Last updated: 26 June 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Ralf ("Processor", "we", "us") and the customer ("Controller", "you") and applies where we process personal data on your behalf in providing the Service. Where there is a conflict, this DPA prevails over the Terms in respect of the processing of personal data. Terms such as "personal data", "processing", "controller", "processor", "sub-processor" and "personal data breach" have the meanings given in applicable data-protection laws, meaning the UK GDPR and Data Protection Act 2018, the EU GDPR, and applicable US state privacy laws including the California Consumer Privacy Act as amended ("Data Protection Laws").
For personal data we process on your behalf to provide the Service — for example data within accounts you connect, and business-contact data used for outreach you configure — you are the controller and we are the processor. For personal data we process for our own purposes — such as your account and billing data, and data used to operate, secure and improve the Service — we are an independent controller and our Privacy Policy applies. You are responsible for the lawfulness of the personal data you provide and the instructions you give, including having a valid lawful basis to process and to send outreach to recipients.
We will: (a) process personal data only on your documented instructions, including as set out in the Terms, this DPA and the settings you configure, unless required by law; (b) tell you if, in our opinion, an instruction infringes Data Protection Laws; (c) ensure personnel authorised to process personal data are bound by confidentiality; (d) implement appropriate technical and organisational security measures (see section 5); (e) provide reasonable assistance, taking into account the nature of processing, to help you respond to data-subject requests and to meet your obligations on security, breach notification, data-protection impact assessments and prior consultation; and (f) make available information reasonably necessary to demonstrate compliance and allow for audits no more than once a year on reasonable notice, subject to confidentiality, which may be satisfied by third-party reports where available.
You give general authorisation for us to engage the sub-processors listed below to process personal data. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance. We will give you at least 30 days' notice before adding or replacing a sub-processor (by updating this page and/or by email). You may object on reasonable data-protection grounds within that period; if we cannot reasonably address your objection, you may terminate the affected part of the Service.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage and backend functions | European Union |
| Vercel | Website and application hosting and delivery | United States / global edge |
| Stripe | Payment processing and subscription billing | United States / Ireland |
| OpenRouter | AI model gateway routing prompts to model providers (including OpenAI, Anthropic, Google and Perplexity) to generate the product's analysis and content | United States |
| DataForSEO | Search, ranking, backlink and domain data | United States / EU |
| Instantly | Delivery of outreach emails you configure, and syncing of replies | United States |
| Ahrefs | Search, backlink, ranking and domain data via its data API | Singapore |
| Resend | Delivery of transactional and service emails (account, notification and verification emails) | United States |
We may update this list as our providers change, with notice as described above.
Where we transfer personal data subject to UK or EU Data Protection Laws to a country without an adequacy decision, we ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses, which are incorporated by reference where applicable.
Taking into account the state of the art, costs and the nature and risk of processing, we maintain appropriate technical and organisational measures, including: encryption of data in transit and, where supported by our infrastructure, at rest; access controls and least-privilege access to production systems; logical separation of customer data and access scoping by account; storage of secrets in a managed secrets store; use of reputable managed cloud infrastructure with regular patching; logging and monitoring; backups with defined retention; and confidentiality obligations on personnel. You are responsible for your own security configuration, access management and credentials.
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf, and will provide information reasonably available to us to help you meet your notification obligations.
On termination of the Service we will delete or return personal data we process on your behalf within 90 days, except where retention is required by law (such as billing records). Routine backups are deleted in line with our retention cycle.
To the extent the California Consumer Privacy Act (as amended) or similar US state laws apply, we act as a service provider. We will not sell or share personal data, and will not retain, use or disclose it except as necessary to provide the Service or as permitted by law, and we will provide reasonable assistance with consumer-rights requests.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
Data-protection and sub-processor questions: hello@ralfhq.com