Effective Date: March 21, 2026 · Last Updated: March 21, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ripluo LLC ("Ripluo," "Processor," "we," "our," or "us") and you ("Controller," "you," or "your") and governs Ripluo's processing of personal data on your behalf.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
- "Controller" means you, the Ripluo user who determines the purposes and means of processing personal data of your clients, attendees, vendors, and other contacts through the Service.
- "Processor" means Ripluo LLC, which processes personal data on behalf of the Controller.
- "Sub-processor" means any third party engaged by Ripluo to process personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
- "Personal Data" means any information relating to a Data Subject that is processed by Ripluo on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Service" means the Ripluo platform, including the website at ripluo.com and the application at app.ripluo.com.
2. Scope and Purpose of Processing
Ripluo processes Personal Data on behalf of the Controller solely for the purpose of providing the Service as described in the Terms of Service. This includes:
- Storing and managing event attendee, client, vendor, and sponsor information
- Facilitating communication between the Controller and their contacts through the Service
- Processing proposals, contracts, invoices, and payments on behalf of the Controller
- Generating AI-assisted content (via Buildr AI) based on Controller-provided data
- Providing analytics and reporting on event and business data
Ripluo shall not process Personal Data for any purpose other than as instructed by the Controller or as required by applicable law.
3. Types of Personal Data Processed
The following categories of Personal Data may be processed through the Service:
- Contact Information: Names, email addresses, phone numbers, mailing addresses
- Event-Related Data: RSVP responses, dietary requirements, accessibility needs, seating preferences, meal selections
- Business Data: Company names, job titles, business addresses, organization affiliations
- Financial Data: Invoice amounts, payment records, fee structures (full payment card details are processed by Stripe and not stored by Ripluo)
- Communication Data: Messages, emails, and notifications sent through the Service
- Document Data: Information contained in proposals, contracts, and other documents created through the Service
4. Categories of Data Subjects
Personal Data processed under this DPA relates to the following categories of Data Subjects:
- Event attendees and guests
- Clients and prospective clients of the Controller
- Vendors and suppliers
- Sponsors and partners
- Team members and collaborators invited by the Controller
5. Duration of Processing
Ripluo shall process Personal Data for the duration of the Controller's use of the Service, as governed by the Terms of Service. Upon termination of the Controller's account, Ripluo shall handle Personal Data in accordance with Section 11 of this DPA.
6. Obligations of the Processor
Ripluo shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Ripluo shall inform the Controller of that legal requirement before processing (unless prohibited by law)
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as described in our Privacy Policy Section 8
- Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller, as described in Section 8
- Assist the Controller in responding to Data Subject requests, as described in Section 9
- Assist the Controller in ensuring compliance with data security, breach notification, data protection impact assessments, and prior consultation obligations
- At the Controller's choice, delete or return all Personal Data upon termination, as described in Section 11
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, as described in Section 12
7. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for processing Personal Data and for instructing Ripluo to process Personal Data on its behalf
- Obtain all necessary consents from Data Subjects where required by applicable law
- Provide clear and documented instructions to Ripluo regarding the processing of Personal Data
- Comply with all applicable data protection laws in relation to the Personal Data it controls
- Respond to Data Subject requests and inform Ripluo of any requests that require Ripluo's assistance
8. Sub-processors
The Controller provides general authorization for Ripluo to engage the Sub-processors listed below. Ripluo shall inform the Controller of any intended changes to Sub-processors by updating this DPA and providing at least 30 days' notice via email before the new Sub-processor begins processing Personal Data. The Controller may object to the change within that 30-day period.
If the Controller objects to a new Sub-processor and Ripluo cannot reasonably accommodate the objection, the Controller may terminate the affected Service by providing written notice.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscription management, invoicing | United States |
| Neon | Database hosting (PostgreSQL) | United States |
| Google Cloud | File and image storage | United States |
| Anthropic | AI assistant (Buildr) — processes event context for AI-generated content | United States |
| Resend | Transactional email delivery | United States |
| Kit.com (ConvertKit) | Email marketing and onboarding sequences | United States |
| Replit | Application hosting | United States |
Ripluo shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. Ripluo remains fully liable to the Controller for the performance of each Sub-processor's obligations.
9. Data Subject Rights
Ripluo shall assist the Controller in fulfilling its obligation to respond to Data Subject requests to exercise their rights under applicable data protection laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
If Ripluo receives a request directly from a Data Subject, Ripluo shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required to do so by applicable law.
The Service provides tools that allow the Controller to access, export, correct, and delete Personal Data. For requests that cannot be fulfilled through the Service's built-in features, the Controller may contact Ripluo at support@ripluo.com.
10. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, Ripluo shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
- Provide the Controller with sufficient information to allow the Controller to meet its obligations to report the breach to the relevant supervisory authority and/or affected Data Subjects
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
The notification shall include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of Ripluo's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
11. Data Deletion and Return
Upon termination of the Controller's account or upon the Controller's written request:
- Data Export: The Controller may export their data through the Service's built-in export features (PDF export, data download) prior to account termination
- Data Deletion: Ripluo shall delete all Personal Data within 30 days of account termination, except where retention is required by applicable law (e.g., billing records retained for up to 7 years for tax compliance)
- Backup Purge: Copies of Personal Data in backup systems shall be purged within 30 days following deletion from production systems
- Certification: Upon the Controller's request, Ripluo shall provide written confirmation that Personal Data has been deleted
12. Audit Rights
Ripluo shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. Ripluo shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of an audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Ripluo's operations
- The Controller shall bear the costs of any audit
- Audit findings and all information obtained during the audit shall be treated as confidential
- The Controller may conduct no more than one audit per 12-month period, unless required by a supervisory authority or in the event of a Data Breach
13. International Data Transfers
Ripluo is based in the United States. Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other countries outside of the EEA that have not been deemed to provide an adequate level of data protection:
- Ripluo relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs) adopted by the European Commission, and/or other lawful transfer mechanisms as applicable
- Ripluo shall ensure that Sub-processors involved in international transfers also have appropriate transfer mechanisms in place
- The Controller may request a copy of the applicable transfer mechanisms by contacting support@ripluo.com
14. GDPR Article 28 Compliance
This DPA is intended to comply with the requirements of GDPR Article 28 for data processing agreements between controllers and processors. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
Where Ripluo processes Personal Data subject to data protection laws other than the GDPR (including but not limited to the CCPA/CPRA, UK GDPR, Swiss DPA, or Brazilian LGPD), this DPA shall apply to the extent consistent with those laws, and Ripluo shall comply with its obligations as a service provider or processor under such laws.
15. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party's liability for breaches of its data protection obligations shall be limited in a manner that would prevent the other party from being made whole for damages caused by such breaches to the extent required by applicable law.
16. Term and Termination
This DPA shall remain in effect for the duration of Ripluo's processing of Personal Data on behalf of the Controller. It shall automatically terminate when Ripluo ceases to process Personal Data on behalf of the Controller. Sections 10, 11, 12, and 15 shall survive termination of this DPA.
17. Contact Information
For questions about this Data Processing Agreement, contact us at:
Ripluo LLC
Email: support@ripluo.com
Website: ripluo.com