Trust

Data processing agreement.

When you use cyrqle to run campaigns, we process personal data on your behalf. This page explains that relationship under the GDPR and how to put a signed Data Processing Agreement (DPA) in place. It supplements — and is governed by — our terms of service and privacy policy.

Last updated · 19 June 2026

[01]

Controller and processor

For personal data you upload or generate through campaigns — creator profiles, audience signals, deliverables and attribution events — you are the data controller and Content & Emotion S.L. (operating as “cyrqle”) is the data processor. We process that data only on your documented instructions, which are the use of the platform itself plus any written instruction you give us.

For data where we determine purposes and means — your account, billing, security and our own analytics — cyrqle acts as an independent controller, governed by our privacy policy.

[02]

Scope and duration of processing

  • Subject matter: provision of the cyrqle Creator Commerce OS.
  • Duration: for the term of your agreement, plus the retention windows in our privacy policy.
  • Nature & purpose: discovery, activation, orchestration, attribution and compensation of creator-led commerce.
  • Data subjects: creators, your team members and campaign contacts.
  • Categories of data: identifiers, profile and audience data, content metadata, performance and payout metadata.
[03]

Sub-processors

You authorise cyrqle to engage the sub-processors listed on our sub-processors page. Each is bound by data-protection terms no less protective than this DPA. We will give you prior notice of any new sub-processor so you can object on reasonable data-protection grounds.

[04]

Security measures

cyrqle maintains appropriate technical and organisational measures, described on our security page — including encryption in transit and at rest, least-privilege access, audit logging and a documented incident-response process. We notify you without undue delay after becoming aware of a personal-data breach affecting your data.

[05]

International transfers

cyrqle is EU-first; primary data residency is in the EU. Where processing requires a transfer outside the EEA — for example to AI inference providers — we rely on the EU Standard Contractual Clauses (SCCs) and supplementary measures including encryption.

[06]

Assistance and data-subject rights

We assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your obligations under Articles 32–36 GDPR. On termination, we delete or return personal data at your choice, subject to legal retention obligations.

[07]

How to put a DPA in place

Our standard DPA incorporates the EU SCCs and is available on request. To execute one, email privacy@cyrqle.app with your legal entity name and registered address, and we will return a copy for signature. Enterprise customers can request redlines through their account contact.