Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between PurelySearch LLC ("Processor," "we") and the customer ("Controller," "you") for use of Pickrate (the "Service"). It applies where we process personal data on your behalf and you require a DPA to meet your obligations under the GDPR, UK GDPR, CCPA, or similar laws. If you need a countersigned copy, email privacy@pickrate.io.
1. Roles
For personal data contained in your Service content, you are the Controller and we are the Processor. We process that data only to provide the Service and on your documented instructions (which the agreement and your use of the Service constitute), unless required otherwise by law.
2. Scope of processing
- Subject matter — providing the Pickrate Service.
- Duration — the term of your agreement, plus any legally required retention.
- Nature and purpose — hosting, storing, and processing your inputs to run evaluations and return results, plus account and billing operations.
- Types of data — account identifiers (email), billing identifiers, and the content you submit (prompts, competitor lists, configurations) and results.
- Data subjects — your authorized users and any individuals referenced in the content you submit.
3. Our obligations
- Process personal data only on your documented instructions.
- Ensure people authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see Trust & Security), including encryption in transit and at rest and least-privilege access.
- Assist you, taking into account the nature of processing, with data-subject requests and with your security, breach-notification, and impact-assessment obligations.
- Notify you without undue delay after becoming aware of a personal-data breach affecting your data.
- On termination, delete or return personal data, except where retention is required by law.
4. Sub-processors
You authorize us to engage the sub-processors listed below to process personal data. The current list also appears on our Trust & Security page. We will update this list and aim to notify you before a new sub-processor that handles personal data takes effect, so you have the opportunity to object on reasonable grounds. We remain responsible for our sub-processors' performance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Primary database and authentication | United States |
| Railway | Application hosting | United States |
| Stripe | Payment processing and billing | United States |
| Resend | Transactional email delivery | United States |
| Inngest | Background job and workflow processing | United States |
| Anthropic | AI model provider (eval engine) | United States |
| OpenAI | AI model provider (eval engine) | United States |
| Google (Gemini API) | AI model provider (eval engine) | United States |
| Google Analytics | Website usage analytics | United States |
| Cloudflare | DNS | United States |
5. International transfers
We and our sub-processors primarily process data in the United States. Where personal data is transferred from the EEA, UK, or Switzerland, the parties will rely on a lawful transfer mechanism (such as the EU Standard Contractual Clauses), incorporated by reference where applicable.
6. Audits
On reasonable written request, and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA. Where we hold third-party audit reports or certifications in the future, providing those will satisfy this obligation.
7. Liability and precedence
This DPA is subject to the limitation of liability in our Terms of Service. If there is a conflict between this DPA and the Terms on the processing of personal data, this DPA controls.
8. Contact
PurelySearch LLC — privacy@pickrate.io