Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Humanizer PRO ("Processor", "we", "us") and the user ("Controller", "you") and governs the processing of personal data in connection with the Humanizer PRO text humanization service available at texthumanizer.pro.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined under GDPR (Article 4(1)).
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
- Data Subject: The individual whose personal data is processed.
- Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Humanizer PRO text humanization service, which includes:
- Receiving and processing text submitted by the Controller for humanization.
- Authenticating users and managing accounts.
- Tracking word usage and enforcing subscription limits.
- Processing payments for subscription plans and word bundles.
2.1 Categories of Data Subjects
Users of the Humanizer PRO service, including individuals who create accounts and submit text for processing.
2.2 Types of Personal Data Processed
| Data Type | Purpose | Retention |
| --- | --- | --- |
| Email address | Account creation, authentication, communication | Duration of account |
| Name (if provided) | Account personalization | Duration of account |
| Text content submitted | Humanization processing | Transient; not stored after processing unless saved to history |
| Usage statistics | Service delivery, billing enforcement | Duration of account |
| Payment information | Subscription and billing (via Stripe) | Managed by Stripe; not stored by Processor |
| Authentication tokens | Session management, OAuth access | Session duration or token expiry |
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS/HTTPS) and at rest.
- Assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection).
- Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation obligations.
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless storage is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
4. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase (Supabase Inc.) | Database hosting, user authentication | United States (AWS) |
| Rephrasy | Text humanization API processing | United States |
| Stripe (Stripe Inc.) | Payment processing | United States |
| Resend (Resend Inc.) | Transactional email delivery | United States |
| Replit (Replit Inc.) | Application hosting | United States |
Each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
5. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by the European Commission, where applicable.
- The EU-US Data Privacy Framework, where the sub-processor is certified.
6. Security Measures
The Processor implements the following technical and organizational security measures:
- Encryption in Transit: All data is transmitted via HTTPS/TLS.
- Encryption at Rest: Database storage is encrypted via Supabase (AES-256).
- Access Control: Role-based access control with least-privilege principles; admin access protected by separate credentials.
- Authentication: OAuth 2.1 with PKCE for MCP integrations; Supabase Auth with JWT for web sessions.
- Rate Limiting: API rate limiting to prevent abuse (30 requests/minute per IP on MCP endpoints).
- Data Minimization: Only data necessary for service delivery is collected and processed.
- Incident Response: Documented procedures for breach detection, containment, and notification.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests, including:
- Right of Access: Providing copies of personal data upon request.
- Right to Rectification: Correcting inaccurate data.
- Right to Erasure: Deleting personal data and associated records.
- Right to Data Portability: Exporting data in a machine-readable format.
- Right to Restriction: Restricting processing upon request.
- Right to Object: Ceasing processing upon valid objection.
Requests will be responded to within 30 days of receipt.
8. Data Breach Notification
In the event of a personal data breach, the Processor will:
- Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach.
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller in notifying the relevant supervisory authority and affected data subjects where required.
9. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor will cooperate with such audits and provide access to relevant information, systems, and premises upon reasonable notice.
10. Duration and Termination
This DPA remains in effect for the duration of the Controller's use of the Humanizer PRO service. Upon termination:
- The Processor will, at the Controller's choice, delete or return all personal data within 30 days.
- The Processor may retain data where required by applicable law, with continued confidentiality obligations.
11. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor will be liable for damage caused by processing that does not comply with this DPA or applicable data protection law.
12. Governing Law
This DPA is governed by the laws applicable to the Terms of Service. For data subjects in the EEA, the provisions of GDPR shall apply in addition to any local laws.