Skip to main content
Capgo logo

Data Processing Agreement

Last updated: June 10, 2026

Definitions

  • In the course of providing the Capgo service to user pursuant to the agreement, Capgo may process service data on behalf of user.
  • In this Data Processing Agreement ("DPA"), "Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of service data and privacy that may exist in any relevant jurisdiction.
  • "data controller", "data processor", "data subject", "personal data" and "processing" shall be interpreted in accordance with applicable Data Protection Legislation.
  • The parties agree that user is the data controller and that Capgo is its data processor in relation to service data that is processed in the course of providing the service.

Privacy and security of your service data

We take measures to protect and secure your data through backups, redundancies, encryption, and access controls. When you use Capgo live updates, Capgo processes update-related data needed to operate, maintain, and support the service.

You entrust us with your service data and we take that trust to heart. You agree that Capgo may process your data as described in our data policy and for no other purpose. We do our best to deserve that trust by being open about who we are, how we work, and keeping an open door to your feedback.

You own all right, title, and interest to your app and update data. We obtain no rights from you to that data. We do not collect and analyze personal information to sell advertisements. We don't sell or share your service data to advertising companies, and we don't abuse your users' privacy.

The purpose of Capgo is to deliver Capacitor live updates without advertising tracking, hardware-derived identifiers, or tracking users across apps, websites, or Capgo customers.

Capgo minimizes data collection. We process only the operational data needed for live-update delivery, update eligibility, monthly active device de-duplication, support, abuse prevention, and operational reliability.

Capgo uses a randomly generated, app-scoped device identifier for live-update operation, update eligibility, de-duplication of monthly active devices, support, abuse prevention, and operational reliability. It is not an advertising ID, is not derived from hardware identifiers, and is not used to track users across apps, websites, or Capgo customers. We treat this identifier as pseudonymous personal data where GDPR applies and protect it through TLS, encryption at rest, access controls, and our DPA/subprocessor controls.

The group of data subjects affected by the processing of their data under this agreement includes end-users of the controller's apps or services that make use of the service provided by the processor.

You can find more information about our processing of your service data and what types/categories of data we collect on your behalf in our publicly available data policy. Data Policy.

Organizational and technical security measures

For security, we use TLS in transit, encryption at rest where applicable, access controls, private networking, backups, and operational safeguards designed to protect service data. Access is limited to authorized personnel who need it for support, abuse prevention, and operational reliability.

Capgo is fully open source software which means that our source code is available and accessible on GitHub so anyone can check it out and audit it. You can read it, inspect it and review it to understand how it works and to ensure it keeps service data private and secure.

With more than 500+ GitHub stars, there are a lot of eyes on our code and it is this transparency and openness that means that open source products can be more trustworthy than proprietary and closed source products. Our software is updated several times per week and on our GitHub page we also have a way for people to report any security vulnerabilities.

Processor's obligations with respect to the controller

  • Capgo will process service data only in accordance with instructions from customer through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with customer's instructions and processing instructions in their use, management and administration of the service; (c) as otherwise instructed through settings of the service. Capgo will only process service data in accordance with the agreement.
  • Capgo shall notify customer without undue delay if, in Capgo's opinion, an instruction for the processing of service data given by customer infringes applicable Data Protection Legislation.
  • Capgo shall guarantee the confidentiality of service data processed hereunder.
  • We as humans can access your data to help you with support requests you make and to maintain and safeguard Capgo to ensure the security of your data and the service as a whole. Capgo shall ensure that all Capgo personnel required to access the service data are trained in GDPR and data privacy, informed of the confidential nature of the data and comply with the obligations sets out in this agreement.
  • Capgo shall implement and maintain appropriate technical and organisational security measures designed to protect the service data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the service data and having regard to the nature of the service data which is to be protected.
  • We do work with sub-processors. With each vendor, we assess their commitment to privacy and we sign a data processing agreement with them that include the controller-processor Standard Contractual Clauses. Any such subcontractors will be permitted to process data only to deliver the services Capgo has retained them to provide, and they shall be prohibited from using data for any other purpose. Capgo shall notify the controller when modifying the list of subprocessors using our in-app notifications, email and/or blog. The controller is able to legitimately object and may terminate the agreement.
  • If Capgo becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Capgo in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. Capgo shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
  • Capgo shall not on its own authority rectify, erase or restrict the processing of service data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller subscription plan.
  • Capgo shall assist the controller in complying with the obligations concerning the security of personal data. Capgo will also provide assistance to the controller for DPIAs. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.

Customer undertakings and Capgo assistance

  • Customer warrants that it has all necessary rights to provide Capgo with service data for processing in connection with the provision of the Capgo Services.
  • Customer shall comply at all times with Data Protection Legislation in respect of all service data it provides to Capgo pursuant to the Agreement.
  • Customer understands, as a controller, that it is responsible (as between customer and Capgo) for:
    1. determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
    2. providing relevant privacy notices to data subjects as may be required in your jurisdiction;
    3. implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
    4. notifying any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.

Liability and Indemnity

  • Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

Are customers required to sign the Capgo DPA?

In order to use our products and services, you need to accept our DPA. By using our product you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.

Can a customer share the Capgo DPA with its customers?

Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.

Do customers need to notify anyone upon accepting our DPA?

No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.

Contact Us

If you have any questions about this Privacy Policy, You can contact us: