Data processing terms
Binding processor terms under Art. 28 GDPR between you and Reamber GmbH for form submissions collected on your published pages. They are part of the Terms of service.
1. Scope and parties
These data processing terms apply automatically to every user whose published page collects form submissions through the yapp.page form-capture feature. No signature or separate acceptance is needed: they are incorporated into the Terms of service and take effect the moment a page you control captures its first submission.
For the personal data your visitors submit through such forms, you are the controller (Art. 4(7) GDPR) and Reamber GmbH, Barbara-Prammer-Allee 15/2/40, 1220 Vienna, Austria, FN 563424s (Handelsgericht Wien), is your processor (Art. 4(8), Art. 28 GDPR). If you need a countersigned copy of these terms for your records, email [email protected].
2. Subject matter and details of processing
- Subject matter
- Receiving, storing and displaying form submissions made by visitors of your published pages.
- Nature and purpose
- Storage in a database and delivery to you in the dashboard Messages view, including export and deletion on your instruction. We do not use submission data for any other purpose.
- Duration
- For as long as the page exists and you keep the submissions, at the latest until the page or your account is deleted or the page expires.
- Types of personal data
- Whatever fields your form collects (for example name, email address, message text). We do not store your visitors' IP addresses, user-agent strings or referrer headers with submissions; only the form payload is kept.
- Categories of data subjects
- Visitors of your published pages who submit a form.
3. Processing on your documented instructions
We process submission data only on your documented instructions (Art. 28(3)(a) GDPR). Your instructions are given through the service itself: publishing or removing a page with a form, deleting individual or all submissions, exporting them, and setting a retention period in the Messages view. We will not process the data for our own purposes. If we believe an instruction infringes the GDPR or other EU or Austrian data protection law, we will tell you immediately, before proceeding.
4. Confidentiality
Only persons who need access to operate the service are authorised to process submission data, and each of them is bound by a contractual or statutory duty of confidentiality (Art. 28(3)(b) GDPR).
5. Security measures
We implement the technical and organisational measures required by Art. 32 GDPR (Art. 28(3)(c)), appropriate to the risk of the processing described above. They currently include:
- Encryption in transit (TLS) for every page, form submission and dashboard request
- Storage in EU data centres (Hetzner, Germany) with a Data Processing Agreement in place
- Access control: submissions are visible only to the page owner in the dashboard; administrative access is limited to authorised personnel
- Isolation of every published page on its own origin, so one page cannot read another page's data
- Size limits per submission (16 KB) and a cap of 200 stored submissions per page, which bounds the data held
- Deletion tooling: per-submission delete, bulk delete and automatic retention periods you control
6. Sub-processors
You grant a general written authorisation (Art. 28(2) GDPR) for the sub-processors listed below. They process submission data only to the extent described:
| Sub-processor | Role for submission data | Location & safeguards |
|---|---|---|
| Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Server hosting and PostgreSQL database where submissions are stored | EU (Falkenstein / Nuremberg). Data Processing Agreement per Art. 28 GDPR in place. |
| Cloudflare, Inc., 101 Townsend St, San Francisco, CA, USA | CDN and TLS termination; submission data passes through Cloudflare in transit only | Global network, EU traffic preferentially routed via EU PoPs. Transfers safeguarded by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and Cloudflare's certification under the EU–U.S. Data Privacy Framework (Art. 45 GDPR). |
Before a new sub-processor processes submission data, or an existing one is replaced, we will notify the email address of your account at least 14 days in advance. If you object, you may delete the affected pages or your account before the change takes effect; continued use after that date counts as acceptance. Each sub-processor is bound by a contract imposing the same data protection obligations as these terms (Art. 28(4) GDPR).
Our other service providers (Google for sign-in, Paddle for payments, Resend for transactional email) do not process your visitors' form submissions and are therefore not sub-processors under these terms; they are listed in the Privacy policy.
7. Assistance with data subject rights
Taking into account the nature of the processing, we assist you in responding to data subject requests (Art. 28(3)(e) GDPR) primarily through the tooling built into the dashboard Messages view: per-submission and bulk deletion (Art. 17), CSV and JSON export for access and portability requests (Art. 15, Art. 20), and a per-page automatic retention setting (Art. 5(1)(e)). If a request cannot be handled with that tooling, contact [email protected] and we will provide reasonable assistance.
8. Personal data breaches
If we become aware of a personal data breach affecting your submission data, we will notify you without undue delay (Art. 33(2) GDPR) at the email address of your account, and will provide the information reasonably needed for your own notification duties under Art. 33 and Art. 34 GDPR, in phases if not everything is known at once. Assessing the risk and notifying the supervisory authority or the data subjects remains your responsibility as controller.
9. Impact assessments and consultations
We provide reasonable assistance with data protection impact assessments (Art. 35 GDPR) and prior consultations (Art. 36 GDPR) insofar as they relate to the processing described here and the necessary information is available to us (Art. 28(3)(f) GDPR).
10. Deletion and return
Submission data is deleted when you delete individual submissions, when a retention period you set expires, when you delete the page, when the page expires, or when your account is closed (Art. 28(3)(g) GDPR). You can export all submissions as CSV or JSON at any time before deletion. After deletion the data cannot be recovered; backups roll off on a fixed schedule.
11. Audit and information
On request we will make available the information necessary to demonstrate compliance with Art. 28 GDPR (Art. 28(3)(h)). We support audits, including inspections, conducted by you or an auditor you mandate: audits require 30 days written notice to [email protected], take place at most once per calendar year during business hours, must not disturb operations disproportionately, and are at your cost. Where a recognised audit report or documentation covering the relevant controls exists, the audit right may be satisfied by providing it.
12. International transfers
Submission data is stored in the EU. Transit through Cloudflare's network can involve transfers to the USA, safeguarded as set out in section 6. We will not transfer submission data to a third country beyond that without ensuring a valid transfer mechanism under Chapter V GDPR.
13. Precedence, term and changes
For the processing of form submissions these terms prevail over the Terms of service in case of conflict. They apply for as long as we process submission data for you and end automatically when that processing ends. We may update these terms; material changes will be announced on this page and by email at least 30 days before they take effect, and the version date below always identifies the current text. Liability follows the Terms of service to the extent permitted by Art. 82 GDPR.
Last updated: