Data Processing Agreement

Last updated: 2026-04-01 (UTC) — Version 1.0

This DPA applies to customers in the EU, UK, and other jurisdictions where GDPR or equivalent data protection law requires a data processing agreement. By using TidyImports, you agree to this DPA as part of our Terms of Service.

1. Parties

Data Controller	You (the customer), the organisation or individual that uploads data to TidyImports.
Data Processor	Mind's Eye Technologies Ltd, New Zealand — operator of TidyImports (tidyimports.com).

2. Scope and purpose

This DPA governs the processing of personal data that may be contained in CSV files uploaded to TidyImports for the purpose of data cleaning, column mapping, and validation. The processor processes personal data only as described in this DPA and as instructed by the controller.

3. Nature of processing

TidyImports processes uploaded CSV files to:

Parse, clean, and normalise data (Sheet Cleaner tool)
Map column headers to CRM field names and validate data readiness (CRM Mapper tool)
Validate CSV structure, check for schema violations and data quality issues (CSV Validator tool)

Processing is ephemeral. Uploaded file contents and processing artifacts are held in temporary storage and automatically deleted within 1 hour of upload. No personal data from uploaded files is retained in long-term storage.

4. Categories of data subjects and personal data

The categories of personal data processed depend entirely on the content of files uploaded by the controller. Typical use cases involve business contact data (names, email addresses, phone numbers, company names). TidyImports does not inspect or categorise the personal data beyond what is necessary for the processing operations described above.

5. Processor obligations

Mind's Eye Technologies Ltd (processor) agrees to:

Process personal data only on documented instructions from the controller (i.e. the processing operations described in these terms).
Ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organisational security measures, including encryption in transit (HTTPS), restricted database access, and periodic security reviews.
Not engage sub-processors for the processing of uploaded file contents. (Stripe is a sub-processor for billing data only — see Privacy Policy.)
Assist the controller in responding to data subject rights requests to the extent possible given the nature of the processing.
Delete all personal data from uploaded files within 1 hour of processing, with no copies retained.
Notify the controller without undue delay upon becoming aware of a personal data breach affecting uploaded file contents.
Provide reasonable assistance to the controller in conducting data protection impact assessments where required.

6. International data transfers

TidyImports servers are located in the United States (Hostinger International Limited, Boston, Massachusetts, USA). The United States does not currently hold a general EU adequacy decision. Data transfers from the EU/EEA to TidyImports are made under the EU Standard Contractual Clauses (SCCs, 2021 version, Module 2: Controller to Processor), which are incorporated by reference into this DPA. By accepting this DPA, both parties agree to be bound by the SCCs.

For UK customers: Data transfers from the UK to TidyImports are made under the UK International Data Transfer Addendum (IDTA) to the EU SCCs, which is incorporated by reference. The controller represents that it has assessed the transfer and is satisfied the SCCs/IDTA provide sufficient protection in the circumstances.

Note: uploaded file data is processed ephemerally and deleted within 1 hour — it is not retained in the United States beyond the active processing session. The primary data retained in the US is account metadata (name, email) and job records (file statistics, not file contents).

7. Data retention

Uploaded file contents: deleted within 1 hour of processing (automatic, no action required from the controller).
Account data and job metadata: see the Privacy Policy.

8. Audit rights

The controller may request, at most once per year, written confirmation that processor obligations are being met. Requests should be sent to info@tidyimports.com. On-site audits are not available for individual customers at the current pricing tier.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

10. Termination

This DPA remains in effect for the duration of the Terms of Service. Upon termination, the processor will delete all personal data from uploaded files (already covered by the 1-hour TTL). Account data deletion may be requested per the Privacy Policy.

11. Contact

Data protection enquiries: info@tidyimports.com
Mind's Eye Technologies Ltd
New Zealand
(Service operated via servers in the United States — Hostinger International Limited, Boston, MA, USA)