Data Processing Agreement

Draft · pending review by counsel. The shape below is what creators agree to electronically at signup; the legal language will be tightened before we exit beta.

This DPA forms part of the agreement between SponsorBoard (“Processor”) and the creator account holder (“Controller”) governing how SponsorBoard handles personal data the Controller uploads about their sponsors. Last updated: 2026-05-17.

Scope

This DPA applies whenever the Controller uploads, imports, or otherwise causes SponsorBoard to receive personal data about a third party (typically the Controller's sponsors and their employees). It does not cover personal data SponsorBoard collects directly from the Controller themselves — that's governed by our Privacy Policy.

Subject matter and duration

SponsorBoard processes the personal data described below for as long as the Controller's account is active, plus a 30-day grace period for backups. The processing is necessary to provide the SponsorBoard service: storing sponsor records, sending invite emails, rendering sponsor-facing dashboards, and generating reports.

Categories of personal data

Sponsor contact name, email address, employer/brand affiliation, deal-terms metadata the Controller chooses to record (mention type, amount, notes), and any communications routed through SponsorBoard (e.g. invite emails). Controllers should not upload sensitive categories of data (health, biometric, etc.); SponsorBoard is not designed for that and we will not knowingly process it.

Categories of data subjects

Individuals representing the Controller's sponsors or prospective sponsors.

Processor obligations

SponsorBoard will: (a) only process the data on documented instructions from the Controller, including those given through the platform's normal use; (b) ensure people who can access the data are bound by confidentiality; (c) take appropriate technical and organisational measures (encryption at rest, RLS-scoped queries, principle of least privilege for staff access); (d) not engage a new sub-processor without giving the Controller advance notice and a chance to object; (e) help the Controller respond to data-subject requests; (f) notify the Controller without undue delay of any personal-data breach; (g) on request, delete or return all personal data when the agreement ends.

Sub-processors

SponsorBoard relies on the sub-processors listed in the Privacy Policy (Vercel, Supabase, Resend, PostHog, Anthropic). We'll post a material change to that list at least 30 days before it takes effect; Controllers who reasonably object can terminate the affected workflow without penalty.

Aggregated and anonymized data

SponsorBoard may compute aggregated, de-identified statistics across all Controllers' data — for example median deal sizes by niche, rate benchmarks by channel size, performance trends — and use those aggregates to power product features (such as fair-rate recommendations shown to other Controllers, or a public pricing calculator), and for SponsorBoard's own product marketing. Aggregates are constructed so that no individual Controller, sponsor, or deal can be re-identified, and aggregates derived from cohorts too small to be meaningfully anonymous are suppressed rather than published. The Controller's individual sponsor records, deal terms, and contact lists are not disclosed to other Controllers or third parties through these aggregates.

Introductions and contact-sharing (planned, opt-in only)

If SponsorBoard introduces functionality to broker introductions between creators and sponsors, the Processor will not disclose the Controller's sponsor contact details to any other Controller unless (a) the data subject (the sponsor contact) has affirmatively opted in to receive such introductions, and (b) the Controller has affirmatively opted in to share. Both consents are off by default and revocable at any time. Absent both, sponsor contact details remain accessible only to the Controller that uploaded them and to the Processor for the purpose of providing the service.

International transfers

Most sub-processors are based in the United States. For transfers out of the EEA / UK, SponsorBoard relies on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable). We're evaluating EU-region hosting options as the platform grows.

Data subject rights

The Controller is responsible for handling data-subject requests from their own sponsors. SponsorBoard will provide reasonable assistance — including direct deletion of records on request from the Controller, or, where a sponsor contacts us directly, forwarding the request to the Controller and acting on the resulting instruction.

Liability and conflict

Liability under this DPA tracks the liability cap in the main SponsorBoard terms of service. If anything in this DPA conflicts with the main agreement, this DPA wins for matters of data protection only.

Contact

Email hello@sponsorboard.io for DPA questions or to file a complaint.