Last Updated: November 2025
This Data Processing Agreement ("DPA") supplements the Terms of Service and Privacy Policy for TierSync, operated by BuiltByInk. This DPA outlines how we process personal data on your behalf when you use TierSync.
This DPA is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR.
- "Controller": The entity (you) that determines the purposes and means of processing personal data
- "Processor": BuiltByInk (TierSync), which processes personal data on behalf of the Controller
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Data Subject": The individual whose personal data is being processed
- "Processing": Any operation performed on personal data (collection, storage, use, etc.)
TierSync processes personal data to provide the following services:
- Discord role automation based on subscription status
- Payment processing and subscription management
- Webhook processing from Stripe
- User authentication and account management
- Service delivery and support
- Account Data: Email addresses, passwords (encrypted), account preferences
- Payment Data: Processed through Stripe (we do not store payment card details)
- Discord Data: OAuth tokens, guild IDs, role IDs, user IDs (with your authorization)
- Usage Data: Subscription status, trial periods, access logs
- Technical Data: IP addresses, browser information, session identifiers
TierSync acts as a Data Processor when processing personal data on your behalf. We:
- Process personal data only as instructed by you (the Controller)
- Implement appropriate technical and organizational measures to protect data
- Assist you in fulfilling your obligations under GDPR
- Provide mechanisms for data subject rights requests
As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis for processing personal data
- Obtaining necessary consents from data subjects
- Complying with GDPR requirements applicable to controllers
- Informing data subjects about how their data is processed
- Responding to data subject rights requests
We process personal data only:
- As necessary to provide TierSync services
- In accordance with your instructions (implicit through service usage)
- As required by applicable law
We will not:
- Process personal data for purposes other than providing TierSync
- Sell or rent personal data to third parties
- Use personal data for marketing without consent
- Process personal data in violation of applicable laws
We implement the following security measures:
- Encryption: Sensitive data encrypted at rest using AES-256-GCM
- Transmission Security: All data transmitted over HTTPS/TLS
- Access Controls: Authentication and authorization requirements
- Password Security: Passwords hashed using bcrypt
- Regular Updates: Security patches and updates applied promptly
- Audit Logging: Access and processing activities logged
- Personal data is stored in SQLite databases on secure servers
- Sensitive credentials (tokens, keys) are encrypted before storage
- Data is backed up regularly with appropriate security measures
We use the following sub-processors to provide TierSync:
- Stripe, Inc.: Payment processing and subscription management
  - Location: United States
  - Purpose: Process payments, manage subscriptions, handle webhooks
  - Safeguards: Standard Contractual Clauses, Stripe's DPA
- Discord, Inc.: OAuth authentication and API access
  - Location: United States
  - Purpose: Authenticate users, retrieve guild/role information
  - Safeguards: Discord's Terms of Service and Privacy Policy
We will notify you of any changes to sub-processors. You may object to new sub-processors, but such objection may affect our ability to provide services.
As the Controller, you are primarily responsible for responding to data subject rights requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
We will assist you in fulfilling data subject rights requests by:
- Providing access to personal data we process on your behalf
- Correcting or deleting data upon your instruction
- Exporting data in a structured format
- Restricting processing as requested
Data subjects should contact you (the Controller) first. If you require our assistance, contact us at support@tiersync.app with:
- The data subject's request
- Verification of the data subject's identity
- Specific instructions for processing the request
- Active Accounts: Data retained while account is active
- Cancelled Accounts: Data retained for 30 days after cancellation, then deleted
- Webhook Data: Retained for 90 days for audit purposes
- Legal Requirements: Some data may be retained longer if required by law
Upon account cancellation or deletion request:
- Personal data is deleted within 30 days
- Encrypted backups may retain data for up to 90 days
- Deletion is performed securely and irreversibly
In the event of a personal data breach, we will:
- Notify you without undue delay (within 72 hours where feasible)
- Provide details of the breach, including:
  - Nature of the breach
  - Categories and approximate number of data subjects affected
  - Likely consequences
  - Measures taken or proposed to address the breach
You are responsible for:
- Notifying relevant supervisory authorities if required
- Notifying affected data subjects if required
- Taking appropriate remedial action
Personal data may be transferred outside the EEA/UK to:
- Stripe (United States)
- Discord (United States)
- Our hosting providers
We ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Compliance with applicable data protection laws
You have the right to:
- Request information about our security measures
- Request evidence of compliance with this DPA
- Conduct audits (subject to reasonable notice and confidentiality obligations)
We will:
- Maintain records of processing activities
- Cooperate with supervisory authorities
- Provide reasonable assistance for compliance audits
Our liability under this DPA is subject to the limitations set forth in our Terms of Service. We are not liable for:
- Your failure to comply with GDPR as a Controller
- Processing performed outside our instructions
- Third-party breaches (Stripe, Discord) beyond our control
Upon termination of your TierSync account:
- We will cease processing personal data on your behalf
- We will delete or return personal data as instructed
- This DPA will terminate, but certain obligations (confidentiality, data protection) will survive
This DPA is governed by the laws of the United Kingdom and is subject to the jurisdiction of the courts of England and Wales.
For DPA-related inquiries, contact:
BuiltByInk (TierSync)
Email: support@tiersync.app
Website: https://tiersync.app/legal/support
We may update this DPA to reflect changes in law or our practices. Material changes will be:
- Posted on our website with an updated "Last Updated" date
- Communicated to you via email (where applicable)
- Effective 30 days after posting
---
*This Data Processing Agreement is effective as of the date listed above and applies to all users of TierSync.*