Data Processing Addendum
Last updated: June 25, 2026
Scope
Short version. This addendum applies when Arcalotl processes member or subscriber personal data for an operator's community.
This Data Processing Addendum ("DPA") supplements the Operator Terms. It applies when Arcalotl processes personal data on behalf of an operator to provide checkout, billing state, subscription management, access automation, retention workflows, member messaging, analytics, support, security, and related Service functionality.
Roles
Short version. The operator is the controller or business for member data. Arcalotl is the processor or service provider for that data.
For member and subscriber personal data processed for an operator's community, the operator determines the purposes and means of processing and Arcalotl processes the data to provide the Service. Arcalotl remains a controller for its own account, analytics, security, support, legal, and fee-collection processing as described in the Privacy Policy.
Processing details
Short version. We process the categories of data needed to run community subscriptions and access automation.
Processing includes hosting, storing, transmitting, retrieving, organizing, analyzing, securing, deleting, and otherwise handling member data as needed to provide the Service.
- Data subjects. Members, subscribers, purchasers, donors, operator admins, and support contacts.
- Data categories. Platform identifiers, customer identifiers, subscription records, purchase records, donation records, payment metadata, access state, role or perk state, event logs, support data, and operational metadata.
- Purposes. Checkout, payment status handling, access automation, billing state, revenue recovery, cancellation flows, analytics, support, security, auditability, and legal compliance.
Instructions
Short version. We process operator-controlled data to provide the Service and follow lawful operator instructions.
Arcalotl will process covered personal data only to provide the Service, as described in the Operator Terms, this DPA, the Privacy Policy, product settings, documented operator instructions, or as required by law. Arcalotl may refuse an instruction if it reasonably believes the instruction violates law, security requirements, platform requirements, or these terms.
Arcalotl will promptly inform the operator if, in Arcalotl's opinion, an instruction infringes applicable data protection law, unless prohibited by law.
For covered personal data processed as a service provider or processor, Arcalotl will not sell or share that data; retain, use, or disclose it outside the business purposes described in this DPA; or combine it with personal data from other customers except as permitted by applicable law.
Confidentiality and security
Short version. We limit access to covered data and use safeguards appropriate for the Service.
Arcalotl requires personnel with access to covered personal data to protect it and process it only as needed for the Service. Arcalotl uses technical and organizational measures designed to protect covered personal data, including access controls, encryption in transit, credential protection, audit events, monitoring, and operational review.
Taking into account the nature of processing and information available to Arcalotl, Arcalotl will provide reasonable assistance with security obligations, personal data breach assessment and notification, data protection impact assessments, and prior consultation with supervisory authorities.
Subprocessors
Short version. We use subprocessors to provide hosting, payments, analytics, monitoring, object storage, and platform integration functionality.
Arcalotl may use subprocessors to provide the Service. Current subprocessors are listed at /subprocessors. Arcalotl remains responsible for its subprocessors' performance of their data protection obligations for covered personal data.
Operators grant Arcalotl general written authorization to use the subprocessors listed at /subprocessors. Arcalotl will give operators at least 30 days' notice before adding or replacing a subprocessor that will process covered personal data, unless shorter notice is required for security, availability, legal, or platform reasons. Operators may object during the notice period on reasonable data protection grounds. Arcalotl will impose data protection obligations on each subprocessor that are no less protective than this DPA for covered personal data.
Operator obligations
Short version. Operators must have a lawful basis to send member data to Arcalotl and to use the workflows they enable.
Operators are responsible for providing required notices, obtaining required rights or consents, honoring privacy choices, and ensuring their instructions to Arcalotl are lawful. Operators must not submit sensitive personal data to the Service unless the feature expressly supports that data and appropriate safeguards are in place.
Data subject requests
Short version. Operators are responsible for responding to member privacy requests. We help where the request concerns data we process for the operator.
If Arcalotl receives a request from a member about covered personal data controlled by an operator, Arcalotl may direct the requester to the operator. Taking into account the nature of the processing, Arcalotl will provide reasonable assistance to operators responding to valid access, correction, deletion, portability, objection, and restriction requests.
Deletion and return
Short version. We delete or anonymize covered data when no longer needed, subject to legal, security, payment, and audit retention needs.
At the end of the Service relationship or upon valid instruction, Arcalotl will delete, anonymize, or return covered personal data where reasonably possible. Arcalotl may retain data where needed for fraud prevention, chargebacks, disputes, taxes, accounting, legal claims, security, backup integrity, event replay safety, or other lawful purposes.
Security incidents
Short version. If a confirmed breach affects covered operator data, we will notify affected operators without undue delay.
Arcalotl will notify affected operators without undue delay after confirming a personal data breach involving covered personal data. Notice will include information reasonably available to Arcalotl to help the operator meet applicable breach notification obligations.
International transfers
Short version. Where transfer safeguards are required, we use lawful transfer mechanisms.
Arcalotl and its subprocessors may process covered personal data in multiple countries. Where applicable law requires transfer safeguards, Arcalotl uses appropriate safeguards such as standard contractual clauses, data processing agreements, or other lawful mechanisms.
Audit information
Short version. We provide reasonable information to help operators assess our processing. Direct audits must be reasonable and coordinated.
Arcalotl will provide reasonable information necessary to demonstrate compliance with this DPA. Any operator audit must be limited to information relevant to covered personal data, avoid disruption to the Service, protect other customers and confidential information, and be subject to reasonable security and confidentiality controls.
Contact
For data protection requests, contact privacy@arcalotl.com.