Data Processing Addendum

If you are a business subject to EU/UK data-protection law, this addendum sets out how Moose processes personal data on your behalf as your processor.

Last updated: May 31, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Controller”) and ALIP YAXAR LLC, which operates Moose (the “Processor”), and applies where Moose processes personal data on your behalf under EU/UK data-protection law (GDPR Article 28). Version 2026-05-31.

1. Subject matter & duration

Moose processes personal data only to provide the Moose service to you — scheduling and publishing content, automating comment/DM replies, generating captions and images, and reporting on your connected accounts — for as long as your account is active, plus the retention periods described below.

2. Nature & purpose; types of data

Processing covers the data your connected accounts expose (e.g. Instagram messages and comments, account insights) and aggregated website analytics from Google Analytics. For the Managed Outcomes reporting, Moose reads only aggregated GA4 metrics — no individual visitor or customer records are read or stored. Data subjects include your customers and audience who interact with your connected accounts.

3. Processor obligations

Process personal data only on your documented instructions, including this DPA.
Ensure personnel are bound by confidentiality.
Implement appropriate technical and organizational security (encryption at rest for tokens, RLS tenant isolation, least-privilege access).
Engage sub-processors only as listed at /legal/sub-processors, under equivalent obligations, and notify you of changes.
Assist you, where feasible, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment duties.
Delete or return personal data at the end of the service, except where law requires retention.
Make available information needed to demonstrate compliance and allow for audits.

4. Google user data (Limited Use)

Moose's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: we do not sell Google user data, do not use it for advertising, do not use it to train generalized AI models, and delete it when you disconnect or revoke access.

5. International transfers

Where personal data is transferred outside the EEA or UK — including to the United States — such transfers rely on appropriate safeguards (for example, the Standard Contractual Clauses) put in place by Moose and its sub-processors.

6. Retention & deletion

Aggregated GA4 snapshots are retained for up to 13 months and then purged automatically. Disconnecting Google Analytics revokes the token at Google and deletes the associated snapshots. Deleting your Moose account erases all of your associated data.