DATA PROCESSING

Last updated March 18, 2024 

Subject to our Terms of Service https://wordpress.com/tos/1 (“Terms of Service” or “Agreement”), we (the folks at Automattic) process Personal Data on behalf of the users of those services (“You” or “User”). We act as the processor under applicable Data Protection Laws, and our users act as the controllers. That Personal Data is called “Controller Data,” as described below.

“Data Protection Laws” means all privacy, security, and data protection laws and regulations that apply to the Personal Data processed by the processor under the Agreement, including, as applicable, the GDPR, Member State laws implementing the GDPR, and the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), each as amended.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC.

“Personal Data” means any information relating to an identified or identifiable natural person or otherwise deemed personal information or personal data (or similar variations of those terms) under Data Protection Laws.

This Data Processing Addendum (“Addendum”) to our Terms of Service explains our data protection obligations and rights as a processor of the Controller Data and our Users as the controllers. Other than the data protection obligations and rights in this Addendum, your Agreement with Automattic will cover everything else.

Please see below to determine which entity your Agreement is with, which depends on where you reside and which Services (as defined in the Terms of Service) you use. We use the term “Designated Countries” to refer to Australia, Canada, Japan, Mexico, New Zealand, Russia, and all European countries.

All Automattic Services (excluding WooCommerce)

• If you reside outside of the Designated Countries: Automattic Inc.
• If you reside in the Designated Countries: Aut O’Mattic A8CIreland Ltd.
• WooCommerce Services (such as WooCommerce, WooCommerce Payments, WooCommerce Shipping, MailPoet, and any products or services purchased from WooCommerce.com.)
• If you reside outside of the Designated Countries: WooCommerce, Inc.
• If you reside in the Designated Countries: WooCommerce Ireland Ltd.

Each of the above is referred to as “Automattic” or “we” in this Addendum.

1. Role of the Parties
   1. 1.1.Concerning the processing of the Controller Data, Automattic is the processor, and the User is the controller. For purposes of this DPA, references to “processor” and “controller” shall be replaced with any corresponding terms with analogous meanings defined under Data Protection Laws (for example, “service provider” and “business” under the CCPA).
2. Scope of the Processing
   1. 2.1.Automattic shall process the Controller Data on behalf of and in accordance with the instructions of the User as specified in Section 2.4. If Automattic is legally required to process Controller Data for another purpose, Automattic will inform the User of that legal requirement unless the law prohibits Automattic from doing so.
   2. 2.2.Automattic certifies that it will not: (a) collect, retain, use, disclose, or otherwise process the Controller Data for any purpose other than as necessary for the specific purpose of performing the services on behalf of the User; (b) collect, retain, use or disclose the Controller Data for a commercial purpose other than providing the services on behalf of the User; (c) process the Controller Data outside of the direct business relationship between User and Automattic; (d) combine the Controller Data with any other Personal Data Automattic collects (directly or via any third party) other than as expressly permitted for processors under Data Protection Laws; or (e) “sell” or “share” (each as defined by the CCPA)  the Controller Data.
   3. 2.3.Automattic processes Controller Data to provide Automattic’s website creation and management services to our Users. Controller Data is comprised exclusively of Personal Data relating to data subjects who use a User’s website, including a User’s customers, subscribers, followers, employees, or other administrative users. Controller Data does not include content or Personal Data collected by Automattic about any of the foregoing persons in that person’s capacity as a user of WordPress.com or another service provided directly to the person by Automattic.
   4. 2.4.
      The type of Controller Data processed by Automattic depends on the services and features that the User decides to implement for the User’s website and may include username and credentials; name; contact information, such as e-mail address, physical address, and telephone number; billing information, such as credit card data and billing address; website usage information, IP address, and other technical data such as browser type, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information; approximate location data (from IP address); personal information discussed in the content of the site or any content you upload, information regarding interactions with the website, such as “comments,” poll responses, “ratings,” and “likes”; and other information directly provided to the User’s website by a visitor to the website, such as contact form submissions.
      
      The duration of processing corresponds to the duration of the Agreement, described in the Terms of Service.
   5. 2.5.The instructions of the User are, in principle, conclusively stipulated and documented in the provisions of this Addendum. Individual instructions that deviate from the stipulations of this Addendum or impose additional requirements shall require Automattic’s written agreement. Automattic will immediately inform the User if, in Automattic’s opinion, an instruction from the User infringes applicable data protection law.
   6. 2.6.The user shall comply with its obligations under Data Protection Laws. The User is responsible for the lawfulness of the processing of the Controller Data. In case third parties assert a claim against Automattic based on the unlawfulness of processing Controller Data or any other violation of Data Protection Law by User, the User shall release Automattic from any and all such claims.
   7. developing, optimizing, and providing its services to the User as well as to other users of the service, provided that if such data is“deidentified” (as defined under Data Protection Law), Automattic will take reasonable measures designed to ensure such data cannot be associated with a natural person and will commit to maintaining this data in deidentified form and not attempt to reidentify this data except to assess the sufficiency of the deidentification. The parties agree that the Controller Data rendered. depersonalized or aggregated as above-mentioned are no longer classified as Controller Data in terms of this Addendum and that Automattic is instructed by User to depersonalize Controller Data in accordance with this clause.

1 If you use our Crowdsignal service, the Crowdsignal Terms and Conditions at https://crowdsignal.com/terms also apply. If you use Akismet, the Akismet Terms of Use at https://akismet.com/tos/ also apply. If you use Day One, the Day One Terms of Use at https://dayoneapp.com/terms-of-use/ also apply. If you use Pocket Casts, the Pocket Casts Terms of Use at https://support.pocketcasts.com/article/terms-of-use-overview/ also apply. If you use Frontity, the Frontity Terms of Use at https://frontity.org/legal/ also apply.