job duties
6. Data Breach Notification
In the event of a Data Breach affecting personal data processed under this DPA, SweepFeed will:
- Notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Provide a detailed description of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
- Cooperate with users and authorities in investigating and remediating the breach
- Document all breaches, including facts, effects, and remedial actions taken, regardless of whether notification to authorities is required
7. Data Subject Rights
SweepFeed will assist the Controller in fulfilling data subject rights requests, including:
- Right of access — providing copies of personal data
- Right to rectification — correcting inaccurate data
- Right to erasure — deleting personal data upon request
- Right to data portability — exporting data in machine-readable format
- Right to restriction of processing
- Right to object to processing
Requests will be processed within 30 days (or as required by applicable law). Users may submit requests via support@sweepfeed.com.
8. Data Retention
- Active Accounts: Data retained while the account is active
- Account Deletion: Personal data deleted or anonymized within 30 days of account deletion
- Payment Records: Retained for 7 years per tax and accounting requirements
- Server Logs: Retained for 90 days
- Analytics Data: Anonymized after 26 months
9. International Data Transfers
Personal data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, SweepFeed relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Data processing agreements with all sub-processors that include equivalent transfer safeguards
- Technical measures (encryption, access controls) to supplement transfer mechanisms
10. Audit Rights
Upon reasonable written request and subject to confidentiality obligations, SweepFeed will make available to the Controller information necessary to demonstrate compliance with this DPA. This may include:
- Documentation of technical and organizational security measures
- Results of third-party security audits or certifications
- Records of data processing activities
Audits will be conducted no more than once per year, with at least 30 days' advance notice, during normal business hours.
11. Term and Termination
This DPA remains in effect as long as SweepFeed processes personal data on behalf of the Controller. Upon termination:
- SweepFeed will delete or return all personal data within 30 days, unless retention is required by law
- SweepFeed will provide written confirmation of data deletion upon request
- Obligations regarding confidentiality and data security survive termination
12. Contact
For questions about this DPA or to exercise any rights, contact us at support@sweepfeed.com.
Questions about this policy? Reach out at support@sweepfeed.com