Data Protection Addendum
Last updated: February 2026
This Data Protection Addendum (“DPA”) forms part of the Master Subscription Agreement between Provider and Customer.
1. Scope and roles
1.1 Controller processing. Provider acts as independent controller for: account administration, billing and bookkeeping, usage and subscription logs, website operations, and security and fraud prevention.
1.2 Support content processing. When Customer provides files, screenshots, or content containing personal data for support (“Support Content”), Provider processes it as processor on behalf of Customer.
1.3 Service data. For the core Service (queries, analysis results), Provider is controller. Queries and publicly available Reddit content are processed by AI providers for real-time analysis (inference only); no AI model training is performed.
2. Processor terms (Support Content)
2.1 Subject matter and duration: Technical support processing, limited to issue resolution. Duration: until issue resolved and content deleted.
2.2 Nature of processing: Technical support, debugging, responding to requests.
2.3 Data types: Names, contact details, and other information contained in Support Content.
2.4 Data subjects: Customer’s personnel and end customers.
2.5 Provider processes Support Content only on Customer’s documented instructions.
2.6 Provider ensures persons authorised to process Support Content are bound by confidentiality obligations.
2.7 Provider implements appropriate technical and organisational security measures.
2.8 Subprocessors. Provider may engage subprocessors for Support Content processing, subject to DPAs and SCCs. Current subprocessors are listed in our Privacy Policy (section 5).
2.9 International transfers. Standard Contractual Clauses are used where required for transfers outside the EEA.
2.10 Deletion. Support Content attachments are deleted within 90 days after issue closure (unless legal retention applies). Support ticket records are retained for 2 years.
2.11 Provider assists Customer in responding to data subject requests relating to Support Content.
2.12 Breach notification. Provider notifies Customer without undue delay upon becoming aware of a personal data breach affecting Support Content.
2.13 Audit. Provider makes available information necessary to demonstrate compliance and allows for audits on reasonable written request.
3. Subprocessors and international transfers
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Stripe | Payments | EU/US | DPA, SCCs |
| Railway | Hosting | EU (Amsterdam-West) | DPA |
| OpenAI | AI analysis | US | DPA, SCCs |
| Anthropic | AI analysis | US | DPA, SCCs |
| Reddit API | Data retrieval | US | No PII sent |
| DataForSEO | Search data | EEA | No PII sent |
| Google Analytics | Analytics | US | Consent, SCCs |
4. Liability and precedence
This DPA supplements the Agreement. Liability is governed by the Agreement’s limitation of liability clause. In case of conflict, this DPA prevails for data protection matters.