This Data Processing Agreement ("DPA") forms part of the Sight Terms of Service between Sight Limited ("Sight") and the customer ("Customer") who has accepted the Terms of Service. This DPA governs the processing of personal data by Sight on behalf of the Customer in connection with the Sight AI visibility platform (the "Service").
This DPA applies to Pro and Enterprise plan customers. It is intended to satisfy the requirements of applicable data protection law, including the New Zealand Privacy Act 2020, the General Data Protection Regulation (GDPR) (EU) 2016/679, and the UK GDPR where applicable.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data processing matters.
Sight acts as a Data Processor when processing personal data that the Customer provides to Sight or that is generated through the Customer's use of the Service — for example, team member email addresses, user account data, and domain analysis records associated with the Customer's account ("Customer Personal Data").
For purposes of operating and improving the Service, managing billing, and conducting its own analytics and security monitoring, Sight acts as a Data Controller of the personal data it processes for its own purposes. This processing is governed by Sight's Privacy Policy.
The subject matter, duration, nature, purpose, and type of Personal Data processed under this DPA are as described in Annex 1 below and in the Privacy Policy.
As the Data Controller, the Customer agrees to:
As a Data Processor, Sight agrees to:
By accepting this DPA, the Customer provides general authorisation for Sight to engage the following sub-processors to assist in providing the Service. Sight remains liable for the acts and omissions of its sub-processors to the same extent it would be liable if it performed those services directly.
| Sub-processor | Purpose | Location |
|---|---|---|
| Perplexity AI, Inc. | AI query processing — domain name queries are transmitted to the Perplexity AI API to generate AI model responses | United States |
| Anthropic, PBC | AI query processing — domain name queries are transmitted to the Anthropic Claude API to generate AI model responses | United States |
| StableServer | Infrastructure hosting — Customer account data and analysis results are stored on servers hosted with StableServer | New Zealand |
| Stripe, Inc. | Payment processing — Customer billing data and subscription management | United States |
Sight will notify Customers of any intended changes to sub-processors (additions or replacements) by updating this DPA and providing at least 30 days' notice by email. Customers who object to a new sub-processor on reasonable data protection grounds may terminate their subscription and receive a pro-rata refund for any unused prepaid period.
Some of Sight's sub-processors are located in the United States. When Customer Personal Data is transferred to the United States for AI query processing (via the Perplexity AI and Anthropic APIs), such transfers are subject to appropriate safeguards including Standard Contractual Clauses (SCCs) as published by the European Commission, where applicable under GDPR.
Sight takes steps to ensure that transfers of personal data outside New Zealand and the EEA are conducted in accordance with applicable data protection law and are subject to appropriate contractual protections.
For Enterprise customers requiring specific transfer mechanism documentation, please contact dpa@onsight.nicobarragan.co.nz.
Sight implements the following technical and organisational measures to protect Customer Personal Data:
Sight will assist the Customer in responding to data subject rights requests received from individuals whose personal data is processed through the Service. These rights include the right to access, rectify, erase, restrict processing, obtain portability of, and object to processing of their personal data.
If Sight receives a data subject rights request directly from a data subject relating to Customer Personal Data, Sight will promptly forward the request to the Customer and not respond directly unless instructed to do so. Sight will provide the Customer with the cooperation and information reasonably necessary to respond to such requests within the legally required timeframes (typically 30 days under GDPR and the NZ Privacy Act).
Upon the Customer's written request, Sight will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA, including Sight's most recent security assessment summary.
The Customer may conduct a data processing audit of Sight's relevant facilities and procedures with a minimum of 30 days' written notice, no more than once per calendar year, and subject to reasonable confidentiality obligations. The costs of any such audit shall be borne by the Customer, unless the audit reveals a material breach of this DPA by Sight.
This DPA remains in force for the duration of the Customer's active subscription to the Service. It terminates automatically upon expiry or termination of the Customer's subscription.
Upon termination of the subscription for any reason, Sight will, at the Customer's election, either delete or return all Customer Personal Data within 90 days of the termination date, except to the extent that Sight is required to retain the data by applicable law or regulation. Sight will confirm deletion in writing upon request.
Provisions of this DPA that by their nature should survive termination (including audit rights and breach notification obligations) shall survive termination of this agreement.
For questions about this DPA, data processing practices, or to exercise rights under this agreement, please contact our data protection contact:
Email: dpa@onsight.nicobarragan.co.nz
Postal address: Sight Limited, Auckland, New Zealand
We aim to respond to all DPA-related inquiries within 5 business days.
Annex 1 — Subject Matter and Nature of Processing: The subject matter of processing is the operation of the Sight AI visibility platform. Processing includes storage of account data (names, email addresses), analysis of domain names provided by the Customer, and generation of AI visibility reports. The duration of processing is the term of the Customer's subscription. The type of personal data includes name, email address, IP address, browser information, and usage data. The categories of data subjects include the Customer's team members and users.