Legal · GDPR notice

GDPR notice

Last updated 2026·04·29

This document is a template last updated 2026-04-29. Contact hello@itsmurphy.com — review with legal counsel before relying on it.

01Roles under the GDPR

Murphy can act as a processor when an agency customer decides why and how creator, campaign, brand, and workspace data is processed. Murphy can also act as a controller for its own account administration, billing, security, marketing, and product improvement data.

The exact role should be confirmed in the customer agreement and data processing addendum. This notice explains the intended operational model for a French and EU SaaS serving professional influencer agencies.

02Processing instructions

When Murphy acts as processor, it processes personal data only on documented customer instructions, including configuration choices in the workspace, support requests, authorized integrations, and contractual terms.

If an instruction appears unlawful or conflicts with platform restrictions, Murphy may pause the requested action and ask for clarification. Customers remain responsible for having a lawful basis to invite creators, publish media kits, and share campaign reports.

03Categories of data subjects

Data subjects may include agency employees, creators, creator representatives, brand contacts, prospective customers, support requesters, and website visitors. The product is built for professional use and is not intended for children.

Creator-related data can include professional profile information, social handles, audience metrics, campaign participation, content metadata, disclosure status, and audit events generated by Murphy.

04Security measures

Murphy uses technical and organizational measures such as encrypted transport, access controls, production access restrictions, monitoring, audit logging, backup practices, incident response, and least-privilege administration.

OAuth-only platform connection is a core security measure: creators authorize official platform access and do not share passwords with Murphy or agencies through the product.

05Sub-processing and transfers

Murphy may use sub-processors for EU hosting, database operations, email delivery, observability, support, billing, and security. Sub-processors should be bound by written data protection terms and reviewed before production use.

Murphy intends to host production data in the European Union. If data is transferred outside the European Economic Area, appropriate safeguards such as adequacy decisions, standard contractual clauses, transfer impact assessments, or supplementary measures should be used.

06Assistance with rights and DPIAs

Murphy should assist customers with data subject requests where the customer is the controller and the request concerns workspace data. Assistance may include export, correction, deletion, restriction, and information about processing operations.

Where legally required, Murphy should also provide reasonable information for data protection impact assessments, prior consultation, audit questionnaires, and security reviews related to creator data and campaign compliance workflows.

07Breach notification

Murphy should notify affected customers without undue delay after becoming aware of a personal data breach involving customer data. Notices should include known facts, likely consequences, measures taken, and recommended customer actions where available.

Customers remain responsible for assessing whether notification to a supervisory authority, creators, brands, or other individuals is required in their role as controller.

08Deletion, return, and contact

At the end of service, Murphy should delete or return customer personal data according to the contract, product capabilities, and legal retention obligations. Active OAuth tokens should be revoked or deleted when no longer needed. For GDPR questions, contact hello@itsmurphy.com.