
DATA PROCESSING AGREEMENT

Last updated April 15, 2026
This Data Processing Agreement ('DPA') forms part of the Terms and Conditions ('Agreement') between SubDownload.com ('Processor', 'we', 'us', or 'our') and you ('Controller', 'you', or 'your') for the use of our services at https://subdownload.com and our API at https://api.subdownload.com (collectively, the 'Services').
This DPA applies where and only to the extent that we process personal data on your behalf as a data processor in the course of providing the Services, and such personal data is subject to data protection laws including the EU General Data Protection Regulation ('GDPR'), the UK GDPR, the California Consumer Privacy Act ('CCPA'), or other applicable privacy regulations.
By using our Services, you agree to the terms of this DPA. If you are entering into this DPA on behalf of an organisation, you represent that you have the authority to bind that organisation to this DPA.

TABLE OF CONTENTS

  1. Definitions
  2. Scope and Purpose of Processing
  3. Processor Obligations
  4. Controller Obligations
  5. Data Subject Rights
  6. Sub-Processors
  7. Security Measures
  8. Data Breach Notification
  9. International Data Transfers
  10. Data Retention and Deletion
  11. Audit Rights
  12. Limitation of Liability
  13. Term and Termination
  14. Contact Us

1. DEFINITIONS

In this DPA, the following terms have the meanings set out below:
  • 'Personal Data' means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the Services.
  • 'Processing' means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
  • 'Controller' means you, the entity that determines the purposes and means of the Processing of Personal Data.
  • 'Processor' means SubDownload.com, which processes Personal Data on behalf of the Controller.
  • 'Sub-Processor' means any third party engaged by the Processor to assist in Processing Personal Data.
  • 'Data Subject' means the identified or identifiable natural person to whom the Personal Data relates.
  • 'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. SCOPE AND PURPOSE OF PROCESSING

2.1 Nature of the Services. SubDownload.com provides YouTube transcript retrieval and download services, including a web interface and a REST API. In providing these Services, we may process certain Personal Data on your behalf.
2.2 Categories of Data Subjects. The Personal Data processed relates to the following categories of Data Subjects:
  • Your end users who access the Services through your integration
  • Your account users and API token holders
2.3 Types of Personal Data Processed. The following types of Personal Data may be processed:
  • IP addresses
  • Email addresses (when authenticated via Google Sign-In)
  • Google account profile information (name, profile picture)
  • API usage logs (video IDs requested, timestamps, request metadata)
  • Browser user agent strings
  • Page view and referrer data
2.4 Purpose of Processing. We process Personal Data solely for the following purposes:
  • Providing and operating the transcript retrieval Services
  • Authenticating users and managing accounts
  • Enforcing usage quotas and billing
  • Maintaining service security and preventing abuse
  • Generating aggregated, non-identifying analytics
2.5 Duration of Processing. We process Personal Data for the duration of the Agreement, unless otherwise required by applicable law.

3. PROCESSOR OBLIGATIONS

We shall:
  • Process Personal Data only on your documented instructions, unless required to do so by applicable law. In such a case, we shall inform you of that legal requirement before processing, unless prohibited by law.
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational measures to protect Personal Data, as described in Section 7.
  • Assist you, taking into account the nature of processing, in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
  • Assist you in ensuring compliance with your obligations regarding security of processing, notification of Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities.
  • At your choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 11.
  • Immediately inform you if, in our opinion, an instruction from you infringes applicable data protection laws.

4. CONTROLLER OBLIGATIONS

You shall:
  • Ensure that you have a valid legal basis for the processing of Personal Data and that any necessary consents or notices have been obtained or provided to Data Subjects.
  • Provide us with documented processing instructions and promptly notify us of any changes to such instructions.
  • Ensure that the Personal Data you provide to us for processing is accurate and up to date.
  • Be responsible for the security of your account credentials, API tokens, and any access you grant to third parties.

5. DATA SUBJECT RIGHTS

5.1 We shall, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to exercise their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, data portability, and objection).
5.2 We shall provide reasonable assistance to you in fulfilling your obligation to respond to Data Subject requests, taking into account the nature of the processing.
5.3 Data Subjects and users may exercise their rights directly by visiting subdownload.com/dsar or by contacting us at contact@subdownload.com.

6. SUB-PROCESSORS

6.1 Authorised Sub-Processors. You provide general written authorisation for us to engage Sub-Processors. We currently use the following Sub-Processors:
Sub-Processor            | Purpose                       | Location
Google OAuth             | User authentication           | United States
PostgreSQL (self-hosted) | Data storage                  | United States
Cloudflare               | CDN, DNS, and DDoS protection | Global
Dodo Payments            | Payment processing            | United States
6.2 Notification of Changes. We shall notify you of any intended changes to the Sub-Processors by updating this DPA. You may object to such changes within 14 days of being notified. If you object and we cannot reasonably accommodate your objection, either party may terminate the Agreement.
6.3 Sub-Processor Obligations. We shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.

7. SECURITY MEASURES

We implement and maintain appropriate technical and organisational security measures to protect Personal Data, including:
  • Encryption in transit — All data is transmitted over TLS/HTTPS.
  • Authentication and access control — JWT-based authentication, API key management with hashed token storage, and role-based admin access.
  • Database security — Encrypted connections to PostgreSQL, parameterised queries to prevent SQL injection.
  • Rate limiting and abuse prevention — IP-based quota enforcement, bot detection, and cooldown mechanisms.
  • Data minimisation — We only collect data necessary to provide the Services. Traffic logs are automatically purged after 7 days.
  • Infrastructure security — Cloudflare DDoS protection, firewall rules, and regular security updates.
  • Soft deletion — User account deletion is reversible (soft delete) to prevent accidental data loss, with permanent deletion available upon request.

8. DATA BREACH NOTIFICATION

8.1 We shall notify you without undue delay (and in any event within 72 hours) after becoming aware of a Data Breach affecting Personal Data processed on your behalf.
8.2 Such notification shall include, to the extent available:
  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of our point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
8.3 We shall cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of each Data Breach.

9. INTERNATIONAL DATA TRANSFERS

9.1 Personal Data may be processed in the United States, where our servers are located. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that appropriate safeguards are in place for any transfer of Personal Data outside these regions.
9.2 Where required, we rely on the following transfer mechanisms:
  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK International Data Transfer Agreement or Addendum, where applicable
  • Any other valid transfer mechanism under applicable data protection law
9.3 You may request a copy of the applicable transfer mechanism by contacting us at contact@subdownload.com.

10. DATA RETENTION AND DELETION

10.1 We retain Personal Data only for as long as necessary to fulfil the purposes of processing, unless a longer retention period is required by law.
10.2 Specific retention periods:
  • Traffic logs — Automatically deleted after 7 days
  • Usage logs — Retained for the duration of your account for billing and audit purposes
  • Account data — Retained until account deletion is requested
  • Page view data — Retained in aggregated form for analytics
  • IP usage records — Used for quota enforcement only, not linked to personal identity
10.3 Upon termination of the Agreement, or upon your request, we shall delete or return all Personal Data within 30 days, except where retention is required by applicable law.
10.4 You may request deletion of your data at any time by visiting subdownload.com/dsar or by contacting us at contact@subdownload.com.

11. AUDIT RIGHTS

11.1 We shall make available to you, on request, all information reasonably necessary to demonstrate compliance with this DPA.
11.2 You may conduct an audit (or appoint a qualified third-party auditor) to verify our compliance with this DPA, subject to the following conditions:
  • You must provide at least 30 days' written notice
  • Audits shall be conducted during normal business hours
  • Audits shall not unreasonably interfere with our business operations
  • You shall bear the costs of any audit
  • Audit frequency shall be limited to once per calendar year, unless a Data Breach has occurred or a supervisory authority requires an additional audit

12. LIMITATION OF LIABILITY

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of applicable data protection law to the extent such limitation is not permitted by law.

13. TERM AND TERMINATION

13.1 This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination of the Agreement.
13.2 Sections 7 (Security Measures), 8 (Data Breach Notification), 10 (Data Retention and Deletion), and 11 (Audit Rights) shall survive termination of this DPA.
13.3 Upon termination, we shall comply with Section 10.3 regarding deletion or return of Personal Data.

14. CONTACT US

If you have any questions about this DPA, or if you would like to exercise any of your rights, you may contact us:
  • By email: contact@subdownload.com
  • By visiting our data request page: subdownload.com/dsar

SubDownload is an independent tool and is not affiliated with YouTube or Google.
