Data Privacy & our DPA⁡𝅶‍‍𝅺⁡‍𝅴⁡𝅴𝅹‍‍⁢𝅵‍‍⁡​⁡‍⁠⁡​⁡‍‍𝅹𝅴𝅺‍‍‍𝅷‍‍𝅳⁡‍⁠‍‍⁢𝅵‍‍𝅳⁡⁣⁡⁣⁡​⁡⁢⁢𝅵‍𝅺‍𝅺𝅸‌⁡‍𝅶⁠⁡⁣𝅴𝅹⁡‍𝅸⁡​⁡‍⁠⁡​⁡‍‍𝅸‍⁡‍𝅹⁡​⁡‍⁠⁡​⁡‍‍𝅹𝅴𝅺‍𝅺⁢𝅺𝅹⁡⁣⁠𝅹⁡⁣‍𝅺⁠⁣𝅴⁡⁣‍𝅺⁢𝅳⁣⁣⁢⁡⁢​⁣⁢​⁢⁣‍𝅸⁠⁢⁢⁢​⁠‍𝅸⁢⁣⁢‍⁢⁢𝅳‍𝅸‍‍⁢⁠⁢⁢‍𝅸⁢⁣⁠⁢⁢⁢⁢⁢‌⁢⁠‍⁢​⁢​⁢⁢𝅺𝅷𝅺⁢‌𝅷⁠⁢𝅸⁠𝅹‍𝅸⁣⁡⁣‍‍‍⁡𝅸

As a data Processor, Prepr handles personal data exclusively on the documented instructions of our customers, who act as Controllers. Every processing activity we perform is designed to meet the highest standards of EU data protection. This includes strict GDPR compliance, robust security measures, transparent use of sub-processors, and full support for data subject rights.

This page provides an overview of how Prepr processes and protects customer data under the GDPR and under the terms of our Data Processing Agreement (DPA v2.2).

The Controller determines the purpose and means of the processing and is responsible for:

• establishing the lawful basis,
• deciding which personal data is collected,
• defining data retention periods,
• handling communication with data subjects.

Prepr processes personal data only on the Controller’s documented instructions and never for its own purposes. Prepr does not determine:

• how long customer data is retained,
• what personal data is collected,
• how personal data is used or shared.
  

• IP address
• Pages requested
• Referrer
• Browser type
• Request date and time

This is the basic data set up to use personalization features in Prepr. All processed data is defined by the Controller during implementation.

• Name
• Email address
• Account creation date
• Last activity timestamps
• Events & tags

All optional fields are defined by the Controller during implementation.

Controllers must:

• Identify the lawful basis for processing
• Define the purposes and means of processing
• Handle data subject requests (DSARs)
• Maintain their own GDPR compliance measures

Prepr:

• Processes data only on documented instructions
• Implements appropriate technical and organizational measures
• Ensures confidentiality for all staff
• Assists Controllers with GDPR obligations
• Provides transparency and supports audits
  

Prepr maintains strong security measures aligned with ISO standards.

• ISO 27001:2015, ISO 9001:2015, ISAE 3402 Type II
• Redundant, multi-datacenter hosting within the Netherlands
• Auto-scalable Kubernetes architecture

• Encryption in transit (TLS/HTTPS)
• Encryption at rest
• Nightly backups
• Disaster recovery capabilities

• API key management
• Intrusion detection and threat monitoring
• Protections against SQLi, XSS, DDoS

• RBAC
• Two-factor authentication
• SSO integrations (Azure, Google, SAML)
• Confidentiality obligations for all employees

For more details, see our Security page.

Prepr engages trusted sub-processors to deliver certain components of our service (e.g., infrastructure, CDN, monitoring).

All sub-processors:

• are bound by the same or stricter GDPR obligations,
• are continuously assessed for security and compliance,
• may only be used after notifying customers where required.

A full list of sub-processors is available on our website.

All customer data is stored and processed within the European Union.

Prepr does not process or transfer personal data outside the EU without explicit written approval from the Controller.

Prepr automatically deletes inactive customer profiles after 90 days of inactivity unless refreshed by a SignUp event.

Upon termination, Controllers may choose to:

• have their data returned, or
• have all data securely deleted.

Prepr deletes remaining copies in accordance with legal requirements.

Prepr helps Controllers fulfil GDPR requests.

• Right of access → export customer data in JSON
• Right to erasure → delete customer profiles instantly
• Right to rectification → update via UI or API
• Right to restriction/objection → manage via configuration

Any DSAR addressed directly to Prepr is forwarded to the Controller.

Prepr also provides support for DPIAs where required.

Prepr will notify the Controller without undue delay, with a target of 48 hours after discovering a breach.

The Controller is responsible for contacting:

• supervisory authorities, and
• affected data subjects,when required under the GDPR.
  

All Prepr employees are subject to strict confidentiality obligations.

Only staff who require access for operational purposes can access personal data, and all access is logged and monitored.

Prepr provides Controllers with:

• access to the information needed to verify GDPR compliance,
• the ability to request audits under the terms of the DPA,
• transparency around security controls and processing activities.

Audit procedures follow the DPA terms.

Prepr notifies customers in advance of significant changes to:

• sub-processors,
• data center locations,
• key security measures,
• service architecture.
  

The current version of the Prepr Data Processing Agreement (v2.2, November 2025) is available for download.

For any questions about privacy or the DPA:

• Operational questions: [email protected]
• Legal & compliance: [email protected]