Conversion BoosterConversion Booster
Toggle menu
Start for Free

Data Processing Addendum

Last Updated: 14th April 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between Conversion Booster (ABN 78630438911) ("Conversion Booster", "we", "us", "our") and the customer or organisation using our Services ("Customer", "you", "your").

This DPA applies where Conversion Booster processes personal data on behalf of a Customer in connection with the Conversion Booster website, app, dashboard, tracking tools, analytics platform, reports, recommendations, and related services (collectively, the "Services").

For the purposes of this DPA, the Customer is the Data Controller and Conversion Booster is the Data Processor in respect of Customer Personal Data processed on the Customer's behalf.

2. Purpose of this DPA

This DPA is intended to help the parties meet applicable requirements under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and related data protection laws where those laws apply to the Services.

This DPA does not replace the Customer's own responsibility to determine whether and how GDPR, UK GDPR, ePrivacy, cookie, electronic communications, marketing, surveillance, or similar laws apply to the Customer's websites, notices, consents, data collection, and use of the Services.

3. Definitions

In this DPA:

  • Controller, processor, data subject, personal data, processing, and supervisory authority have the meanings given to them under applicable data protection laws;
  • Customer Personal Data means personal data that Conversion Booster processes on behalf of the Customer as a processor in connection with the Services;
  • Customer Data means data submitted to, collected through, generated by, or stored in the Services for or on behalf of the Customer;
  • Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data; and
  • Subprocessor means another processor engaged by Conversion Booster to process Customer Personal Data on behalf of the Customer.

4. Roles of the Parties

The Customer determines the purposes and means of processing Customer Personal Data and is the Controller of that data. Conversion Booster processes Customer Personal Data only on behalf of the Customer and is the Processor of that data.

Where Conversion Booster processes personal data for its own business purposes, such as account administration, billing, fraud prevention, service security, legal compliance, and customer communications, Conversion Booster may act as an independent controller as described in our Privacy Policy.

Website Visitor Data collected through the Services is designed to be aggregated and non-identifying. To the extent any such data is considered personal data under applicable law, Conversion Booster processes that data as a Processor on behalf of the Customer, except where we are legally required to process it for our own compliance, security, or legal purposes.

5. Scope, Nature, and Purpose of Processing

Conversion Booster processes Customer Personal Data only as reasonably necessary to provide, operate, maintain, secure, support, and improve the Services, including to generate analytics, reports, recommendations, dashboards, and related product features requested by the Customer.

The subject matter, duration, nature, purpose, data subjects, and categories of data are described in Section 21.

6. Customer Instructions

The Customer instructs Conversion Booster to process Customer Personal Data as necessary to provide the Services and in accordance with the agreement, this DPA, the Customer's configuration of the Services, and any other documented written instructions agreed by the parties.

Conversion Booster will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or international organisation, unless required to do so by applicable law. If applicable law requires processing outside those instructions, Conversion Booster will inform the Customer before processing unless the law prohibits such notice.

Conversion Booster will inform the Customer if, in our reasonable opinion, an instruction infringes applicable data protection law.

7. Customer Responsibilities

The Customer is responsible for:

  • Determining and documenting a valid legal basis for processing Customer Personal Data;
  • Providing all required notices to data subjects;
  • Obtaining and maintaining any required consents, permissions, or opt-ins;
  • Ensuring the Customer's use and configuration of the Services complies with applicable law;
  • Ensuring the Customer is entitled to provide Customer Personal Data to Conversion Booster for processing;
  • Responding to data subject requests unless the Services or this DPA require Conversion Booster assistance;
  • Ensuring Customer instructions are lawful, accurate, and complete;
  • Not using the Services to collect sensitive categories of personal data unless expressly agreed in writing; and
  • Maintaining appropriate privacy, cookie, consent, and tracking notices for any websites or digital properties where the Services are implemented.

8. Confidentiality

Conversion Booster will ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations or an appropriate statutory obligation of confidentiality.

Access to Customer Personal Data is limited to personnel, contractors, and Subprocessors who need access to provide, secure, support, or maintain the Services.

9. Security Measures

Conversion Booster will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the nature of the data, the risks of processing, and the state of the art.

These measures may include:

  • Encryption in transit and, where appropriate, at rest;
  • Access controls, authentication, and least-privilege access practices;
  • Logical separation of customer data where appropriate;
  • Logging, monitoring, and security review processes;
  • Secure cloud infrastructure and deployment controls;
  • Backup, resilience, and disaster recovery measures appropriate to the Services;
  • Vendor and Subprocessor review processes; and
  • Internal policies and procedures designed to protect Customer Personal Data.

10. Subprocessors

The Customer gives Conversion Booster general written authorisation to engage Subprocessors to process Customer Personal Data for the purposes described in this DPA.

Conversion Booster will impose data protection obligations on Subprocessors that are no less protective in substance than those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

Conversion Booster remains responsible to the Customer for the performance of its Subprocessors' obligations where required by applicable data protection law.

If Conversion Booster adds or replaces a Subprocessor in a way that materially affects the processing of Customer Personal Data, we will provide notice by updating the relevant public documentation, by email, in-app notice, or another reasonable method. The Customer may object on reasonable data protection grounds by contacting us promptly after receiving notice.

11. Assistance with Data Subject Requests

Taking into account the nature of the processing, Conversion Booster will provide reasonable assistance to the Customer, insofar as possible, to help the Customer respond to requests from data subjects exercising rights under applicable data protection laws.

If Conversion Booster receives a data subject request relating to Customer Personal Data, we will, where legally permitted, refer the requester to the Customer or notify the Customer. Conversion Booster will not independently respond to such a request except on the Customer's documented instructions or as required by applicable law.

12. Security Incident Notification and Assistance

If Conversion Booster becomes aware of a Security Incident affecting Customer Personal Data, we will notify the Customer without undue delay after becoming aware of it.

The notice will include information reasonably available to Conversion Booster to help the Customer assess the incident and meet any legal notification obligations, such as the nature of the incident, categories of data affected, likely consequences, and measures taken or proposed to address the incident.

Conversion Booster will take reasonable steps to contain, investigate, and remediate the Security Incident where it is within our control. Notification of a Security Incident is not an admission of fault or liability.

13. DPIAs and Regulatory Assistance

Taking into account the nature of the processing and the information available to Conversion Booster, we will provide reasonable assistance to the Customer with data protection impact assessments, prior consultations with supervisory authorities, and similar regulatory obligations where such assistance relates to processing carried out by Conversion Booster on behalf of the Customer.

14. Deletion or Return of Customer Personal Data

Upon termination of the Services or upon the Customer's documented request, Conversion Booster will delete or return Customer Personal Data within a commercially reasonable period, unless applicable law requires continued storage.

Customer Personal Data may remain temporarily in backups, logs, or disaster recovery systems until those systems are overwritten or cycled in the ordinary course. Conversion Booster may retain limited information where required by law or reasonably necessary for billing records, fraud prevention, dispute resolution, security, compliance, or enforcement of legal rights.

15. Audits and Compliance Information

Conversion Booster will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and commercial sensitivity restrictions.

If required by applicable data protection law, the Customer may request an audit of Conversion Booster's processing of Customer Personal Data. Any audit must be reasonable in scope, frequency, timing, and duration, must not compromise the security or confidentiality of other customers or systems, and must be conducted at the Customer's cost unless applicable law requires otherwise.

The parties will first seek to satisfy audit requests through documentation, security summaries, policies, or third-party audit reports where available.

16. International Transfers

Conversion Booster and its Subprocessors may process Customer Personal Data in Australia, the United States, the European Economic Area, the United Kingdom, and other countries where Conversion Booster or its Subprocessors operate.

Where Customer Personal Data protected by the GDPR or UK GDPR is transferred to a country that does not benefit from an applicable adequacy decision, the parties will use an appropriate transfer mechanism where required by law, such as the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, or another lawful transfer mechanism.

Where the Standard Contractual Clauses apply, the parties agree that Module Two (controller to processor) applies to transfers from the Customer as controller to Conversion Booster as processor, unless another module is required by the facts of the transfer.

17. No Sale of Customer Personal Data

Conversion Booster does not sell Customer Personal Data. We process Customer Personal Data only as described in the agreement, this DPA, the Privacy Policy, and the Customer's documented instructions, or as otherwise required by law.

18. Restricted Data

The Services are not intended for processing special categories of personal data, criminal offence data, government identifiers, health data, children's data, payment card numbers, or other highly sensitive personal data unless Conversion Booster expressly agrees in writing.

The Customer must not submit or configure the Services to collect restricted data unless the Customer has obtained Conversion Booster's prior written approval and has implemented all legally required safeguards.

19. Limitation

This DPA is designed to allocate data protection responsibilities between the Customer and Conversion Booster. It does not by itself guarantee that the Customer's use of the Services is compliant with GDPR, UK GDPR, ePrivacy, cookie, or other applicable laws.

The Customer remains responsible for its own legal compliance, including whether notices, consents, opt-outs, records of processing, data protection impact assessments, representative appointments, or other measures are required.

20. Order of Precedence

If there is a conflict between this DPA and the agreement, this DPA will control to the extent of the conflict for matters relating to the processing of Customer Personal Data. If the Standard Contractual Clauses apply and conflict with this DPA, the Standard Contractual Clauses will control to the extent of that conflict.

21. Processing Details

Subject matter: Provision of the Conversion Booster Services to the Customer.

Duration: For the term of the Customer's use of the Services and any additional period required for deletion, backup cycling, legal compliance, dispute resolution, or agreed retention.

Nature and purpose: Hosting, receiving, transmitting, securing, analysing, aggregating, reporting, and otherwise processing Customer Personal Data to provide analytics, dashboards, recommendations, support, account administration, security, and related Services.

Categories of data subjects: Customer personnel, account users, prospective customers, support contacts, website visitors whose data is collected through the Customer's implementation of the Services, and other individuals whose personal data is submitted to or processed through the Services by or on behalf of the Customer.

Categories of personal data: Account contact details, login and authentication metadata, support communications, website and device data, page paths, referrer and campaign parameters, event timestamps, coarse location data, app usage events, click or interaction data, conversion-related events, and other data submitted to or generated through the Services.

Special categories of data: None intended. The Customer must not submit special categories of personal data unless expressly agreed in writing.

Frequency of processing: Continuous or as otherwise initiated by the Customer's use and configuration of the Services.

22. Technical and Organisational Measures

Conversion Booster maintains technical and organisational measures designed to protect Customer Personal Data, including access control, encryption in transit, infrastructure security, vendor management, restricted personnel access, monitoring, backup and recovery measures, and security review practices appropriate to the nature of the Services.

Conversion Booster may update these measures over time, provided that the updates do not materially reduce the overall security of the Services.

23. Contact

If you have questions about this DPA or need to make a data protection request relating to Customer Personal Data, please contact us at:

Conversion Booster (ABN 78630438911)
Email: support@conversionbooster.co