Data Processing Agreement

Last updated: July 5, 2026

1. Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service between Pineapple Proxy ("Processor," "we," "us") and the customer ("Controller," "you") who uses our Service. This DPA applies only to the extent that:

  • You are established in the European Economic Area (EEA), the United Kingdom, or Switzerland, or you process personal data of individuals located in those regions; and
  • The personal data you provide to us (such as your account email address or end-user information you submit) is processed by us as part of providing the Service to you.

Important: This DPA does not apply to data transmitted through, or accessed via, third-party proxy servers listed on our Service. We do not process, control, or have visibility into such data. This DPA covers only the personal data you directly provide to Pineapple Proxy as part of your use of our platform.

2. Definitions

Capitalized terms used in this DPA have the meanings given in the Terms of Service or under applicable data protection law. In addition:

  • "Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf in connection with the Service.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by us who processes Personal Data on your behalf in connection with providing the Service.
  • "Applicable Data Protection Law" means the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and any implementing or successor legislation.

3. Roles and Responsibilities

3.1 Your Obligations as Controller

You, as the Controller, determine the purposes and means of processing Personal Data. You warrant and represent that:

  • You have a lawful basis under Applicable Data Protection Law for all Personal Data you provide to us for processing
  • You have provided all required notices to, and obtained all necessary consents from, data subjects whose Personal Data you provide to us
  • The Personal Data you provide is accurate, relevant, and limited to what is necessary
  • Your instructions to us regarding the processing of Personal Data comply with Applicable Data Protection Law

3.2 Our Obligations as Processor

As Processor, we shall:

  • Process Personal Data solely on your documented instructions as set forth in these Terms and this DPA, unless required otherwise by applicable law (in which case we will inform you of that legal requirement before processing, unless prohibited by law)
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organizational security measures described in Section 6
  • Assist you, to the extent reasonably possible and at your expense, in fulfilling your obligations to respond to data subject rights requests
  • Assist you, to the extent reasonably possible and at your expense, in conducting data protection impact assessments and prior consultations with supervisory authorities
  • Notify you without undue delay if we determine that your processing instructions violate Applicable Data Protection Law

4. Details of Processing

The nature, scope, and purpose of our processing of Personal Data on your behalf is limited to what is necessary to provide, maintain, and secure the Service as described in the Terms of Service and our Privacy Policy.

CategoryDetails
Subject matterProvision of proxy data, API, and related services
Data subjectsYour authorized users and account holders
Categories of Personal DataEmail address, hashed password, IP address, API usage logs, payment transaction records, and any profile information you choose to provide
Purpose of processingAccount management, authentication, service delivery, billing, security, and abuse prevention
Duration of processingAs specified in our Privacy Policy

5. Sub-processors

You provide general authorization for us to engage the sub-processors listed below to assist in providing the Service. We maintain an up-to-date list of sub-processors on this page. We will notify you by updating this page or by email of any additions or replacements of sub-processors at least 14 days in advance. You may object to a new sub-processor by notifying us in writing; if we are unable to accommodate your objection, you may terminate the affected Service without penalty.

Current Sub-processors

Sub-processorPurposeLocationSafeguard
Hetzner Online GmbHInfrastructure hosting (servers, storage, networking)Germany / EUEU-based; adequacy
Stripe, Inc.Payment processing, subscription management, invoicingUnited StatesEU-US DPF certified; SCCs
NowPayments / ChangeNOWCryptocurrency payment processingSeychelles / EU infrastructureSCCs where applicable

Authentication and identity management services are self-hosted on our EU-based infrastructure and are not sub-processed. We do not use third-party analytics or marketing platforms that process Personal Data on our behalf.

6. Technical and Organizational Security Measures

We implement and maintain the following measures to protect Personal Data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Access control: Role-based access with multi-factor authentication; principle of least privilege for all administrative access
  • Network security: Network segmentation, firewalls, intrusion detection, and DDoS protection
  • Vulnerability management: Regular automated vulnerability scanning and periodic third-party penetration testing
  • Monitoring and logging: Centralized security event monitoring with automated alerting for anomalous activity
  • Business continuity: Regular encrypted backups with tested restoration procedures; documented disaster recovery plan
  • Personnel: Background checks for personnel with access to production systems; regular security awareness training
  • Development: Secure software development lifecycle; code review; dependency vulnerability scanning

7. Personal Data Breach Notification

In the event of a Personal Data breach affecting Personal Data we process on your behalf, we will:

  • Notify you without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach
  • Provide a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
  • Communicate the name and contact details of our data protection contact point
  • Describe the likely consequences of the breach
  • Describe the measures we have taken or propose to take to address the breach and mitigate its effects
  • Provide any additional information reasonably requested by you to fulfill your breach notification obligations

Notifications will be sent to the email address associated with your account. You are responsible for maintaining an accurate and current email address.

8. Data Subject Rights and Cooperation

Taking into account the nature of the processing, we will provide reasonable assistance to enable you to respond to requests from data subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection). You are responsible for verifying the identity and authority of the individual making such a request.

If we receive a data subject request directly, we will forward it to you without responding to the data subject, unless otherwise required by law.

9. International Data Transfers

Personal Data is primarily processed on infrastructure located in Germany (EU). Where our sub-processors transfer Personal Data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for the recipient country
  • Certification under the EU-US Data Privacy Framework (DPF), where applicable

10. Audit Rights

Upon your written request, no more than once per calendar year and with at least 30 days' prior written notice, you may audit our compliance with this DPA through:

  • Review of our then-current security certifications, attestations, and audit reports (which we will provide at no charge); and/or
  • An on-site audit conducted by a mutually agreed independent third-party auditor, at your sole expense, during normal business hours and subject to our reasonable security and confidentiality requirements.

Any audit findings shall be considered our confidential information and may not be disclosed to third parties without our prior written consent, except as required by law. You shall provide us with a copy of any audit report promptly upon completion.

11. Deletion and Return of Data

Upon termination of your use of the Service, we will delete all Personal Data processed on your behalf within 30 days, except where retention is required by applicable law (e.g., financial records must be retained for 5–7 years per tax regulations). Before deletion, you may request an export of your Personal Data in a standard machine-readable format by contacting privacy@pproxy.tech.

12. Limitation of Liability

The liability provisions set forth in Section 12 of the Terms of Service apply to this DPA in full. To the extent not addressed by the Terms of Service, each party's aggregate liability under this DPA shall be limited as set forth in the Terms of Service. Nothing in this DPA is intended to increase either party's liability beyond what is stated in the Terms of Service.

13. Term and Termination

This DPA takes effect on the date you first use the Service and remains in effect for the duration of your use of the Service and any post-termination period during which we retain Personal Data in accordance with the Terms of Service or applicable law. This DPA automatically terminates upon deletion of all Personal Data by us.

14. Governing Law

This DPA is governed by the laws specified in the Terms of Service. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.