The Punisher LogoPunisherBack to Home

Data Processing Addendum (DPA)

Last updated: May 11, 2026

1. Scope

This Data Processing Addendum ("DPA") applies to the extent The Punisher processes personal data on behalf of a customer in connection with providing the Service.

1.1 Compliance

This DPA is intended to support compliance with applicable data protection laws, including the GDPR and relevant Spanish data protection requirements, and (where applicable) US privacy obligations.

2. Roles

  • Customer: data controller (or business) for customer-provided data.
  • The Punisher: data processor (or service provider) for customer-provided data.

3. Processing Details

Typical categories of data and processing may include:

  • Account identifiers such as email and authentication claims.
  • Design data retrieved from Figma with explicit user consent.
  • Screenshots/captures from Edge or Safari sessions with explicit user consent.
  • Usage metrics necessary to enforce plan execution limits.
  • Email addresses used to deliver service notifications, product updates, and marketing communications (with opt-out available for non-essential emails).
  • Atlassian OAuth tokens and Jira integration data: when the user connects their Atlassian account, we process a scoped OAuth 2.0 access token (read:jira-work, write:jira-work) to create Jira issues at the user's direction. Tokens are stored securely and used solely for the authorized purpose. Jira project/issue metadata (e.g., project key, issue summary, description) is processed transiently to fulfill the request.

4. Security Measures

We maintain reasonable technical and organizational measures designed to protect personal data, including encryption in transit and access controls.

5. Subprocessors

We may use subprocessors such as:

  • Stripe (payments and billing portal).
  • Cloud infrastructure providers used to host the Service.
  • Figma API services used at the direction of the customer/user.
  • Atlassian (Jira) — used at the direction of the customer/user to create and manage Jira issues. Atlassian processes OAuth tokens and issue data under their own privacy policy and DPA. See our Subprocessors page for the full list.

6. Data Subject Requests

Customers are responsible for responding to data subject requests. We will provide reasonable assistance where required by law and technically feasible.

7. Contact

Operator: PunisherLabsES (V. B. Badiuc). Address: Spain, Málaga, San Andrés 5.

For any questions (support, legal, privacy, security, billing): [email protected]