This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and the FeedPilot operating entity to be confirmed before paid launch (the "Processor") and applies where we process personal data on your behalf in connection with the Service. Where you act as an individual consumer, our Privacy Policy governs and we act as the controller.

1. Roles and scope

The Processor processes personal data only on documented instructions from the Controller, as necessary to provide the Service, and for no other purpose. The subject matter is the classification of feed items you choose to have scored; the duration is the term of your use of the Service.

2. Categories of data and data subjects

• Data subjects: you, the account holder and user of the Service.
• Data: minimal feed-item features (text, author, hashtags, mentions, engagement counts, media metadata, and an optional downscaled frame), account identifiers, and usage metadata. No social passwords, cookies, or session tokens are processed.

3. Sub-processors

The Controller authorizes the Processor to engage sub-processors for model inference, payments, hosting, and authentication. A current list will be maintained and made available, and the Processor will give notice of intended changes so the Controller may object on reasonable data-protection grounds.

4. Security

The Processor implements appropriate technical and organizational measures, including encryption in transit, access controls, least-privilege handling of secrets (server-side only), and data minimization by design. Free, on-device classification keeps item data on your device entirely.

5. International transfers

Where personal data is transferred outside the EEA, the parties rely on an adequacy decision or appropriate safeguards such as the Standard Contractual Clauses, incorporated by reference into this DPA.

6. Data subject requests and assistance

The Processor assists the Controller, taking into account the nature of processing, in responding to data subject requests and in meeting obligations on security, breach notification, and impact assessments. Breaches will be notified without undue delay after becoming aware.

7. Return and deletion

On termination, the Processor will delete or return personal data at the Controller's choice, except where retention is required by law. You can also export or clear local data directly from the extension at any time.

8. Audits

The Processor will make available information necessary to demonstrate compliance and allow for audits in line with applicable law, subject to reasonable confidentiality and security conditions.

To request a countersigned copy once finalized, contact [email protected].