Legal

Data Processing Agreement

Effective March 15, 2026 · Last updated March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Your Media Studio ("Processor", "we") and the organisation or individual using our services ("Controller", "you"). It governs the processing of personal data in connection with the Your Media Studio platform.

This DPA applies whenever you upload media plans or other files that may contain personal data, or when we process data on your behalf as part of our service.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: Your Media Studio, which processes personal data on behalf of the Controller.
  • Sub-processor: Any third party engaged by the Processor to process personal data.
  • GDPR: EU General Data Protection Regulation 2016/679.
  • PDPA: Personal Data Protection Acts of Singapore, Thailand, Philippines, and Malaysia as applicable.

2. Subject Matter and Duration

We process personal data solely to provide the Your Media Studio service: media plan analysis, competitive intelligence, and reporting. We process data for as long as your account is active, or as required by law. Personal data is automatically deleted 12 months after creation. Upon account deletion, data is permanently purged within 30 days.

3. Nature and Purpose of Processing

  • Storing and analysing uploaded media plan files
  • Generating AI-powered analysis scores and recommendations
  • Competitive intelligence research (Share of Search, brand news)
  • Sending transactional emails (analysis results, invitations, OTP)
  • Aggregated, anonymised benchmark analysis (with explicit consent only)

4. Categories of Data Subjects and Data

  • Account holders: Email address, name, subscription plan, usage history
  • Collaborators: Email addresses of users invited to view shared analyses
  • Media plan content: Budget figures, channel allocations, brand names, markets — provided by you

5. Controller Obligations

You confirm that you have the legal basis to share any personal data contained in uploaded files with us for processing. You are responsible for ensuring your use of our service complies with applicable data protection laws in your jurisdiction.

6. Processor Obligations

  • Process personal data only on your documented instructions
  • Ensure all personnel with data access are bound by confidentiality
  • Implement appropriate technical and organisational security measures (AES-256-GCM encryption at rest, TLS in transit)
  • Notify you without undue delay after becoming aware of a personal data breach
  • Assist you in responding to data subject rights requests (access, erasure, portability)
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance

7. Sub-processors

We use the following sub-processors. We maintain contractual data protection obligations with each.

| Sub-processor | Purpose |
|---|---|
| Supabase | Database, authentication, file storage |
| Vercel | Application hosting, serverless functions |
| Groq | AI analysis (LLM inference) |
| Google (Gemini) | Intelligence signals — trends, news |
| Resend | Transactional email delivery |
| Stripe | Payment processing |
| Modal Labs | ML model execution (MMM workers) |

We will notify you of any new sub-processors with at least 14 days' notice.

8. International Data Transfers

Some sub-processors are located outside your jurisdiction. Where data is transferred outside the EU/EEA or countries without adequate protection, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by applicable law.

9. Security Measures

  • AES-256-GCM encryption for sensitive data at rest
  • TLS 1.2+ for all data in transit
  • Row-level security — users can only access their own data
  • Automatic deletion of data after 12 months
  • Access controls: production access limited to authorised personnel only
  • Audit logging of all sensitive data operations

10. Data Subject Rights

You may exercise the following rights via your account settings or by emailing privacy@yourmediastudio.com:

  • Right to access — download all your data as JSON
  • Right to erasure — delete your account and all data (30-day grace period)
  • Right to rectification — correct inaccurate personal data
  • Right to portability — receive your data in a machine-readable format
  • Right to object — opt out of anonymised benchmarking at any time

11. Data Breach Notification

In the event of a personal data breach, we will notify affected controllers without undue delay and, where feasible, within 72 hours of becoming aware. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.

12. Termination and Data Return

Upon termination of your account, we will securely delete all personal data within 30 days unless retention is required by applicable law. You may request a data export before account closure.

Questions or DPA Requests

For enterprise DPA execution, data protection queries, or compliance requests:

privacy@yourmediastudio.com