Effective Date: August 1st, 2023
- The Parties agree to enter into this DPA for the purposes of ensuring compliance with applicable Data Protection Laws. User enters into this DPA on behalf of itself and on behalf of its authorized Affiliates. AppLovin may receive Personal Data through User’s use of the Services and, in consideration of the mutual obligations set out herein, the Parties agree to comply with the following provisions with respect to any Personal Data processed through the Services. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In addition to the terms defined in the Agreement and above, the following terms shall have the following meanings for the purposes of this DPA:
- “Adequate Jurisdiction” means a country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as determined by the European Commission in the case that GDPR applies, and as determined by the UK Information Commissioner’s Office in the case that the UK GDPR applies.
- “Affiliates” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.
- “Approved Addendum” means the template addendum (version B.1.0) issued by the United Kingdom International Commissioner’s Office (ICO) and laid before the United Kingdom Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of such addendum.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal Civ. Code §1798.100 et seq., and all implementing regulations, as amended from time to time, such as by the California Privacy Rights Act of 2020 (“CPRA”).
- “Data Protection Laws” means EU Data Protection Law, the CCPA, the Brazilian General Personal Data Protection Law, No. 13,709/2018 (the “LGPD”), and any other legislation protecting natural persons’ right to privacy with regard to the processing of Personal Data to the extent applicable to a Party’s Processing of Personal Data under the Services.
- “Data Subject Rights” means the rights granted to Data Subjects under Data Protection Laws.
- “EU Data Protection Law” means the GDPR, the e-Privacy Directive and national implementing legislation and the Swiss Federal Data Protection Act.
- “GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“EU GDPR”) and, where applicable, the “UK GDPR” as defined in the Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019.
- “Member State” means a member state of the European Economic Area, together with Switzerland and the United Kingdom.
- “SCCs” means (a) with respect to data transfers from the European Union to third countries that are not deemed adequate jurisdiction by the European Commission, Module 1 (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “EU SCCs”); (b) with respect to data transfers from the United Kingdom, Module 1 (controller to controller) of the EU SCCs as further amended by Part 2: Mandatory Clauses of the Approved Addendum (the “UK Mandatory Clauses”), together with any other necessary conforming changes to the EU SCCs (collectively, the “UK SCCs”); and (c) any updated, revised, or separate clauses relating to data transfer requirements of the GDPR issued from time to time by the European Commission, UK Information Commissioner’s Office, any other applicable data protection authority, or other body with competent authority and jurisdiction.
- “Shared Personal Data” means Personal Data Processed by a Party to the extent such Party received that Personal Data from the other Party (that other party, the “Sharing Party” under this definition) in connection with the performance of the Agreement. For the avoidance of doubt, a Party is also deemed to “receive” Personal Data from a Sharing Party where the Sharing Party grants access to such Personal Data to the receiving Party.
- “Transparency Notices” has the meaning given to it in clause 3.2(a).
- The terms “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data,” shall have the meanings given in EU Data Protection Law. To the extent Data Protection Laws use different terms to cover concepts similar to those covered under the aforementioned bold terms in this Section 2.13, then “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data” shall have the meaning assigned to those different terms under such Data Protection Laws.
- DATA PROCESSING; INDEPENDENT CONTROLLERS
- AppLovin and User: (a) are independent Controllers with regard to the Shared Personal Data; and (b) will individually determine the purposes and means of its processing of Personal Data.
- Each Party shall, with respect to the Processing of any Shared Personal Data, comply with Data Protection Laws, including as follows:
- each Party shall provide all applicable notices to Data Subjects as required under Data Protection Laws for the lawful Processing by it of Shared Personal Data (“Transparency Notices“). User shall disclose its use of the Services and how AppLovin Processes Personal Data in its Transparency Notices. For example, for Users that have embedded AppLovin advertising Services in their mobile applications, this can be done by including the following language in the User’s Transparency Notices: “We work with AppLovin to deliver ads in our mobile application. For more information about AppLovin’s collection and use of your information visit: https://www.applovin.com/privacy/”;
- each Party shall provide all required mechanisms for, and give effect to, applicable Data Subject Rights pursuant to Data Protection Laws and respond to inquiries by governmental authorities;
- neither Party shall Process the Shared Personal Data for any purpose other than as set out in its Transparency Notice and unless such Processing is also authorized under Data Protection Laws and the Agreement;
- each Party shall ensure that all of its employees engaged in the Processing of such Shared Personal Data act consistently with this DPA;
- each Party shall implement technical and organisational security measures to prevent (i) the accidental, unlawful, or unauthorized destruction, loss, alteration, or disclosure of, or access to, Shared Personal Data or (ii) any other security incident that amounts to a “personal data breach” (as such term or similar term, such as “breach of the security system” or “data breach,” is defined under Data Protection Laws) of Shared Personal Data (in either case of (i) and (ii), a “Data Breach”); and
- each Party agrees that any agreement with a subprocessor shall comply with the Data Protection Laws.
- Each Party shall in particular, unless prohibited under applicable law, notify the other without undue delay (i) of any requests to exercise Data Subject Rights received by that Party regarding the Shared Personal Data, to the extent such notices are required under Data Protection Law; (ii) about regulatory inquiries involving the Processing of Shared Personal Data, and (iii) any Data Breach involving the Shared Personal Data to the extent resulting in material destruction, loss, alteration, or disclosure of, or access to, that Shared Personal Data.
- User represents and warrants it has provided (and shall maintain) all required notices and obtained all necessary permissions and consents required under the Data Protection Laws from the relevant Data Subjects on behalf of AppLovin to lawfully permit AppLovin to process Personal Data as contemplated in the Agreement.
- Where consent is the lawful basis for processing Personal Data or otherwise required for the use of the Services, User represents and warrants that it shall, at all times, make available, maintain, and make operational on the User’s properties: (i) a mechanism for obtaining such consent from Data Subjects in accordance with the requirements of the Data Protection Laws; and (ii) a mechanism for Data Subjects to withdraw such consent (opt-out) in accordance with the Data Protection Laws.
- With respect to the CCPA, (i) the Shared Personal Data is disclosed to AppLovin for the limited and specified purposes of enabling AppLovin (or its demand partners) to bid on advertising inventory, serve Advertisements in connection with the Services, and optimize the Services, as further set forth in AppLovin’s Transparency Notices; (ii) AppLovin shall comply with the CCPA, including by providing the same level of privacy protection as required of Businesses under the CCPA; (iii) User may take reasonable and appropriate steps to ensure that AppLovin Processes Shared Personal Data in a manner consistent with User’s obligations under the CCPA; (iv) AppLovin shall notify User promptly after AppLovin makes a determination that it can no longer meet its obligations under the CCPA; and (v) User may, upon notice, take reasonable and appropriate steps to stop and remediate the unauthorized Processing of Shared Personal Data.
- In the event of any conflict or discrepancy between the SCCs, the Agreement, and this DPA, the following order of precedence will apply: (i) the SCCs, (ii) this DPA, and (iii) the Agreement.
- This DPA does not alter the limitations of liability set out in the Agreement.
- This DPA will become effective on the date User has accepted the Agreement or the date on which the User started to use the Services. This DPA will terminate simultaneously and automatically upon the termination or expiration of the Agreement.
- To the extent required by Data Protection Law, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Agreement.
- INTERNATIONAL TRANSFERS
- The Parties agree that the SCCs shall apply to the transfer of, including access to, Shared Personal Data:
- in the case of a transfer from User to AppLovin, where the processing of the Shared Personal Data by the User is subject to EU Data Protection Law or the LGPD; or
- in the case of a transfer from AppLovin to User, where:
- the User is not established in an Adequate Jurisdiction;
- the Processing of the Shared Personal Data is subject to EU Data Protection Law or the LGPD or AppLovin is otherwise contractually required to enter into the SCCs.
- For the purposes of the SCCs:
- Annex 1.A (List of Parties) shall be deemed to incorporate the information in Schedule I;
- Annex 1.B (Description of Transfer) shall be deemed to incorporate the information in Schedule III;
- Annex 1.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule II;
- Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule II;
- The optional language within clause 7 of the SCCs does not apply;
- The optional language within clause 11(a) of the SCCs does not apply;
- Pursuant to clause 17, the SCCs will be governed by the laws of Ireland;
- Pursuant to clause 18(b) of the SCCs, the Parties shall resolve disputes under the SCCs before the courts of Cyprus;
- In relation to Table 4 referenced in the UK Mandatory Clauses, neither Party will be entitled to terminate the Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses; and
- For data exporters established within Brazil (for purposes of transfers of Shared Personal Data under the LGPD), the SCCs shall be governed by the laws of the Federative Republic of Brazil. Further, for such transfers under the LGPD, the applicable Data Protection Law shall be understood as the LGPD and the supervisory authority is the National Data Protection Authority in Brazil (ANPD).
- The Parties agree that the SCCs shall apply to the transfer of, including access to, Shared Personal Data:
Contractual party and Role
Address of the party, contact person’s name, position and contact details and, where applicable, of its data protection officer and/or representative in the EU
Activities relevant to the data transferred under these Clauses
Address: 1100 Page Mill Road, Palo Alto, CA 94304 USA
E-mail: [email protected]
|Personal Data is transferred from AppLovin to the User in the course of providing the Services.|
|User(Controller)||As specified in the Agreement.||Personal Data that is made available to AppLovin in connection with the use of the Services by the User.|
Information deemed incorporated into the SCCs
User is the data exporter to the extent User provides and processes Personal Data of EU and UK Data Subjects in connection with the use of the Services.
AppLovin is the data exporter to the extent AppLovin transfers Personal Data of EU and UK Data Subjects to User in connection with the Services.
AppLovin is the data importer to the extent User qualifies as data exporter according to what is set out above.
User is the data importer to the extent AppLovin is the data exporter according to what is set out above.
List of Parties: Relevant information regarding “Data exporter” and “Data importer” under this Schedule I and Schedule II are incorporated by reference herein.
Description of Transfer: Relevant information from Schedule III below is incorporated by reference herein.
Competent Supervisory Authority: The competent supervisory authority shall be determined based on the situation applicable to the data exporter under clause 13 of the Model Clauses (e.g., if the data exporter is established in an EU member state, or falls under GDPR Article 3(2) and has an appointed representative under GDPR Article 27(1), or falls under GDPR Article 3(2) and has not appointed a representative under GDPR Article 27(1)), except that, in the case of the UK SCCs, the competent supervisory authority under the UK SCCs will be the UK Information Commissioner.
Technical and Organisational Measures:
Data importer will implement and maintain appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services.
Where AppLovin acts as the data importer, those measures shall be set forth in an AppLovin security statement. Data importer will make that statement available to data exporter upon request.
DESCRIPTION OF THE TRANSFER
Categories of data subjects whose data is transferred
The personal data transferred concern the following categories of data subjects:
- Individuals who are end-users of User’s mobile application(s).
- Individuals who are User’s marketing and business contacts.
- Individuals whose navigation of a mobile application has triggered an advertising bid request.
- Individuals who are User’s employees, agents, or representatives in AppLovin’s online platform.
Categories of data transferred
The personal data transferred concern the following categories of data:
Mobile device advertising identifiers (e.g., IDFA/Google Ad ID, IP address);
Device data such as make, model, operating system, device properties and settings, coarse location data;
Click attribution data and transactional data;
Business contact and billing information (e.g., name, email address, billing address, telephone number, VAT number, bank account number to the extent considered personal data).
Sensitive data transferred (if applicable)
The personal data transferred concern the following categories of sensitive data:
The frequency of the transfer
In the case that AppLovin and the User agree to Services embedded on a live mobile application(s), the transfer will take place in real time every time an end-user accesses and navigates the application(s).
Nature of the processing and Purpose of the transfer(s) and further processing
The Personal Data is Processed for the purpose of providing the Services in accordance with the Agreement, including all permissible purposes set forth in the respective data importer’s Transparency Notice.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Parties will have access to certain Shared Personal Data for as long as the User maintains active Services. AppLovin will maintain Personal Data for up to two (2) years.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:
Service providers that AppLovin uses to provide the Services and those described in its Transparency Notice.
Service providers that User uses to implement, operate, and optimize the Services and those described in its Transparency Notice.
The duration of Processing will align with the data retention period described above.