Last updated: 2026-07-08 · Operator: Light Nova Design Co., Ltd., trading as topadroi
This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Light Nova Design Co., Ltd., trading as topadroi ("topadroi", "Processor") and applies to Processing of Personal Data on the Controller's behalf.
The Controller determines the purposes and means of Processing. topadroi acts as Processor and Processes Personal Data only on the Controller's documented instructions (these Terms + the Controller's configuration). Where Customer Data is forwarded to a third-party advertising/analytics platform the Controller configures, that platform generally acts as an independent controller or separate processor; the Controller is responsible for its lawful basis with that platform.
Nature/purpose: server-side collection and forwarding of app/web events for conversion measurement and analytics, as instructed by the Controller. The events are full-funnel — they may include the complete sequence of interactions the Controller elects to measure (e.g. page views, content/product views, add-to-cart, checkout, purchases/conversions, and custom events), not only final conversions; the Controller configures, per site, which events are forwarded and to which platforms. Duration: the term of the Service plus the retention period in §7. Data subjects: the Controller's End Users. Categories: online identifiers (app-scoped IDs; IDFA/IDFV/GAID where enabled and consent exists), device/technical data, event and product-interaction data across the full funnel, and any identifiers (e.g. email/phone) the Controller chooses to include; personal identifiers are minimised by SHA-256 hashing on receipt before forwarding. Consent controls: topadroi provides a server-side consent control by which the Controller may instruct topadroi to honour end-user consent signals (Google Consent Mode v2, IAB TCF, CCPA "Do Not Sell"); where a purpose is denied, topadroi skips the relevant platform, strips personal data, and/or applies Limited Data Use. Obtaining and transmitting valid consent remains the Controller's responsibility. Special categories: none permitted (see AUP).
topadroi will: process only on documented instructions (and notify the Controller if an instruction appears to infringe law); ensure authorized persons are bound by confidentiality; implement appropriate technical and organizational security measures (§9); assist the Controller with data-subject requests and with security, breach-notification, and DPIA obligations; notify the Controller without undue delay after becoming aware of a Personal Data Breach; and, at the Controller's choice, delete or return Personal Data at the end of the Service, save as required by law.
The Controller authorizes topadroi to engage sub-processors, including cloud infrastructure providers used to operate the Service and the third-party platforms the Controller configures. topadroi imposes data-protection obligations on sub-processors no less protective than this DPA and remains responsible for their performance. topadroi will give notice of intended changes and allow reasonable objection. The categories of sub-processors are published at /legal/subprocessors.
Where Processing involves cross-border transfer of Personal Data, the parties rely on a lawful transfer mechanism (e.g. EU Standard Contractual Clauses / UK Addendum), incorporated by reference where applicable.
topadroi will make available information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality, scope, and frequency limits.
Personal Data is retained only as long as necessary to provide the Service and per the documented retention schedule, after which it is deleted or anonymized.
topadroi acts as a "service provider"/"contractor" and will not "sell" or "share" Personal Information, nor retain, use, or disclose it except to provide the Service under these Terms.
Encryption in transit (TLS); access controls and least-privilege; tenancy isolation; key-scoped authentication; logging and monitoring; secrets managed outside source control; hashing of personal identifiers performed server-side; regular review of security controls.
Privacy contact: support@topadroi.com