Data Processing Agreement

Last updated: 18 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service.

It governs the processing of personal data by BandTools on behalf of users who use the service to manage newsletter subscribers.

BandTools is operated by BandTools Ltd.
Company No. 17139464.
Registered in England and Wales.
Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ.
ICO Registration No. ZC142997.

This DPA is split into sections:

1. Definitions

  • “Controller” means the BandTools user who determines the purposes and means of processing subscriber personal data.
  • “Processor” means BandTools, which processes subscriber personal data on behalf of the Controller.
  • “Data Subject” means a newsletter subscriber whose personal data is processed.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Sub-processor” means a third party engaged by BandTools to process personal data on its behalf.
  • “Applicable Data Protection Law” means the UK Data Protection Act 2018, the UK GDPR, the EU GDPR, and any other applicable data protection legislation.

2. Scope and Purpose

BandTools processes personal data on behalf of its users (Controllers) for the following purposes:

  • Storing and managing newsletter subscriber lists
  • Sending newsletters and transactional emails (subscription confirmations) to subscribers
  • Processing subscription and unsubscription requests
  • Moderating newsletter content for prohibited material prior to sending
  • Fetching content from external RSS or Atom feeds configured by the Controller to create newsletters on the Controller’s behalf (automatic newsletters feature)
  • Transmitting subscriber data and account information to third-party applications authorised by the Controller via API access tokens, as instructed by the Controller
  • Transmitting event data (including subscriber email addresses and newsletter metadata) to external endpoints configured by the Controller via webhooks, as instructed by the Controller

The duration of processing is for the period during which the Controller maintains an active BandTools account.

3. Data Processed

The categories of personal data processed and the data subjects concerned are:

  • Data subjects: Newsletter subscribers of the Controller
  • Categories of personal data: Email addresses, subscription status, subscription confirmation timestamps
  • Special categories of data: None. BandTools does not intentionally process special categories of personal data as defined in Article 9 of the UK GDPR

4. Obligations of BandTools

As a Processor, BandTools shall:

  • Process personal data only on documented instructions from the Controller (i.e. through use of the BandTools service), unless required to do so by applicable law
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of personal data at rest and in transit
  • Assist the Controller in responding to data subject requests (see section 8)
  • Assist the Controller in ensuring compliance with obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
  • At the choice of the Controller, delete or return all personal data upon termination of the service, and delete existing copies unless applicable law requires storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR

5. Sub-processors

BandTools uses the following sub-processors to deliver the service. Each sub-processor is contractually bound to process data in accordance with applicable data protection law:

  • Backblaze B2 (EU Central): Database backup storage
  • Bunny Fonts (EU): Web font delivery for subscriber-facing pages. Operates a zero-logging policy with no personal data storage
  • Hetzner (EU): Hosting infrastructure
  • Honeybadger (US): Error tracking and application monitoring
  • Lemon Squeezy (US): Payment processing
  • Mailgun (EU): Email delivery
  • MaxMind (local database, no data transmission): IP geolocation for localised pricing
  • OpenAI Platform (US): Content moderation

The Controller provides general authorisation for BandTools to engage additional sub-processors. BandTools will update the sub-processor list in its Privacy Policy before engaging any new sub-processor, giving the Controller the opportunity to object. If the Controller objects to a new sub-processor and the objection cannot be reasonably resolved, either party may terminate the agreement.

API access tokens: Where the Controller generates API tokens and provides them to third-party applications, those applications are not sub-processors of BandTools. The Controller acts as the Data Controller for any personal data retrieved via the API and is responsible for ensuring an appropriate legal basis and adequate data protection measures are in place with the authorised application.

Webhook endpoints: Where the Controller configures webhooks to transmit event data to external services, those external services are not sub-processors of BandTools. The Controller acts as the Data Controller for any personal data transmitted via webhooks and is responsible for ensuring an appropriate legal basis and adequate data protection measures are in place with the receiving service.

6. International Transfers

BandTools primarily processes data within the European Economic Area (EEA) and the United Kingdom. Where personal data is transferred to sub-processors outside the EEA/UK, the following safeguards apply:

  • Honeybadger (US): Processes error tracking data that may include IP addresses and request metadata. Subject to the EU-US Data Privacy Framework.
  • OpenAI Platform (US): Processes newsletter content for moderation purposes only. No subscriber personal data is sent to OpenAI. Subject to the EU-US Data Privacy Framework.

All other sub-processors process data within the EEA/UK.

7. Data Breach Notification

In the event of a personal data breach, BandTools shall:

  • Notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of the breach
  • Provide sufficient information for the Controller to meet its obligations to report the breach to the relevant supervisory authority and to affected data subjects
  • Co-operate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach

8. Data Subject Requests

BandTools provides the following tools to assist Controllers in responding to data subject requests:

  • Right of access: Controllers can view and export all subscriber data at any time
  • Right to rectification: As the only personal data stored is the email address, rectification is achieved by the Controller deleting the existing subscriber record and the data subject re-subscribing with the correct email address
  • Right to erasure: Controllers can delete individual subscribers or their entire account and all associated data
  • Right to data portability: Controllers can export subscriber data in CSV format

If BandTools receives a request directly from a data subject, it will promptly redirect the data subject to the relevant Controller, unless legally required to respond directly.

9. Data Retention and Deletion

BandTools retains subscriber personal data for the duration of the Controller’s account. Upon account deletion:

  • All newsletter subscription records linking the Controller to their subscribers are permanently deleted immediately, severing the Controller's access to subscriber data. Subscriber records that are also associated with other Controllers remain in the system under those Controllers
  • All newsletters and associated content are permanently deleted
  • Encrypted database backups containing the data may persist for up to 30 days before being overwritten in the normal backup rotation cycle

Individual subscribers can be deleted at any time by the Controller. Subscribers can also remove themselves by using the unsubscribe link in any newsletter.

10. Audit Rights

BandTools shall make available to the Controller, on request, all information necessary to demonstrate compliance with the obligations set out in this DPA and in Article 28 of the UK GDPR. BandTools shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

11. Governing Law

This DPA is governed by the laws of England & Wales. Any disputes arising from this DPA will be resolved exclusively in the courts of England & Wales.

This DPA forms part of the Terms of Service.

By using BandTools to manage newsletter subscribers, you agree to this Data Processing Agreement.