Data Processing Agreement (DPA)
ICONZON Platform
Effective Date: November 2025
This Data Processing Agreement ("DPA") is entered into between the customer using the ICONZON Platform ("Controller") and TCI GROUP LTD("Processor", "we", "us"), operator of the ICONZON Platform.
By using the Platform, the Controller agrees to this DPA in relation to any personal data processed by the Processor on the Controller's behalf. This DPA is intended to meet the requirements of the GDPR and other applicable data protection laws.
1. Definitions
1.1 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the GDPR.
1.2 "Processing" means any operation performed on Personal Data (e.g. collection, storage, use, disclosure, deletion).
1.3 "Controller" means the entity that determines the purposes and means of Processing (the customer).
1.4 "Processor" means TCI GROUP LTD, which Processes Personal Data on behalf of the Controller.
2. Roles and Scope
2.1 The Controller is the data controller in respect of Personal Data that it and its end users submit to the Platform.
2.2 The Processor acts as a data processor and Processes Personal Data only on documented instructions from the Controller (including via the Platform and the Terms of Use and Privacy Policy).
2.3 This DPA applies to all Processing of Personal Data carried out by the Processor in connection with the provision of the ICONZON Platform.
3. Subject Matter, Nature and Purpose
Processing is carried out for the purpose of providing the ICONZON Platform, including:
- Account and identity management
- Content creation, storage and publishing (e.g. posts, campaigns, creatives)
- Integration with third-party platforms (e.g. Meta, TikTok) as authorised by the Controller
- AI-powered features (content generation, design tools)
- Payment and subscription management
- Security, support and improvement of the Service
Categories of data subjects and types of Personal Data are described in the Platform's Privacy Policy.
4. Duration
Processing continues for the duration of the provision of the Platform to the Controller. Upon termination, the Processor will delete or return Personal Data in accordance with the Controller's instructions and the Privacy Policy, unless retention is required by law.
5. Processor Obligations
5.1 The Processor shall Process Personal Data only on documented instructions from the Controller and in compliance with applicable law.
5.2 The Processor shall ensure that persons authorised to Process Personal Data are bound by confidentiality or appropriate statutory obligations.
5.3 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (e.g. encryption, access controls, monitoring), as further described in the Privacy Policy.
5.4 The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection, etc.) and in ensuring compliance with GDPR obligations relating to security, breach notification and impact assessments, taking into account the nature of the Processing.
5.5 Upon request, the Processor shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable notice and confidentiality.
6. Sub-processors
6.1 The Controller acknowledges that the Processor may engage sub-processors (e.g. hosting, payment, AI and analytics providers) to perform Processing. The Processor shall use sub-processors that provide sufficient guarantees to implement appropriate technical and organisational measures.
6.2 Where required by law, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors and give the Controller an opportunity to object. A non-exhaustive list of named categories of sub-processors (e.g. Polar for payments, Google and OpenAI for AI/sign-in, UploadThing for files, PostHog where enabled, infrastructure hosting) is published in Section 5.5 of the Privacy Policy. The Processor may provide further detail on request.
6.3 The Processor shall impose on sub-processors data protection obligations no less protective than those in this DPA, including where relevant by way of Standard Contractual Clauses or equivalent mechanisms.
7. International Transfers
Where Personal Data is transferred outside the EEA or the UK, the Processor shall ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses, adequacy decisions) as described in the Privacy Policy.
8. Deletion or Return
At the end of the provision of the Service or upon the Controller's request, the Processor shall delete or return all Personal Data, unless applicable law requires retention. Deletion shall be carried out in accordance with the Processor's data retention and deletion procedures.
9. Contact
For questions about this DPA or data processing: