
Data Processing Addendum

Last Updated: October 12, 2025

This Data Processing Addendum ("DPA") forms part of and is subject to the Zyro Terms of Service or other written agreement between you and Zyro governing your use of the Zyro Services (the "Agreement").

If you are located in, or process personal data of individuals located in, jurisdictions with data protection laws (including but not limited to the European Economic Area, the United Kingdom, Australia, Canada, and certain U.S. states), this DPA sets out how Zyro processes such personal data on your behalf.

1. Roles, Scope and Duration

1.1. Roles. For the purposes of this DPA, you (the customer or account holder) act as the "Controller" of Personal Data and Zyro acts as your "Processor" (or equivalent terms under applicable law) when Zyro processes Personal Data on your behalf in connection with providing the Services.

1.2. Scope. This DPA applies to Zyro's processing of Personal Data submitted to the Zyro Services or collected by the Zyro script and integrations as described in the Agreement, the Privacy Policy, and in this DPA.

1.3. Duration. This DPA remains in force for as long as Zyro processes Personal Data on your behalf under the Agreement and will automatically terminate upon deletion of such Personal Data in accordance with this DPA.

2. Definitions

2.1. "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws, that Zyro processes on your behalf in connection with the Services.

2.2. "Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.

2.3. "Sub-processor" means any third party engaged by Zyro to process Personal Data on your behalf in connection with providing the Services.

2.4. "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (where applicable) the EU and UK GDPR, Australian Privacy Act and similar laws.

2.5. "Services" means the Zyro platform and related services described in the Agreement, including analytics, heatmaps, user journeys, conversion tracking, AI Copilots, A/B testing, social scheduling and reporting, and related functionality.

3. Subject Matter and Nature of Processing

3.1. Subject Matter. Zyro processes Personal Data to provide the Services, including:

  • Collecting and analyzing behavior on your sites and apps via the Zyro script (pageviews, events, clicks, scroll depth, funnels, experiments).
  • Ingesting data from connected sources such as Google Search Console, YouTube, and supported social platforms.
  • Generating analytics, reports, insights, recommendations, and AI-generated content (briefs, drafts, social posts, etc.).
  • Providing dashboards, alerts, and automation related to growth and conversion optimization.

3.2. Nature and Purpose. Zyro processes Personal Data solely:

  • To perform the Services and obligations under the Agreement.
  • To provide you with analytics, insights, recommendations, and AI outputs tailored to your properties.
  • To maintain, secure, troubleshoot, and improve the Services.
  • To comply with applicable law and respond to lawful requests.

3.3. Types of Personal Data. Personal Data processed may include:

  • Online identifiers and device information (e.g., IP address, user agent, approximate location, device type).
  • Behavioral and interaction data from your sites (e.g., page URLs, click events, scroll depth, navigation paths, conversions, experiment exposures).
  • Account and user data you provide to Zyro (e.g., team member or client names, email addresses, login information).
  • Data returned from connected services where you authorize access (e.g., query and performance data from GSC, social post stats).

3.4. Data Subjects. Personal Data relates to:

  • Visitors and users of your websites, apps, and digital properties where the Zyro script or Service is deployed.
  • Your staff, contractors, and clients who access or are invited into the Zyro account.

4. Controller Instructions

4.1. Zyro will process Personal Data only on your documented instructions, as set out in the Agreement, this DPA, your normal use and configuration of the Services, and any other written instructions agreed by the parties.

4.2. If Zyro is required by applicable law to process Personal Data beyond your instructions, Zyro will inform you of that legal requirement before processing, unless the law prohibits such notice.

4.3. You are responsible for ensuring that your instructions comply with applicable Data Protection Laws. Zyro will promptly notify you if, in its opinion, an instruction infringes such laws (without providing legal advice).

5. Security

5.1. Zyro will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures take into account the nature of the Processing and the risks to individuals.

5.2. Such measures include, where appropriate:

  • Encryption of Personal Data in transit and at rest where reasonably practicable.
  • Access controls, role-based permissions, and least-privilege access to production systems.
  • Logical separation of customer data and safeguards against unauthorized cross-tenant access.
  • Logging and monitoring of system access and security-relevant events.
  • Regular backups and disaster recovery processes.
  • Security-by-design practices in the development and deployment of the Services.

5.3. You are responsible for using the controls available within the Services (such as role-based user management, project/site separation, and configuration options) to protect Personal Data as appropriate for your use case.

6. Sub-processors

6.1. You authorize Zyro to engage Sub-processors to process Personal Data on your behalf for the purposes of providing the Services. Typical Sub-processors include hosting providers, database and logging services, email and notification providers, and AI infrastructure used to generate outputs.

6.2. Zyro will ensure that any Sub-processor is bound by written agreements requiring data protection obligations no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by the Sub-processor.

6.3. Upon request, Zyro will make available a current list of material Sub-processors used for the Services. Zyro will provide notice (by email, in-app message, or website posting) of any intended addition or replacement of Sub-processors that materially affect Personal Data, providing you an opportunity to object on reasonable data protection grounds.

6.4. If you reasonably object to a new Sub-processor and Zyro cannot reasonably accommodate your objection, you may terminate the affected portion of the Services in accordance with the Agreement.

7. International Transfers

7.1. You acknowledge that Zyro may process Personal Data in countries other than your own, including Australia and other jurisdictions in which Zyro or its Sub-processors operate.

7.2. Where the transfer of Personal Data from your jurisdiction to another country requires additional safeguards under Data Protection Laws (for example, from the EEA or UK to a country lacking an adequacy decision), Zyro will implement appropriate safeguards, such as:

  • Standard contractual clauses (or their successor instruments) as approved or issued by the relevant supervisory authority.
  • Additional technical and organizational measures where appropriate.

7.3. Upon request, Zyro will provide you with information reasonably necessary to demonstrate compliance with applicable data transfer requirements in relation to the Services.

8. Data Subject Requests

8.1. If Zyro receives a request directly from an individual relating to their Personal Data (such as access, correction, deletion, or portability), Zyro will, where the individual appears to be associated with your use of the Services, direct the individual to contact you, unless legally prohibited from doing so.

8.2. Zyro will provide you with reasonable assistance, to the extent possible and at your cost where appropriate, in responding to data subject requests under Data Protection Laws, taking into account the nature of the Processing and the tools available within the Services.

9. Personal Data Breach Notification

9.1. In the event of a confirmed Personal Data Breach affecting Personal Data processed by Zyro on your behalf, Zyro will notify you without undue delay after becoming aware of the breach.

9.2. Such notification will include information reasonably available to Zyro at the time, including:

  • The nature of the breach, including categories and approximate number of affected data subjects and records (where known).
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach and mitigate possible adverse effects.

9.3. You are responsible for determining whether to notify affected individuals and/or regulators and for making such notifications, except where applicable law expressly requires Zyro to notify directly.

10. Audits and Information

10.1. Upon reasonable written request, Zyro will make available to you information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws in relation to Zyro's role as Processor.

10.2. Where Data Protection Laws require, and only to the extent required, you may conduct or mandate an audit of Zyro's relevant data processing activities. Any such audit:

  • Must be subject to reasonable notice, scope, and frequency.
  • Will be conducted during normal business hours and in a manner that does not unreasonably interfere with Zyro's operations.
  • May be satisfied, in whole or in part, by Zyro's provision of independent audit reports, certifications, or summaries where available.

11. Return and Deletion of Data

11.1. Upon termination or expiration of the Agreement, Zyro will delete or anonymize Personal Data processed on your behalf within a reasonable period, subject to any retention requirements under applicable law, backup retention cycles, or legitimate business needs (such as fraud prevention or accounting).

11.2. Where technically feasible and upon your written request made prior to termination, Zyro will provide you with an export of relevant analytics or content data in a commonly used format, in accordance with the functionality of the Services.

12. Customer Responsibilities

12.1. You are responsible for:

  • Providing all necessary notices and obtaining all necessary permissions and consents required under Data Protection Laws for Zyro to process Personal Data as described.
  • Configuring and using the Services in a manner that complies with Data Protection Laws (including, where needed, IP anonymization, masking, or suppression of fields).
  • Maintaining accurate records of your processing activities as required by applicable law.
  • Ensuring that the Personal Data you collect and submit to the Services is limited to what is necessary for the intended purposes.

13. Relationship to the Agreement

13.1. This DPA forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA will prevail to the extent of the conflict with respect to the processing of Personal Data.

13.2. Except as modified by this DPA, the terms of the Agreement remain in full force and effect.

Annex 1 – Details of Processing

A. Categories of Data Subjects

  • Visitors and users of your websites, apps, and digital properties where Zyro is installed.
  • Your employees, contractors, and agents who access the Zyro account.
  • Your clients or customers to the extent their information is processed through your use of the Services.

B. Categories of Personal Data

  • Online identifiers (e.g., IP address, cookie or device identifiers, browser and device information).
  • Usage and interaction data (e.g., URLs visited, events, clicks, scroll depth, conversions, experiment assignments).
  • Account profile data (e.g., names, business emails, roles, and settings for users invited to Zyro).
  • Content-related metadata and configuration data you enter into Zyro (e.g., goals, labels, campaign names, briefs, and notes).

C. Special Categories of Personal Data

Zyro does not require and does not intend to process special categories of Personal Data (such as health, biometric or other sensitive data) on your behalf. You agree not to intentionally submit such data to the Services unless permitted by the Agreement and Data Protection Laws and subject to appropriate safeguards agreed in writing with Zyro.

D. Purpose(s) of Processing

  • Providing analytics, user journey insights, and behavioral reporting.
  • Detecting growth opportunities, ranking changes, and conversion bottlenecks.
  • Powering AI Copilots for SEO, content, social, and conversion optimization, including content generation.
  • Operating A/B and bandit tests and reporting on test outcomes.
  • Providing dashboards, alerts, exports, and related functionality described in the Agreement.

E. Duration of Processing

For the duration of the Agreement and any retention period specified therein, subject to deletion and anonymization in accordance with this DPA.

Annex 2 – Security Measures (Summary)

Zyro maintains technical and organizational measures appropriate to the risk of the Personal Data processed. These measures include, in summary:

  • Access control and authentication for production systems, with least-privilege principles.
  • Encryption of data in transit and at rest where reasonably practicable.
  • Segregation of environments and restricted access to sensitive tooling.
  • Backup, recovery and business continuity planning.
  • Logging and monitoring of access and security-relevant events.
  • Change management and deployment controls for production code.
  • Vulnerability management, including patching and remediation processes.
  • Employee confidentiality obligations and security awareness practices.

More detailed information about Zyro's security practices may be made available upon request, subject to reasonable confidentiality obligations.

© 2025 Zyro. All rights reserved.
