Loading
Last updated: April 27, 2026
When you use DoWorkWithAI, we process some personal data on your behalf (your name, your email, your progress, anything you type into a lesson). This Addendum explains how we process it, who our sub-processors are, where data lives, and what rights you have. It applies on top of our Terms of Service and Privacy Policy.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer” or “Controller”) and DoWorkWithAI (“we,” “us,” or “Processor”). It governs our processing of Personal Data on your behalf in connection with the Service.
Capitalized terms not defined here have the meaning given in our Terms of Service or Privacy Policy. “Personal Data,” “Processing,” “Controller,” “Processor,” “Sub-processor,” and “Data Subject” have the meanings given to them under the EU/UK GDPR and equivalent state privacy laws (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, and similar statutes), as applicable.
For Personal Data you provide to us through your use of the Service (account data, lesson progress, prompt drafts, support messages), you are the Controller and we are the Processor. We process Personal Data only:
Categories of Personal Data we process on your behalf: name, email, hashed password, payment metadata (Stripe handles card data; we never see it), lesson and module progress, prompt drafts and saved prompts, support messages, IP address and device metadata for security and analytics.
Categories of Data Subjects: you (the account holder) and any authorized end users you grant access to under your subscription.
We use the following Sub-processors to deliver the Service. We remain responsible to you for their performance under this DPA.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting and CDN | United States |
| Supabase | Database, authentication, file storage | United States |
| Stripe | Payment processing and subscription billing | United States |
| Resend | Transactional email (receipts, password resets) | United States |
| Groq | Inference for the AI Learning Buddy (no training on your data) | United States |
| Vercel Analytics & Speed Insights | Aggregate, privacy-preserving usage analytics | United States |
We will give reasonable notice (via email to your account address or an update to this page) before adding or replacing a Sub-processor. If you reasonably object to a new Sub-processor on data-protection grounds, you may terminate your subscription and we will provide a pro-rated refund for the unused portion.
We maintain technical and organizational measures appropriate to the risk, including:
Personal Data is stored and processed in the United States. If you or your users access the Service from outside the US, your data will be transferred to and processed in the US. Where a transfer of Personal Data from the EEA, UK, or Switzerland to the US would otherwise be restricted, we rely on the Standard Contractual Clauses (SCCs) and any applicable supplementary measures. Customers who require a counter-signed SCC addendum may request one at the contact below.
We will provide reasonable cooperation and assistance, taking into account the nature of the processing, to help you respond to requests from Data Subjects to exercise their rights under applicable data-protection law — including rights of access, correction, deletion, restriction, portability, and objection. Where it is technically feasible for you to action the request directly through your account (for example: editing your profile, deleting your account, exporting your saved prompts), you should do so first.
We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any confirmed Personal Data Breach affecting Personal Data we process on your behalf. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
On reasonable written request and not more than once per year (except where required by law), we will make available information necessary to demonstrate compliance with this DPA, including the Sub-processor list above, our security measures, and any third-party attestations or reports we hold. For customers above a contractual threshold or where required by applicable law, we will negotiate a bilateral on-site or remote audit on commercially reasonable terms.
On termination of your subscription, you may export your account data through the Service. After 90 days of inactivity following termination, we will delete or de-identify Personal Data we process on your behalf, except where retention is required by law (for example, transaction records required by tax or financial-reporting rules).
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in our Terms of Service.
In the event of a conflict between this DPA and the Terms of Service or Privacy Policy, this DPA controls with respect to the processing of Personal Data on your behalf.
For a counter-signed DPA, an SCC addendum, a security questionnaire response, or any other data-protection question, contact support@doworkwithai.com.