This addendum applies when you use Summarize Pro on documents containing personal data and you act as controller. It incorporates GDPR Article 28 processor duties.
01Roles and scope
You are the controller of the documents you submit; Summarize Pro is the processor. Processing is limited to producing the summaries and cited claims you request, for the duration of your account.
02Data categories and duration
Whatever personal data your documents contain (you must not submit GDPR Article 9 special-category data, per the terms), plus your account email. Source files are deleted at processing time; summaries persist until you delete them; account data persists until account deletion.
03Subprocessors
Anthropic (model inference, no training on API data), Vercel (hosting, temporary file storage), Supabase (database, EU region), Stripe (billing), Resend (email), Google Analytics (aggregate usage only, no document content). We will announce subprocessor changes on this page at least 14 days before they take effect.
04Security
Encryption in transit everywhere; tokens and sessions stored only as hashes; access to production limited to the operator; source-file deletion implemented in code; per-account isolation on every query.
05International transfers
Database storage is in the EU. Where subprocessors process data in the United States, transfers rely on the mechanisms in their data processing terms (EU-US Data Privacy Framework participation or standard contractual clauses, as applicable to each).
06Assistance, audit, deletion
We assist with data subject requests affecting data we hold, notify you without undue delay of a personal data breach affecting your data, make this page and our records available to demonstrate compliance, and on termination delete the account and all associated data.