Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (the “Controller”) and HandwriterAI (the “Processor”) where personal data is processed in the course of providing the Service.

1. Subject matter and duration

Processing is limited to what is necessary to provide the Service to you, and continues for the term of your use of the Service plus any post-termination retention required by law.

2. Categories of data

Identifiers (account email, user id), document content (text you author and the resulting PDFs), handwriting samples used to build your font, and operational metadata (timestamps, audit log entries).

3. Sub-processors

The current list of sub-processors is published on our Privacy page. Material changes are announced by in-product notice.

4. International transfers

The Service stores data in the EU (Frankfurt). Where sub-processors transfer data outside the EEA, transfers rely on Standard Contractual Clauses or equivalent safeguards.

5. Security

Data is encrypted in transit (TLS) and at rest. Access to production is restricted to the project owner. Webhooks are signature-verified. Database row-level security is enforced.

6. Data subject rights

We assist Controllers in fulfilling data subject access, rectification, erasure, and portability requests. Account deletion from Settings triggers permanent erasure within 30 days.

7. Breach notification

We will notify affected Controllers without undue delay after becoming aware of a personal data breach affecting their data.

8. Audit rights

On reasonable written notice, we will provide information necessary to demonstrate compliance with this DPA.

9. Contact

privacy@handwriter.app.