Data Processing Addendum
This Data Processing Addendum (the "DPA") forms part of the agreement between you (the customer) and Argus Grape (the "Service") and governs the processing of personal data that Argus Grape carries out on your behalf when you use the platform.
Effective June 12, 2026 · v2026.06.0
Roles and scope
This DPA applies whenever Argus Grape processes personal data on your behalf in the course of providing server-side affiliate tracking and viral-contest services. For that data — clicks, conversions, and affiliate records relating to your campaigns — you act as the controller and Argus Grape acts as your processor. You determine the purposes and means of the processing; we process only to deliver the Service to you.
Separately, Argus Grape is an independent controller for personal data of its own account holders and marketing contacts (for example, your team members and billing details). That processing is described in our Privacy Policy and is outside the scope of this DPA. Where the controller or the data subjects are in the European Economic Area or the United Kingdom, the GDPR (or UK GDPR) applies to the processing described here and Argus Grape acts as a processor. Where the processing involves the personal information of California residents (or residents of similar US states), the CCPA/CPRA applies and Argus Grape acts as a "Service Provider". This DPA is incorporated into and subject to our Terms of Service (the "Terms"); where it conflicts with the Terms on the subject of data protection, this DPA prevails.
Subject-matter and duration
The subject-matter of the processing is the personal data contained in the click, conversion, and affiliate data that you submit to or generate through the Service. Processing lasts for as long as your account is active and you continue to use the Service, and it ends on termination of the Terms, subject to the return-and-deletion provisions below. We do not retain customer personal data longer than necessary to provide the Service and meet our legal obligations.
Nature and purpose of processing
Argus Grape processes the data solely to operate the Service on your behalf: generating click identifiers at the edge tracker and redirecting end users to your campaign destinations; computing salted hashes used for fraud detection and per-IP rate limiting; reconciling conversions from signed webhooks; and calculating and splitting commissions across a multi-level referral tree. We do not process the data for our own purposes, for advertising, or to build cross-customer profiles.
The tracker appends a click identifier (argus_cid) to your destination URLs and stores click records keyed by that identifier and a salted ip_hash and device_fingerprint. The plaintext IP address is never stored — only the salted SHA-256 hash. Clicks exceeding the rate threshold are silently flagged shadow_banned; conversions reconciled from shadow-banned clicks are auto-rejected as a fraud control.
Categories of data subjects and personal data
The data subjects are the affiliates who share your tracking links and the end users who click those links and sometimes convert. The categories of personal data are minimized and largely pseudonymized: at the click layer we hold no names, no email addresses, and no plaintext IP. The table below summarizes the data processed on your behalf.
| Category | Examples | Form |
|---|---|---|
| Click identifiers | Click id (128-bit), argus_cid, affiliate id | Pseudonymous token |
| Device signal | Salted device_fingerprint, user_agent, accept_language | Hashed / technical metadata |
| Network signal | Salted ip_hash — plaintext IP never stored | Salted SHA-256 hash |
| Conversion data | Conversion amount, external reference, status, timestamp | Transactional record |
| Affiliate / referral | Affiliate id, position in the referral tree, commission amounts | Identifier + financial |
You are responsible for ensuring you have a lawful basis to instruct us to process this data and for the accuracy of the data you submit. You must not submit special categories of personal data to the Service.
Processor obligations
Argus Grape will: (a) process the personal data only on your documented instructions, including this DPA, the Terms, and your configuration of the Service, unless required to do otherwise by law (in which case we will inform you unless prohibited); (b) ensure that personnel authorized to process the data are bound by confidentiality; and (c) implement appropriate technical and organizational measures to protect the data, as described in our Security policy — including salted hashing of IP and device signals, encryption in transit, access controls, and per-IP rate limiting. If we believe an instruction infringes data-protection law, we will notify you.
Sub-processors
You authorize Argus Grape to engage sub-processors to deliver the Service. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and we remain responsible for their performance. We maintain the current list of sub-processors and will notify you of any intended addition or replacement so you have a reasonable opportunity to object on legitimate grounds.
| Sub-processor type | Purpose |
|---|---|
| Cloud hosting provider | Compute and edge tracking infrastructure |
| Managed PostgreSQL | Primary data store, including the referral tree |
| Managed Redis | Rate limiting and ephemeral state |
| Stripe | Payment processing and conversion webhooks |
International transfers
Where processing under this DPA involves transferring personal data outside the European Economic Area, Argus Grape will ensure an appropriate transfer mechanism is in place — typically the European Commission's Standard Contractual Clauses (SCCs) or another safeguard recognized under the GDPR — together with any supplementary measures required to maintain an essentially equivalent level of protection.
CCPA / US service-provider terms
To the extent Argus Grape processes personal information of California residents on your behalf, Argus Grape is a Service Provider under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"). With respect to that personal information, Argus Grape will: (a) not sell or share the personal information within the meaning of the CCPA; (b) not retain, use, or disclose the personal information for any purpose other than the business purpose of providing the Service specified in the Terms, or as otherwise permitted by the CCPA; (c) not retain, use, or disclose the personal information outside the direct business relationship between the parties; and (d) not combine the personal information with personal information it receives from, or on behalf of, other persons, or collects from its own interaction with the consumer, except as permitted by the CCPA.
Argus Grape certifies that it understands the restrictions in this section and will comply with them. These US service-provider terms apply alongside the GDPR processor obligations above; where both apply to the same processing, Argus Grape will meet the requirements of each.
Data subject requests
Taking into account the nature of the processing, Argus Grape will assist you by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection). Because click-layer data is pseudonymized — keyed to a device_fingerprint and ip_hash rather than to a directly identifying record — locating a single data subject may require information that only you, as controller, can supply. If a data subject contacts us directly, we will refer them to you unless legally required to respond.
Personal data breach
Argus Grape will notify you without undue delay after becoming aware of a personal data breach affecting data processed on your behalf, and will provide the information reasonably available to help you meet your own notification obligations. We will cooperate with you and take reasonable steps to mitigate the breach. Reports and disclosures are coordinated as described in our Security policy.
Audit
Argus Grape will make available to you the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To protect the confidentiality and security of our systems and other customers' data, audits are subject to reasonable notice, confidentiality undertakings, and frequency limits, and we may satisfy audit requests by providing existing documentation or third-party reports where available.
Return and deletion on termination
On termination or expiry of the Terms, Argus Grape will, at your choice, return or delete the personal data processed on your behalf, and delete existing copies, unless retention is required by law. Where you do not make a choice within a reasonable period, we will delete the data in the ordinary course. Hashed values such as ip_hash and device_fingerprint are deleted with the associated click records; we do not retain the salts in a form that could re-link deleted data.
Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA does not enlarge those limits; references to a party's liability in the Terms mean the aggregate liability across the Terms and this DPA.
Contact
For questions about this DPA, or to exercise any right or request under it, contact us at legal@argus-grape.com.