
DATA PROCESSING AGREEMENT (DPA)


This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:

VARIABLE (“Variable”, “Processor”)

and

Customer (“Controller”)

and governs the processing of Personal Data in connection with the Services.

1. Purpose & Scope

This DPA applies where Variable processes Personal Data on behalf of the Customer in connection with the Services.

The Services are designed primarily for synthetic, aggregated, and non-identifiable data.

Customer agrees to limit the use of Personal Data accordingly.

2. Roles of the Parties

  • Customer acts as the Controller of Personal Data
  • Variable acts as a Processor when processing Customer-submitted data
  • Variable acts as an independent Controller for:
    • account management
    • billing
    • security and logging
    • platform analytics
    • De-identified Usage Data

Customer determines the purposes and means of Personal Data processing.

Variable processes Personal Data only on documented instructions from Customer, except where required by law.

3. Processing Instructions

Variable will process Personal Data solely to:

  • provide the Services
  • maintain and secure the platform
  • comply with applicable law

Customer instructs Variable to process Personal Data in accordance with:

  • this DPA
  • the Terms of Service
  • Customer’s use of the Services

4. Categories of Data & Data Subjects

Categories of Personal Data (if provided by Customer)

  • Account identifiers (e.g., name, email)
  • User-submitted inputs (only where Customer includes Personal Data)

Data Subjects

  • Customer users
  • End users (only if Customer uploads such data)

5. Prohibited Data

Customer agrees not to upload or process:

  • Health data
  • Biometric data
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual orientation
  • Trade union membership
  • Criminal history

unless explicitly approved in writing by Variable.

Customer also agrees not to upload Personal Data into structured datasets (e.g., CSV, SAV, Parquet) where such use is not strictly necessary.

6. De-Identified Usage Data

“De-identified Usage Data” means data derived from:

  • Customer inputs
  • Generated outputs
  • Metadata
  • Interaction patterns

that has been aggregated and processed such that it cannot reasonably identify an individual.

Variable may use De-identified Usage Data to:

  • improve models
  • evaluate system performance
  • develop new features
  • conduct strategic analysis and product development

De-identified Usage Data is not considered Personal Data.

7. Generated Outputs

Outputs are generated through observed data and probabilistic models and may not reflect real individuals.

Customer acknowledges that outputs:

  • are exploratory and directional
  • may be incomplete or inaccurate
  • should not be treated as factual representations of individuals

8. Inadvertent Personal Data Submission

If Customer inadvertently submits Personal Data, Variable may, at its discretion:

  • delete such data
  • anonymize such data

without prior notice.

9. Security Measures

Variable implements reasonable technical and organizational measures, including:

  • Encryption in transit
  • Access controls
  • Authentication mechanisms
  • Logging and monitoring

Customer acknowledges that:

  • No system is completely secure
  • Security measures evolve over time

10. Subprocessors

Variable uses the subprocessors listed in Annex II.

Variable will ensure subprocessors are subject to appropriate data protection obligations.

11. International Data Transfers

Customer acknowledges that Personal Data may be processed in the United States and other jurisdictions.

Where applicable, transfers are supported by:

  • appropriate safeguards
  • contractual protections, including references to standard contractual clauses (SCCs)

Customer is responsible for assessing the suitability of such transfers.

12. Data Subject Rights

Variable will, to the extent reasonably possible, assist Customer in responding to:

  • Access requests
  • Deletion requests

Requests may be submitted to: christopher at this domain

13. Security Incidents

Variable will notify Customer of a confirmed Personal Data breach without undue delay.

Notification will include:

  • nature of the incident (if known)
  • mitigation steps taken or proposed

14. Data Retention & Deletion

Upon termination of the Services:

  • Personal Data will be retained for up to 90 days
    • to allow for account restoration or reactivation
  • Data will be deleted earlier upon Customer request

15. Audit Rights

Customer may request reasonable documentation regarding Variable’s data protection practices.

Audit rights are limited to:

  • documentation review
  • written responses

unless otherwise required by law.

16. Liability

Liability is governed by the Terms of Service.

Variable’s obligations are limited to those expressly stated in this DPA.

17. Governing Law

This DPA is governed by the laws of Ontario, Canada.


📎 Annex I — Details of Processing

A. Parties

Controller: Customer

Processor: VARIABLE

B. Subject Matter

Processing of data in connection with:

  • demand modeling
  • simulation
  • segmentation
  • analytics services

provided via the Variable platform and API.

C. Nature of Processing

Processing activities may include:

  • collection
  • storage
  • organization
  • structuring
  • transformation
  • analysis
  • retrieval
  • deletion

D. Purpose of Processing

To enable Customer to:

  • model willingness to pay
  • explore demand curves and segmentation
  • conduct exploratory and directional analysis

The Services are not intended for:

  • identifying individuals
  • profiling real persons
  • making high-stakes decisions

E. Categories of Personal Data

Where provided by Customer:

  • Basic identifiers (e.g., name, email)
  • User-generated inputs (only if containing Personal Data)

F. Categories of Data Subjects

  • Customer employees and users
  • Customer’s end users (if provided)

G. Duration of Processing

Processing occurs:

  • for the duration of the Customer’s use of the Services
  • plus up to 90 days after termination

unless earlier deletion is requested.

H. Special Category Data

Processing of special category data is prohibited unless explicitly approved in writing by Variable.

📎 Annex II — Subprocessors

Variable engages the following subprocessors:

  • Supabase — database, authentication, storage
  • Fly.io — infrastructure hosting and deployment
  • Stripe — billing and payments
  • PostHog — product analytics
  • Google Analytics — traffic analytics
  • Tally — form collection

Each subprocessor processes data only as necessary to provide its service.

📎 Annex III — Security Measures

Variable maintains:

  • Encryption in transit (TLS)
  • Authentication systems
  • Access controls
  • Logging and monitoring