Data Processing Agreement
Last updated: March 25, 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between TryBuildCo (“Processor,” “we,” “us”), operated at trybuild.co, and you (“Controller,” “Customer”) for the use of TryBuildCo’s services.
This DPA sets out the terms under which we process personal data on your behalf when you use TryBuildCo to validate business ideas. It applies to the extent that we process personal data subject to applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the laws of the Hong Kong Special Administrative Region.
By using TryBuildCo, you agree to the terms of this DPA. If you are entering into this DPA on behalf of a company or organization, you represent that you have the authority to bind that entity.
2. Definitions
- Controller — The Customer who determines the purposes and means of processing personal data. In this DPA, the Controller is you (the user of TryBuildCo).
- Processor — TryBuildCo, which processes personal data on behalf of the Controller to provide the Service.
- Sub-processor — A third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
- Personal Data — Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Data Subject — An identified or identifiable natural person whose personal data is processed.
- Processing — Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- Service — The TryBuildCo platform and all related features, including AI-powered market research, landing page generation, ad campaign management, and validation reporting.
- SCCs — Standard Contractual Clauses as adopted by the European Commission for the transfer of personal data to third countries.
3. Scope and Purpose of Processing
We process personal data solely for the purpose of providing the TryBuildCo Service to you. This includes:
- Generating AI-powered market research reports based on your business idea descriptions
- Creating and hosting landing pages to test your value proposition
- Running and managing ad campaigns on Google Ads and Meta Ads on your behalf
- Collecting and reporting ad campaign performance metrics and landing page visitor analytics
- Processing payments and managing your account
- Sending transactional emails related to your account and campaigns
- Generating and storing PDF validation reports
- Capturing and managing email leads from your landing pages
We will not process personal data for any purpose other than those described in this DPA and our Privacy Policy, unless required by applicable law. If we are required by law to process personal data for another purpose, we will inform you before doing so, unless the law prohibits such notification.
4. Duration of Processing
We will process personal data for the duration of your use of the Service, plus any retention period required by applicable law. Specifically:
- Processing begins when you create an account or first submit data to TryBuildCo
- Processing continues for as long as your account remains active
- Upon account deletion or termination, we will delete or return personal data within 30 days, except where retention is required by law (see Section 13)
- Payment records may be retained longer as required by financial and tax regulations
5. Types of Personal Data Processed
The following categories of personal data are processed through the Service:
- Account data — email address, name, authentication credentials
- Business idea descriptions — text content submitted by the Customer describing their business concept
- AI-generated research data — market research, competitor analysis, and validation insights generated by AI based on submitted ideas
- Landing page content and visitor analytics — page content, visitor events (views, clicks, form submissions), and hashed IP addresses (raw IPs are not stored)
- Ad campaign performance metrics — impressions, clicks, CPC, CTR, conversions from Google Ads and Meta Ads
- Payment data — transaction ID, amount, payment status, and billing email (processed via Stripe; we never store credit card numbers)
- PDF reports — validation reports stored on our servers
- Lead capture emails — email addresses submitted through landing page forms and used for communications
6. Categories of Data Subjects
Personal data processed under this DPA relates to the following categories of data subjects:
- Customers — individuals who create a TryBuildCo account and use the Service
- Landing page visitors — individuals who view or interact with landing pages generated by TryBuildCo (analytics data only; IPs are hashed)
- Leads — individuals who submit their email address through a landing page lead capture form
7. Obligations of the Processor (TryBuildCo)
As the Processor, TryBuildCo will:
- Process personal data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process personal data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing (see Section 10)
- Not engage another processor (sub-processor) without prior written authorization from the Controller, subject to the sub-processor provisions in Section 9
- Assist the Controller in responding to data subject requests (see Section 12)
- Assist the Controller in ensuring compliance with data security, breach notification, data protection impact assessments, and prior consultation obligations
- At the Controller’s choice, delete or return all personal data upon termination of the Service (see Section 13)
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 14)
- Immediately inform the Controller if, in our opinion, an instruction from the Controller infringes applicable data protection law
8. Obligations of the Controller (Customer)
As the Controller, the Customer will:
- Ensure that there is a lawful basis for the processing of personal data instructed to TryBuildCo
- Provide clear and documented processing instructions that comply with applicable data protection laws
- Ensure that data subjects have been informed about the processing of their personal data, including through appropriate privacy notices on landing pages
- Where required, obtain valid consent from data subjects before their personal data is processed through the Service
- Not submit any special categories of personal data (as defined in GDPR Article 9) or sensitive personal data through the Service, unless expressly agreed in writing
- Comply with all applicable data protection laws in connection with the use of the Service
- Promptly notify TryBuildCo of any changes to processing instructions or any circumstances that may affect TryBuildCo’s ability to comply with this DPA
9. Sub-processors
The Controller provides general authorization for TryBuildCo to engage the sub-processors listed below. We have entered into data processing agreements with each sub-processor that provide at least the same level of data protection as this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | Singapore |
| Stripe | Payment processing | United States |
| Anthropic (Claude) | AI processing of idea text for market research and content generation | United States |
| Google Ads API | Ad campaign management | United States |
| Meta Ads API | Ad campaign management | United States |
| Resend | Transactional email delivery | United States |
| Hetzner | VPS hosting (application server) | Germany / Finland |
Notification of changes: We will notify you by email at least 14 days before adding or replacing a sub-processor. The notification will include the sub-processor’s name, location, and the processing activities they will perform.
Right to object: You may object to a new or replacement sub-processor by notifying us in writing at [email protected] within 14 days of our notification. Your objection must include reasonable grounds related to data protection. We will work with you in good faith to find a resolution. If no resolution can be reached within 30 days, either party may terminate the agreement with respect to the affected processing activities.
10. Data Security Measures
We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Encryption in transit: All data transmitted between users, our servers, and third-party services is encrypted using TLS/HTTPS
- Encryption at rest: Database storage is encrypted at rest via Supabase’s managed PostgreSQL infrastructure
- Access controls: Production data access is limited to authorized personnel only, with role-based access controls
- IP address hashing: Landing page visitor IP addresses are hashed before storage; raw IPs are never retained
- Payment isolation: Credit card data is handled exclusively by Stripe and never touches our servers
- Secure authentication: User sessions are managed with secure, httpOnly tokens
- Infrastructure security: Our application server is hosted on Hetzner with firewall rules, SSH key authentication, and regular security updates
- Confidentiality: All personnel with access to personal data are bound by confidentiality obligations
We regularly review and update these measures to address evolving security threats. While we take data security seriously, no system can guarantee absolute security.
11. Data Breach Notification
In the event of a personal data breach, TryBuildCo will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to enable the Controller to meet any obligations to report the breach to a supervisory authority or to inform affected data subjects
- Include in the notification, to the extent reasonably available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
- Document all personal data breaches, including the facts relating to each breach, its effects, and the remedial action taken
Breach notifications will be sent to the email address associated with your TryBuildCo account, or to an alternative address you designate for this purpose.
12. Data Subject Rights Assistance
TryBuildCo will assist the Controller in fulfilling its obligations to respond to data subject requests exercising their rights under applicable data protection law. These rights include:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing
If we receive a request directly from a data subject regarding the Controller’s data, we will promptly notify the Controller and will not respond to the request directly unless authorized to do so or required by law.
We will provide reasonable assistance to the Controller in responding to data subject requests, taking into account the nature of the processing. Where our assistance requires significant effort beyond normal operations, we may charge a reasonable fee based on our actual costs.
13. Data Deletion and Return on Termination
Upon termination of the Service or upon the Controller’s written request:
- Data return: At the Controller’s request, we will provide a copy of all personal data in a commonly used, machine-readable format (e.g., JSON or CSV) within 30 days
- Data deletion: After providing data return (if requested), or if no return is requested, we will delete all personal data within 30 days of termination, including from backups within 90 days
- Exceptions: We may retain personal data where required by applicable law (such as payment records for tax compliance). We will inform the Controller of any such retention and limit processing to the legally required purposes
- Confirmation: Upon request, we will provide written confirmation that personal data has been deleted
To request data return or deletion, contact us at [email protected].
14. International Data Transfers
TryBuildCo is operated from Hong Kong. Personal data may be transferred to and processed in the following regions through our sub-processors:
- Singapore (Supabase — database hosting)
- United States (Stripe, Anthropic, Google Ads, Meta Ads, Resend)
- Germany / Finland (Hetzner — application server hosting)
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries outside those regions that have not received an adequacy decision:
- We rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, incorporated into our agreements with sub-processors where applicable
- We assess the data protection laws of each destination country and implement supplementary measures where necessary
- For transfers to sub-processors that are certified under recognized frameworks (such as the EU-US Data Privacy Framework), we may rely on those certifications as an additional transfer mechanism
Upon request, we will provide copies of the relevant transfer mechanisms in place with our sub-processors.
15. Audit Rights
The Controller has the right to verify TryBuildCo’s compliance with this DPA. To exercise this right:
- Information requests: TryBuildCo will make available all information reasonably necessary to demonstrate compliance with this DPA upon written request
- Audits: The Controller (or an independent third-party auditor appointed by the Controller) may conduct an audit of TryBuildCo’s processing activities, provided that:
  - At least 30 days’ prior written notice is given
  - The audit is conducted during normal business hours and does not unreasonably disrupt operations
  - The auditor is bound by appropriate confidentiality obligations
  - Audits are limited to once per calendar year
- Costs: Each party bears its own costs for the audit, unless the audit reveals a material breach of this DPA by TryBuildCo, in which case TryBuildCo will bear the reasonable costs of the audit
To request an audit or compliance information, contact us at [email protected].
16. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in our Terms of Service, except that neither party’s liability for breaches of data protection obligations shall be limited in a way that would prevent a data subject from obtaining effective compensation under applicable data protection law.
Where both parties are responsible for damage caused by processing that infringes applicable data protection law, each party shall be liable for the damage caused by its own processing in accordance with GDPR Article 82.
TryBuildCo shall not be liable for any data breach or loss resulting from the Controller’s failure to comply with its obligations under this DPA or applicable data protection law.
17. Governing Law
This DPA is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region, without regard to its conflict of law provisions.
For data subjects located in the European Economic Area, the United Kingdom, or Switzerland, nothing in this DPA limits any rights or obligations under the GDPR or equivalent local data protection legislation. Where there is a conflict between this DPA and GDPR requirements, the GDPR shall prevail to the extent of the inconsistency.
18. Changes to This DPA
We may update this DPA from time to time to reflect changes in our processing practices, sub-processors, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page and notify you by email at least 14 days before the changes take effect.
Your continued use of the Service after the changes take effect constitutes your acceptance of the updated DPA.
19. Contact
For questions about this DPA or to exercise any rights described herein, please contact us:
Email: [email protected]
Data Protection Officer: [email protected]
Location: Hong Kong