Last updated: January 15, 2025

Table of Contents

🔒 GDPR Compliance Commitment

This Data Processing Agreement ensures our YouTube revenue optimization services comply with GDPR and other data protection laws. We're committed to protecting your data with the same dedication we apply to protecting your revenue.

1. Definitions & Scope

Parties to this Agreement

  • Data Controller: You (the YouTube creator/user) who determines the purposes and means of processing personal data
  • Data Processor: PrimeTime Media, who processes personal data on behalf of the Controller

Key Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, analysis, etc.)
  • Data Subject: The individual whose personal data is being processed
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • Supervisory Authority: Independent public authority responsible for monitoring GDPR compliance

Scope of Agreement

This DPA applies to all personal data processing activities performed by PrimeTime Media on behalf of users in connection with our YouTube analytics and revenue optimization services.

⚖️ Legal Basis

This agreement supplements our Terms of Service and Privacy Policy, ensuring compliance with GDPR Article 28 requirements for processor agreements.

2. Processing Details

Nature and Purpose of Processing

PrimeTime Media processes personal data solely to provide YouTube analytics and revenue optimization services, including:

  • Analyzing YouTube channel performance metrics
  • Generating revenue optimization recommendations
  • Tracking revenue improvements and attribution
  • Providing personalized insights and benchmarking
  • Processing payments for revenue sharing

Categories of Data Subjects

  • YouTube Creators: Individuals who own or manage YouTube channels
  • Channel Collaborators: Individuals with access to creator accounts
  • Viewers: Individuals whose data is included in YouTube analytics (aggregated only)
  • Website Visitors: Individuals who visit our platform

Categories of Personal Data

Data Category Data Types Processing Purpose
Identity Data Name, email address, username Account management, authentication
Channel Data YouTube analytics, video metrics, revenue data Revenue optimization analysis
Financial Data Payment information, revenue amounts Revenue sharing calculations
Usage Data Platform interactions, feature usage Service improvement, personalization
Technical Data IP address, browser data, device info Security, performance optimization

Duration of Processing

Personal data is processed for the duration of the service relationship and retained according to our data retention schedule, as detailed in Section 11.

3. Controller Obligations

As the Data Controller, you warrant and undertake that:

Legal Basis & Compliance

  • You have a valid legal basis for processing under GDPR Article 6
  • You have obtained necessary consents from data subjects where required
  • You comply with all applicable data protection laws
  • You have provided appropriate privacy notices to data subjects

Processing Instructions

  • Processing instructions are documented in this DPA and our Terms of Service
  • Any additional processing instructions must be provided in writing
  • Instructions must comply with applicable data protection laws
  • You acknowledge that processing outside documented instructions may require separate agreement

💡 Your Data Rights

As a Controller, you maintain full control over your data processing decisions. We process data only according to your instructions and this agreement.

4. Processor Obligations

As the Data Processor, PrimeTime Media undertakes to:

Processing Limitations

  • Process personal data only on documented instructions from you
  • Not process data for our own purposes beyond service provision
  • Immediately notify you if instructions appear to violate GDPR or other data protection laws
  • Not transfer or disclose personal data to third parties except as authorized

Confidentiality & Staff

  • Ensure all personnel processing personal data are bound by confidentiality obligations
  • Provide appropriate data protection training to relevant staff
  • Limit access to personal data to personnel who need it for service provision
  • Maintain records of staff with access to personal data

5. Data Security Measures

🔐 Enterprise-Grade Security

We protect your data with the same level of security we use to protect your revenue information—because both are critical to your success.

Technical Safeguards

  • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and network monitoring
  • Data Backup: Regular encrypted backups with tested restoration procedures
  • Vulnerability Management: Regular security scanning and patch management

⚠️ Shared Responsibility

While we implement robust security measures, you remain responsible for maintaining the security of your account credentials and properly configuring access permissions.

6. Sub-Processors

PrimeTime Media may engage sub-processors to assist in providing our services. All sub-processors are subject to strict data protection requirements.

Current Sub-Processors

Sub-Processor Service Provided Data Location
Amazon Web Services (AWS) Cloud hosting and data storage United States, EU (as configured)
Google LLC YouTube API access and analytics Global (Google infrastructure)
Stripe, Inc. Payment processing services United States, EU

💡 Sub-Processor Accountability

We remain fully liable for the acts and omissions of our sub-processors as if they were our own acts and omissions.

7. International Data Transfers

Transfer Mechanisms

When transferring personal data outside the EEA, we ensure adequate protection through:

  • Adequacy Decisions: Transfers to countries with adequate protection as determined by the European Commission
  • Standard Contractual Clauses (SCCs): EU-approved contract terms for international transfers
  • Binding Corporate Rules: Where applicable for multinational organizations
  • Specific Derogations: Limited circumstances under GDPR Article 49

8. Data Subject Rights

We assist you in fulfilling data subject rights requests under GDPR Articles 15-22:

Rights We Support

  • Right of Access (Article 15): Provide copies of personal data and processing information
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Delete personal data when legally required
  • Right to Restrict Processing (Article 18): Limit processing in specific circumstances
  • Right to Data Portability (Article 20): Provide data in machine-readable format
  • Right to Object (Article 21): Stop processing based on legitimate interests

9. Data Breaches

Breach Notification Timeline

  • Immediate: Internal security team notification and breach response activation
  • Within 24 hours: Assessment of breach scope and potential impact
  • Within 72 hours: Notification to you as Data Controller (if breach likely to result in risk)
  • Without undue delay: Support your notifications to supervisory authorities and data subjects

10. Audit & Compliance

Information and Audit Rights

We provide you with all information necessary to demonstrate compliance with GDPR Article 28 obligations:

  • Regular Reporting: Annual compliance reports and security assessments
  • Documentation Access: Access to relevant policies, procedures, and certifications
  • Audit Rights: Right to conduct audits or appoint third-party auditors
  • Inspection Cooperation: Full cooperation with supervisory authority inspections

11. Data Retention & Deletion

Retention Periods

Data Category Retention Period Rationale
Account Data Duration of service + 30 days Service provision and final revenue calculations
YouTube Analytics Duration of service + 90 days Revenue attribution and dispute resolution
Financial Records 7 years after final payment Tax compliance and audit requirements

💚 Data Minimization

We practice data minimization by collecting only data necessary for revenue optimization services and deleting data promptly when no longer needed.

12. Agreement Termination

Data Return & Deletion

Upon termination of processing:

  1. Data Export: We provide your data in portable format within 30 days
  2. Deletion Timeline: All personal data deleted within 90 days unless legally required to retain
  3. Sub-Processor Coordination: Ensure all sub-processors delete data according to agreements
  4. Certification: Written certification of deletion provided upon request

13. Liability & Indemnification

Liability Allocation

  • Controller Liability: You remain liable for your processing decisions and compliance with data protection laws
  • Processor Liability: We are liable for damages caused by processing outside or contrary to lawful instructions
  • Joint Liability: Where both parties contribute to damage, liability is allocated based on responsibility
  • Sub-Processor Acts: We are liable for sub-processor acts as if they were our own

⚖️ Insurance Coverage

We maintain appropriate professional liability and cyber security insurance coverage to support our indemnification obligations under this agreement.

Data Protection Contact Information

For all data protection inquiries, rights requests, and DPA-related questions:

Data Protection Officer: dpo@primetime.media

Privacy Team: privacy@primetime.media

Legal Department: legal@primetime.media

Security Incidents: security@primetime.media

Response Time: We respond to data protection inquiries within 72 hours.

🤝 Partnership in Privacy Protection

This DPA formalizes our commitment to protecting your data with the same dedication we apply to optimizing your revenue. Together, we ensure GDPR compliance while maximizing your YouTube success.