Data Processing Agreement

Last updated: April 6, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between BattlecardAI ("Processor") and the customer ("Controller") for the provision of competitive intelligence services.

2. Definitions

"Personal Data" means any data relating to an identified or identifiable natural person that is processed by BattlecardAI on behalf of the Controller. "Processing" means any operation performed on Personal Data.

3. Scope of Processing

BattlecardAI processes the following categories of data on behalf of Controllers:

  • Account information (name, email address)
  • Competitor intelligence data (publicly available reviews, mentions, pricing information)
  • User-created content (notes, deals, battlecard annotations)
  • Usage data (feature usage, login activity)

4. Data Subject Rights

BattlecardAI supports Controllers in fulfilling data subject requests under GDPR including:

  • Right of Access: Users can export all their data via Profile → Download my data
  • Right to Erasure: Users can delete their account, which cascade-deletes all associated data
  • Right to Portability: Data export is provided in machine-readable JSON format

5. Security Measures

BattlecardAI implements appropriate technical and organizational measures including:

  • Encryption of data in transit (TLS 1.3)
  • Encrypted session storage
  • Rate limiting on authentication endpoints
  • Continuous database backups via Litestream
  • Error monitoring and incident response

6. Sub-processors

BattlecardAI uses the following sub-processors:

  • Anthropic (Claude API) — AI analysis of competitor data (US)
  • Resend — Transactional email delivery (US)
  • DodoPayments — Subscription billing (EU)
  • Hetzner — Infrastructure hosting (EU)
  • Cloudflare — CDN, DNS, and R2 storage (Global)

7. Data Retention

Personal data is retained for the duration of the service agreement. Upon account deletion, all personal data is permanently removed within 24 hours.

8. Contact

For data processing inquiries, contact: [email protected]