1. Introduction
This Data Processing Addendum ("DPA") is supplemental to, and made pursuant to, the Terms of Service by and between Playpen Games, Inc., doing business as "Built by Foundry" ("Foundry"), and Creator. This DPA applies to Foundry's Processing of Personal Data under the Terms of Service and Creator Partnership Program Agreement between Foundry and Creator (together, the "Agreement") for Foundry's provision of the Services.
Creator enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates.
This DPA becomes legally binding upon Creator entering into the Agreement.
2. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement.
2.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where "control" means direct or indirect ownership of more than 50% of the voting interest.
2.2 "Applicable Data Protection Laws" means all privacy, data protection, and information security laws and regulations applicable to a party's Processing of Personal Data, including (where applicable) the CCPA, GDPR, UK GDPR, and Swiss Federal Act on Data Protection.
2.3 "End User Data" means the Personal Data of End Users that Foundry Processes on behalf of Creator through the operation of the App, including subscription events, usage data, device information, and any other data collected through the App.
2.4 "Service-Generated Data" means usage data, metadata, Performance Data, and analytics generated through the use of the Services, including data processed by Foundry's AI and machine-learning systems for Automated Optimization. This DPA applies to Service-Generated Data to the extent it constitutes Personal Data.
2.5 "Personal Data" means "personal data," "personal information," "personally identifiable information," or similar terms as defined in and governed by Applicable Data Protection Laws.
2.6 "Processing" or "Process" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
2.7 "Security Incident" means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data being Processed by Foundry. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
2.8 "Subprocessor" means any third party authorized by Foundry to Process Personal Data, including AI and machine-learning service providers.
3. General
3.1 This DPA forms part of the Agreement and except as expressly set forth herein, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern with respect to data protection matters.
3.2 Any liabilities arising under this DPA are subject to the limitations of liability in the Agreement.
3.3 This DPA will be governed by the governing law provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
3.4 This DPA will remain in effect until, and automatically terminate upon, deletion of Personal Data or expiration or termination of the Agreement.
4. Relationship of the Parties
4.1 Foundry as Processor
The parties acknowledge and agree that with regard to the Processing of End User Data, Creator may act as a controller or processor and Foundry is a processor. Foundry will Process End User Data in accordance with Creator's instructions as outlined in Section 6.
4.2 Foundry as Controller
To the extent that any Service-Generated Data is considered Personal Data, and as to Creator's account information, payment information, and other data Foundry collects directly from Creator, Foundry is the controller and will Process such data in accordance with its Privacy Notice.
4.3 AI Processing
Creator acknowledges that Foundry's AI and machine-learning systems Process End User Data and Service-Generated Data as part of Automated Optimization. Such Processing is conducted by Foundry as a processor (for End User Data) and as a controller (for Service-Generated Data) in accordance with this DPA and the Privacy Notice. Foundry's third-party AI providers are Subprocessors and are contractually bound to use data only for providing the requested services and are prohibited from using it to train their own general-purpose models.
5. Compliance with Law
Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data.
6. Role and Scope of Processing
6.1 Creator Responsibilities
Creator is solely responsible for obtaining and maintaining all necessary consents prior to providing content, brand materials, or other data to Foundry. Creator has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and permissions necessary under Applicable Data Protection Laws for Foundry to lawfully Process data for the purposes contemplated by the Agreement, including for Automated Optimization.
6.2 Creator Instructions
Foundry will Process End User Data only in accordance with Creator's documented lawful instructions, except where required by Applicable Data Protection Laws or where Foundry believes Creator's instructions violate Applicable Data Protection Laws (in which case Foundry will notify Creator). By entering into the Agreement, Creator instructs Foundry to Process End User Data to: (a) provide the Services, including building, publishing, operating, and optimizing the App; (b) perform Automated Optimization as described in the Agreement; (c) perform Foundry's legal obligations and defend legal claims; and (d) any other written instructions acknowledged by Foundry.
7. Subprocessing
7.1 Creator specifically authorizes Foundry to use its Affiliates as Subprocessors, and generally authorizes Foundry to engage Subprocessors (including third-party AI providers) to Process End User Data. Foundry will: (a) enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA; and (b) remain liable for compliance with this DPA and for any acts or omissions of a Subprocessor that cause Foundry to breach its obligations.
7.2 A list of Foundry's current Subprocessors, including their functions and locations, will be available at builtbyfoundry.io/policies/subprocessors and may be updated from time to time.
7.3 If Foundry appoints new Subprocessors or makes changes concerning the addition or replacement of Subprocessors, such changes will be posted to the Subprocessor page. Creator will have seven (7) calendar days from the date of the update to object. If Creator objects to a Subprocessor appointment, Creator may, as its sole and exclusive remedy, terminate the Agreement for convenience.
8. Security
8.1 Security Measures
Foundry will implement and maintain technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of Personal Data ("Security Measures"), as described in Schedule 2.
8.2 Creator Responsibility
Creator is responsible for: (a) reviewing the information made available by Foundry relating to data security and making an independent determination as to whether the Services meet Creator's requirements under Applicable Data Protection Laws; (b) securing account authentication credentials and devices used to access the Services; and (c) maintaining backups of Creator-provided content.
8.3 Security Incident
Upon becoming aware of a confirmed Security Incident, Foundry will notify Creator without undue delay unless prohibited by applicable law. Such notice will describe, to the extent possible, the details of the Security Incident and the steps taken to mitigate potential risks. Creator is solely responsible for complying with Security Incident notification laws applicable to Creator and fulfilling any third-party notification obligations. Foundry's notification of a Security Incident will not be construed as an acknowledgement of fault or liability.
9. Audits and Compliance
The parties acknowledge that Creator must be able to assess Foundry's compliance with this DPA insofar as Foundry is acting as a processor. Foundry uses internal and external auditors to verify the adequacy of its security measures. In the event Applicable Data Protection Laws require an audit, Foundry will work with Creator in good faith, subject to reasonable confidentiality controls, to comply with legally compelled audit requirements. If Foundry is unable to comply with an audit requirement, Creator may, as its sole and exclusive remedy, terminate the Agreement for convenience.
10. Impact Assessments
Foundry will provide reasonable cooperation to Creator in connection with any data protection impact assessment or consultations with regulatory authorities that may be required under Applicable Data Protection Laws, at Creator's expense if such cooperation requires significant resources.
11. Data Subject Requests
Foundry will, upon Creator's request and at Creator's expense, provide Creator with reasonable assistance to comply with obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights (such as rights of access, rectification, erasure, restriction, portability, and objection) where Creator cannot reasonably fulfill such requests independently. If Foundry receives a request from a Data Subject relating to their Personal Data, Foundry will advise the Data Subject to submit their request to Creator, and Creator will be responsible for responding.
12. Return or Deletion of Personal Data
12.1 Upon termination of the Agreement, Foundry will initiate its purge process to delete or anonymize Personal Data within a commercially reasonable timeframe. Creator may request, within sixty (60) days of termination, that Foundry return such Personal Data. Termination of the Agreement serves as an instruction for Foundry to delete all End User Data within a commercially reasonable timeframe.
12.2 Notwithstanding the foregoing, Foundry may retain Personal Data if required by law, and such data will remain subject to this DPA.
13. International Provisions
13.1 Processing in the United States
Creator acknowledges that Foundry's primary processing facilities are in the United States. Foundry may transfer and Process data in the United States and anywhere else where Foundry and its Subprocessors maintain data processing operations. Foundry will ensure such transfers comply with Applicable Data Protection Laws and this DPA.
13.2 Cross-Border Transfer Mechanism
To the extent that Creator's use of the Services requires a transfer mechanism to lawfully transfer Personal Data from a jurisdiction (such as the EEA, UK, or Switzerland) to Foundry in the United States, the terms of Schedule 3 (Cross-Border Transfer Mechanisms) will apply.
13.3 Jurisdiction-Specific Terms
To the extent Foundry Processes Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 4, the jurisdiction-specific terms therein will apply in addition to this DPA.
Schedule 1: Subject Matter and Details of Processing
1. Nature and Purpose of Processing
Foundry will Process Personal Data as necessary to provide the Services under the Agreement, including building, publishing, operating, and optimizing Apps on behalf of Creators. Foundry does not sell Personal Data and does not share end-user information with third parties for those third parties' own business interests.
(a) End User Data. Foundry will Process End User Data as a processor in accordance with Creator's instructions as outlined in Section 6 of this DPA.
(b) Service-Generated Data. Foundry will Process Service-Generated Data as a controller for operating, improving, and optimizing the Services, powering Automated Optimization, and for other lawful business purposes such as analytics, benchmarking, and reporting.
2. Processing Activities
(a) End User Data: Provision of App-related services, subscription management, payment processing, push notifications, analytics, and Automated Optimization (pricing experimentation, onboarding refinement, conversion testing, feature development, performance monitoring, and audience engagement analysis).
(b) Service-Generated Data: Operating and improving the Platform, powering AI and machine-learning systems, providing analytics and reporting to Creators, and benchmarking across the portfolio in aggregated and de-identified form.
3. Duration of Processing
(a) End User Data: For the duration of the Agreement, until Creator elects to delete such data or until termination, at which point Foundry will delete or anonymize within a commercially reasonable timeframe.
(b) Service-Generated Data: Foundry may retain, use, and disclose Service-Generated Data after termination for the purposes set forth above, subject to confidentiality obligations. Foundry will anonymize or delete Personal Data within Service-Generated Data when no longer required.
4. Categories of Data Subjects
(a) End User Data: End Users who download, install, or use Apps built through the Platform.
(b) Service-Generated Data: Creators with Platform accounts and End Users.
5. Categories of Personal Data
(a) End User Data: Device identifiers, IP addresses, subscription and transaction data, usage and engagement data, session data, and any other data collected through the App as determined by its functionality.
(b) Service-Generated Data: Name, email address, account preferences, payment information, Performance Data, and content of communications with Foundry.
6. Sensitive Data
Creators are prohibited from directing Foundry to collect sensitive data or special categories of data through Apps unless expressly agreed in writing. Service-Generated Data does not contain sensitive data.
Schedule 2: Technical and Organizational Security Measures
1. Encryption. Personal Data is encrypted in transit and at rest.
2. Access Controls. Role-based access controls restrict access to Personal Data based on job function and business need. Unique credentials are required. Access is promptly removed upon role change or termination.
3. Confidentiality. Foundry's agreements contain strict confidentiality obligations. Subprocessors are required to sign confidentiality provisions substantially similar to those in Foundry's agreements.
4. Availability and Resilience. Backups are maintained within encrypted environments. Best practices are employed for resiliency and recovery. Recovery tests are conducted at least annually.
5. Monitoring and Logging. Foundry monitors access to applications and resources that process or store Personal Data, including user activity, administrator activity, and network activity. Logs are centrally managed and preserved in accordance with regulatory requirements.
6. Physical Security. Foundry uses certified data centers that meet ISO 27001, PCI DSS, and SOC 2 requirements. Physical controls include 24/7 monitoring, surveillance, visitor logs, and stringent entry requirements.
7. Secure Development. Development teams employ secure coding practices focused on mitigating OWASP Top Ten risks. All changes are peer-reviewed prior to deployment. Development, testing, and production environments are logically segmented.
8. AI System Security. Foundry implements security controls specific to its AI and machine-learning systems, including access restrictions on model endpoints, input validation and prompt safety mechanisms, monitoring for adversarial inputs, and contractual prohibitions on third-party AI providers using Foundry data for general-purpose model training.
9. Assessments. Foundry conducts internal and external assessments to verify effectiveness of technical and organizational measures.
10. Data Minimization and Retention. Foundry processes only the data necessary to provide the Services. Data is retained only as long as required for the purposes described in this DPA and in compliance with Applicable Data Protection Laws.
11. Subprocessor Controls. When Foundry engages a Subprocessor, the Subprocessor must: (a) protect Personal Data to the standard required by Applicable Data Protection Laws; (b) notify Foundry of Security Incidents; (c) delete data when instructed; (d) not engage additional subprocessors without authorization; and (e) not process data in a manner that conflicts with Creator's instructions to Foundry.
Schedule 3: Cross-Border Data Transfer Mechanisms
1. "Standard Contractual Clauses" means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.
2. For data transfers from the EEA, UK, and Switzerland that are subject to the Standard Contractual Clauses, the following modules apply:
(a) Module One (Controller to Controller) applies where Creator is a controller of Service-Generated Data and Foundry is a controller of Service-Generated Data.
(b) Module Two (Controller to Processor) applies where Creator is a controller of End User Data and Foundry is a processor of End User Data.
(c) Module Three (Processor to Processor) applies where Creator is a processor of End User Data and Foundry is a sub-processor of End User Data.
3. For each Module, where applicable:
(i) In Clause 7, the optional docking clause will not apply.
(ii) In Clause 9, Option 2 will apply. The time period for prior notice of Subprocessor changes is set forth in Section 7.3 of this DPA.
(iii) In Clause 11, the optional language will not apply.
(iv) In Clause 17 (Option 1), the Standard Contractual Clauses will be governed by Irish law.
(v) In Clause 18(b), disputes will be resolved before the courts of Ireland.
(vi) In Annex I, Part A: Data Exporter is Creator; Data Importer is Foundry (privacy@builtbyfoundry.io). By entering into the Agreement, both parties are deemed to have signed the Standard Contractual Clauses as of the Effective Date.
(vii) In Annex I, Part B: The categories of data subjects, personal data, sensitive data, frequency, nature, purpose, and period of processing are as described in Schedule 1.
(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Schedule 2 of this DPA serves as Annex II of the Standard Contractual Clauses.
4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, the Standard Contractual Clauses will prevail.
Schedule 4: Jurisdiction-Specific Terms
1. California
(a) "Applicable Data Protection Laws" includes the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA").
(b) With respect to End User Data, Foundry is a "service provider" under the CCPA.
(c) Foundry will not: (i) sell Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than providing the Services; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Foundry and Creator.
(d) The parties acknowledge that Foundry's access to End User Data does not constitute part of the consideration exchanged by the parties under the Agreement.
(e) To the extent Service-Generated Data is considered Personal Data, Foundry is the "business" with respect to such data and will Process it in accordance with its Privacy Notice.
2. European Economic Area
(a) "Applicable Data Protection Laws" includes the General Data Protection Regulation (EU 2016/679) ("GDPR").
(b) When Foundry engages a Subprocessor, it will: (i) require the Subprocessor to protect Personal Data to the standard required by the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures; and (ii) require the Subprocessor to process data only in a country with an adequate level of protection or on terms equivalent to the Standard Contractual Clauses.
(c) Neither party will be responsible for GDPR fines issued against the other party by a regulatory authority in connection with the other party's violation of the GDPR.
3. Switzerland
(a) "Applicable Data Protection Laws" includes the Swiss Federal Act on Data Protection.
(b) Subprocessor obligations mirror those set forth in Section 2 (EEA) above.
4. United Kingdom
(a) References to GDPR in this DPA are deemed to include the UK GDPR and Data Protection Act 2018.
(b) Subprocessor obligations mirror those set forth in Section 2 (EEA) above.
Playpen Games, Inc. d/b/a Built by Foundry
2261 Market Street STE 86046, San Francisco, CA 94114
privacy@builtbyfoundry.io