Data Processing Agreement

Version 1.0 · Effective date: 1 June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Numlock Studio, a business registered in New Zealand ("Processor"), and applies where LinksWatch processes personal data on your behalf.

This DPA is designed to satisfy the requirements of GDPR Article 28, the UK GDPR, and equivalent obligations under the NZ Privacy Act 2020.

1. Definitions

Personal Data — any information relating to an identified or identifiable natural person processed through LinksWatch, including visitor click data (pseudonymous identifiers, approximate location, device type, referrer).
Controller — you, the LinksWatch customer who determines the purposes and means of processing.
Processor — Numlock Studio, operating LinksWatch as a data processor on your behalf.
Sub-processor — a third party engaged by the Processor to assist in processing Personal Data.

2. Subject matter and nature of processing

The Processor provides a URL shortening and link analytics platform. Processing activities include:

Recording click events on your short links (timestamp, pseudonymous visitor ID, country, city, device type, browser, OS, referrer)
Storing and serving your short link destination URLs and associated metadata
Performing automated uptime checks on your destination URLs
Sending transactional email notifications on your behalf

3. Duration

Processing continues for the duration of your LinksWatch subscription. On termination or account deletion, Personal Data is deleted in accordance with the retention policy in the Privacy Policy, unless retention is required by law.

4. Processor obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller (as set out in the Terms of Service and this DPA), unless required to do so by applicable law
Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations
Implement appropriate technical and organisational security measures (TLS encryption, access controls, regular security reviews)
Not engage a Sub-processor without the Controller's prior general authorisation (see Section 5)
Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability)
Notify the Controller without undue delay on becoming aware of a Personal Data breach affecting Controller data
Delete or return all Personal Data on request at the end of the service relationship
Provide reasonable assistance with audits or inspections, including making available information demonstrating compliance

5. Sub-processors

The Controller grants general authorisation to engage the following Sub-processors. We will provide at least 10 days' notice before adding or replacing a Sub-processor.

Sub-processor	Purpose	Location
Supabase	Database and authentication	AWS us-east-1 (USA)
Vercel	Application hosting and edge functions	Global CDN
Stripe	Payment processing	USA
Resend	Transactional email delivery	USA

6. International transfers

Personal Data is processed in the United States via the Sub-processors listed above. These transfers are made on the basis of Standard Contractual Clauses (SCCs) where required by GDPR, or under the NZ Privacy Act 2020 for transfers from New Zealand. Each Sub-processor is subject to appropriate data transfer mechanisms.

7. Security measures

The Processor implements the following technical and organisational measures:

TLS encryption for all data in transit
Encrypted storage at rest (Supabase/AWS encryption)
Row-level security policies limiting data access to authorised users
Access controls with role-based permissions (super_admin, org_admin, member)
Automated retention policies (click data pruned after 90 days; link check data pruned after 90 days)
Dependency security scanning and regular codebase security reviews

8. Data subject rights

As Controller, you are responsible for fulfilling data subject rights requests from your end users. The Processor will provide reasonable assistance. Requests for data export can be satisfied via the Analytics CSV export feature in the dashboard. Requests for erasure can be satisfied via the account deletion feature in Settings, or by contacting our contact form.

9. Personal data breach notification

The Processor will notify the Controller within 72 hours of becoming aware of a Personal Data breach that affects Controller data, to the email address associated with the Controller's account. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. Governing law

This DPA is governed by the laws of New Zealand, subject to any mandatory requirements of applicable EU/UK data protection law where the Controller is established in those jurisdictions.

11. Contact

For data protection queries, contact us at our contact form.
Numlock Studio, New Zealand.