Data Processing Agreement

Last updated: March 6, 2026

1. Purpose & Scope

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between AOVANCY ("Processor") and you ("Controller") and reflects the parties' agreement with regard to the processing of personal data in accordance with Article 28 of the GDPR.

2. Roles of the Parties

For personal data of buyers and end-users that creators process through the platform, the creator acts as Controller and AOVANCY acts as Processor. For personal data AOVANCY collects for its own purposes (account management, billing, analytics), AOVANCY acts as Controller.

3. Processing Details

Subject matter: Provision of the creator monetization platform.
Duration: For the term of the agreement.
Nature & purpose: Storage, hosting, payment processing, email delivery, and analytics.
Categories of data: Identification data, contact data, transaction data.
Data subjects: Creators, buyers, platform visitors.

4. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. Each is bound by data protection obligations consistent with this DPA:

Vercel Inc. Hosting and content delivery. Located in USA (DPF-certified).
Supabase Inc. Database and authentication. Located in USA / EU.
Whop Inc. Card payment processing, fraud prevention, and creator payouts.
OxaPay. Cryptocurrency payment processing. Located outside the EU; transfers safeguarded by SCCs.
Resend. Transactional and marketing email delivery. Located in USA (DPF-certified).
OpenAI / Anthropic / Google. AI content generation services. Data processed per their respective DPAs.
Cloudflare. CDN and security. Located in USA (DPF-certified).

5. Sub-processor Privacy Policies

Direct links to each sub-processor's privacy policy for your review:

6. International Transfers

All transfers of personal data outside the EEA are safeguarded by Standard Contractual Clauses (SCCs) and, where applicable, EU-US Data Privacy Framework certification.

3. Processing Details

4. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. Each is bound by data protection obligations consistent with this DPA:

Vercel Inc. Hosting and content delivery. Located in USA (DPF-certified).

Supabase Inc. Database and authentication. Located in USA / EU.

Whop Inc. Card payment processing, fraud prevention, and creator payouts.

OxaPay. Cryptocurrency payment processing. Located outside the EU; transfers safeguarded by SCCs.

Resend. Transactional and marketing email delivery. Located in USA (DPF-certified).

OpenAI / Anthropic / Google. AI content generation services. Data processed per their respective DPAs.

Cloudflare. CDN and security. Located in USA (DPF-certified).