Data Processing Addendum

Last updated June 10, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Rebase and the Customer and governs Rebase’s processing of personal data on the Customer’s behalf.

This DPA applies where Rebase (Collectables Ltd, “Processor”) processes personal data on behalf of the Customer (“Controller”) in providing the service, and where such processing is subject to data-protection laws including the EU/UK GDPR. Capitalized terms not defined here have the meaning in our Terms of Service.

1. Roles & scope

The Customer is the controller and Rebase is the processor of personal data contained in Customer Data (the feedback, tickets, comments, and associated diagnostic context captured through the widget). Rebase processes that data only to provide the service and per the Customer’s documented instructions (including these Terms and configuration choices).

2. Nature & purpose of processing

Capturing on-page feedback; generating and storing structured tickets; syncing tickets to connected issue trackers; enabling collaboration and notifications; and providing support, security, and billing.

3. Categories of data subjects & personal data

  • Data subjects: the Customer’s team members and the end-users of the Customer’s website who submit or are referenced in feedback.
  • Personal data: identifiers (name, email, username), ticket content, and diagnostic context (screenshots, console/network metadata, device/browser information, interaction trail), subject to the masking and scrubbing described in the Privacy Policy.
  • Special-category data: not intended to be processed. The Customer must configure masking to avoid submitting it.

4. Processor obligations

  • Process personal data only on documented instructions from the Controller;
  • Ensure personnel authorized to process data are bound by confidentiality;
  • Implement appropriate technical and organizational measures (Annex II);
  • Assist the Controller with data-subject requests and with security, breach-notification, and impact-assessment obligations, taking into account the nature of processing;
  • Delete or return personal data at the end of the service as described below.

5. Subprocessors

The Customer authorizes Rebase to engage the subprocessors listed on our Subprocessors page. Rebase imposes data-protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. Rebase will give notice of intended additions or replacements (via the subprocessor-change notification list), and the Customer may object on reasonable data-protection grounds.

6. International transfers

Where processing involves transferring personal data outside the EEA/UK to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference.

7. Security measures (Annex II)

  • Encryption of personal data in transit (TLS) and at rest;
  • Screenshots stored in access-controlled object storage, served only via short-lived signed URLs;
  • Client-side masking of password, payment, hidden, and customer-marked fields, plus URL/secret scrubbing, before capture;
  • Short-lived, rotated authentication tokens; least-privilege access to production;
  • Logging, monitoring, and regular review of access.

8. Data-subject requests

Taking into account the nature of processing, Rebase will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests. If a data subject contacts Rebase directly, we will refer them to the relevant Customer.

9. Personal data breaches

Rebase will notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, and will provide information reasonably available to assist the Controller’s own obligations.

10. Deletion & return

On termination, Rebase will delete or return Customer Data within a reasonable period, except where retention is required by law. Screenshots are deleted on the Customer’s configured schedule (90 days by default). Backups are purged on their normal rotation.

11. Audits

Rebase will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits subject to reasonable confidentiality, scope, and frequency limits.

12. Contact

To request a countersigned copy of this DPA or to raise a data-protection matter, email support@rebase.dev.