Data Processing Agreement
Last updated: January 3, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between The Prompt Fixer™ ("Processor", "we", "us") and the organization or individual using our services ("Controller", "you") for the processing of personal data in connection with The Prompt Fixer™ service.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual to whom Personal Data relates.
3. Scope of Processing
3.1 Categories of Data Subjects
- Users of the Controller's organization who access The Prompt Fixer™
- Individuals whose information may be included in prompts submitted by users
3.2 Types of Personal Data
- Account information (email address)
- Usage data (feature usage, timestamps)
- Content data (prompts and outputs, if stored)
- Technical data (IP address, device information)
3.3 Purpose of Processing
Personal Data is processed solely for the purpose of providing The Prompt Fixer™ service, including prompt optimization, account management, and service improvement.
4. Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage Sub-processors without prior authorization (see Section 6)
- Assist the Controller in responding to Data Subject requests
- Delete or return all Personal Data upon termination, at the Controller's choice
- Make available information necessary to demonstrate compliance
5. Security Measures
The Processor implements the following security measures:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Access controls and authentication
- Row Level Security (RLS) for data isolation
- Regular security assessments
- Incident response procedures
6. Sub-processors
The Controller authorizes the use of the following Sub-processors:
- Database hosting, authentication, and prompt history storage for logged-in users. Location: United States/EU.
- Application hosting, content delivery, and AI Gateway services. Location: Global (edge network).
- Payment processing. Location: United States.
- AI processing via Anthropic Claude 3.5 Haiku through Vercel AI Gateway with Zero Data Retention (ZDR) enabled. Anthropic is a verified ZDR provider - data is processed transiently and not retained after response generation. Anthropic does not use ZDR-enabled API data for model training. Location: United States.
The Processor will notify the Controller of any intended changes to Sub-processors, providing the Controller an opportunity to object.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling Data Subject requests including: access, rectification, erasure, restriction, portability, and objection. Requests should be submitted to support@thepromptfixer.com.
8. Data Breach Notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
9. International Transfers
Personal Data may be transferred to countries outside the European Economic Area. Such transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms.
10. Data Retention
Personal Data is retained only for as long as necessary to provide the service. Upon account deletion or contract termination, Personal Data is deleted within 30 days, except where retention is required by law.
11. Audit Rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, either directly or through an appointed third-party auditor, with reasonable notice and during normal business hours.
12. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law or for gross negligence or willful misconduct.
13. Term and Termination
This DPA remains in effect for the duration of the Controller's use of The Prompt Fixer™ services. Upon termination, the Processor will delete all Personal Data within 30 days unless instructed otherwise or required by law to retain it.
14. Contact
For questions about this DPA or to request a signed copy, contact: support@thepromptfixer.com