1. Scope

This Data Processing Addendum ("DPA") applies to the extent The Punisher processes personal data on behalf of a customer in connection with providing the Service.

1.1 Compliance

This DPA is intended to support compliance with applicable data protection laws, including the GDPR and relevant Spanish data protection requirements, and (where applicable) US privacy obligations.

2. Roles

• Customer: data controller (or business) for customer-provided data.
• The Punisher: data processor (or service provider) for customer-provided data.

3. Processing Details

Typical categories of data and processing may include:

• Account identifiers such as email and authentication claims.
• Design data retrieved from Figma with explicit user consent.
• Screenshots/captures from Edge or Safari sessions with explicit user consent.
• Usage metrics necessary to enforce plan execution limits.
• Email addresses used to deliver service notifications, product updates, and marketing communications (with opt-out available for non-essential emails).

4. Security Measures

We maintain reasonable technical and organizational measures designed to protect personal data, including encryption in transit and access controls.

5. Subprocessors

We may use subprocessors such as:

• Stripe (payments and billing portal).
• Cloud infrastructure providers used to host the Service.
• Figma API services used at the direction of the customer/user.

6. Data Subject Requests

Customers are responsible for responding to data subject requests. We will provide reasonable assistance where required by law and technically feasible.

7. Contact

Operator: PunisherLabsES (V. B. Badiuc). Address: Spain, Málaga, San Andrés 5.

For any questions (support, legal, privacy, security, billing): [email protected]