Data Processing Addendum

Last updated: April 28, 2026

This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Terms of Service between Franc & Eli, LLC (“tinyposter,” “we”) and the customer identified in the applicable account (“Customer,” “you”). It applies to the extent tinyposter processes Personal Data on your behalf in connection with the tinyposter Service (the “Service”) and in scope of Data Protection Laws (defined below).

You may execute this DPA by signing up for the Service and accepting the Terms. No countersignature is required. If you require a counter-signed copy, email hello@tinyposter.app with your business name and we will return a signed PDF.

1. Definitions

Capitalized terms not defined here have the meanings given in the Terms or in applicable Data Protection Laws.

• Data Protection Laws means the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and any other applicable privacy or data protection laws.
• Personal Data, Controller, Processor, Data Subject, Processing, and Personal Data Breach have the meanings given in the GDPR.
• Customer Personal Data means Personal Data that tinyposter Processes on your behalf as part of the Service.
• Subprocessor means a third party engaged by tinyposter to Process Customer Personal Data.

2. Roles of the parties

For Customer Personal Data, you are the Controller (or a Processor acting on behalf of a third-party Controller) and tinyposter is the Processor. Each party will comply with its respective obligations under Data Protection Laws.

For Personal Data tinyposter collects directly to operate the Service (such as your account email, authentication, billing, and security logs), tinyposter acts as an independent Controller, governed by our Privacy Policy. This DPA does not apply to that processing.

3. Scope and details of processing

The subject matter of the processing is the provision of the Service to you. The duration is the term of your subscription plus any retention period required to delete or return data. Details:

• Nature and purpose: hosting, transmitting, and publishing the content you create through the Service to your connected social platforms; storing scheduled posts; surfacing publish status.
• Categories of Data Subjects: your end users, followers, employees, and any individuals referenced in the content you choose to publish.
• Categories of Personal Data: identifiers and content fields you choose to include in posts (names, handles, images, free-text content), and connected-account identifiers and metadata returned by social platforms.
• Special categories: tinyposter does not require special-category data and you should not submit it. If you do, you remain solely responsible for any additional safeguards required.

4. Customer instructions

tinyposter will Process Customer Personal Data only on your documented instructions, including as set out in the Terms, this DPA, and any configuration choices you make in the Service. Operating the Service in line with the Terms constitutes documented instructions. We will inform you if, in our opinion, an instruction violates Data Protection Laws (without obligation to perform legal advice).

5. Confidentiality

Personnel who process Customer Personal Data are bound by written confidentiality obligations and access Customer Personal Data only on a need-to-know basis.

6. Security

tinyposter will implement appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. Current measures include:

• TLS encryption for data in transit;
• encryption at rest for our managed Postgres database via our hosting provider;
• row-level security policies isolating customer data in the database;
• scoped service-role credentials, with secrets stored in our hosting provider's encrypted secret store;
• hashed storage of API/MCP tokens;
• access logging and standard server logs from our hosting and database providers;
• least-privilege access for personnel and use of strong authentication.

7. Subprocessors

You provide a general authorization for tinyposter to engage Subprocessors. Our current Subprocessors are:

Each Subprocessor is bound by data protection terms substantially similar to those in this DPA and appropriate to the processing it performs. We will give you notice (by updating this list and, where you have subscribed to notifications, by email) at least 30 days before adding or replacing a Subprocessor that processes Customer Personal Data. If you reasonably object on data-protection grounds, you may terminate the affected portion of the Service for the remainder of the current billing period and receive a pro-rated refund for unused time.

8. International transfers

Customer Personal Data may be transferred to and processed in the United States and other countries where we or our Subprocessors operate. Where Data Protection Laws require a transfer mechanism, the parties agree that the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, or Module Three: Processor to Processor as applicable), and the UK Addendum to the SCCs issued by the ICO, are incorporated by reference into this DPA. Optional clauses are deemed not selected; docking clauses apply; governing law and forum default to Ireland (or, for UK transfers, England and Wales) where required; Annexes I.A, I.B, II, and III are populated by Sections 2-7 of this DPA, the Subprocessor list above, and the Customer's account information.

9. Data subject requests

tinyposter will, taking into account the nature of the processing, assist you with appropriate technical and organizational measures (insofar as possible) to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. You can self-serve most actions (export, edit, delete) via your dashboard. If a Data Subject contacts tinyposter directly, we will, where lawful, redirect the request to you.

10. Personal Data Breach

tinyposter will notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer Personal Data. Notification will include the information required under GDPR Article 33(3) to the extent then known. tinyposter will reasonably cooperate with you in investigating and mitigating the breach. Notification of a breach is not, by itself, an admission of fault.

11. Audits

tinyposter will make available the information reasonably necessary to demonstrate compliance with this DPA. Where Data Protection Laws require on-site audits, the parties will agree on scope, timing, and cost in advance, and audits must be conducted during business hours, no more than once per year (except in response to a confirmed material incident or regulator request), under appropriate confidentiality obligations.

12. Deletion or return

On termination of your subscription, you may export Your Content from the dashboard. tinyposter will delete Customer Personal Data within 30 days of termination, except for backups that age out under our normal backup rotation and except where retention is required by law. On request, tinyposter will provide written confirmation of deletion.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms.

14. Order of precedence; changes

In the event of a conflict between this DPA and the Terms with respect to the processing of Customer Personal Data, this DPA controls. Where the SCCs apply and conflict with this DPA, the SCCs control as between those parties. tinyposter may update this DPA on a go-forward basis to reflect changes required by law, regulator guidance, or our processing practices; the “Last updated” date will reflect the most recent change.

15. Contact

For questions about this DPA, to request a counter-signed copy, or to report a privacy concern, email hello@tinyposter.app or write to us at: