Data Processing Addendum
Last Updated: November 6, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Use between I Made It Up ("Processor") and you ("Controller") for the use of I Made It Up's services ("Services").
Note: This DPA applies to customers who process Personal Data subject to Data Protection Laws. By using our Services to process Personal Data, you agree to the terms of this DPA.
1. Definitions
| Term | Definition |
| --- | --- |
| Data Protection Laws | All applicable laws and regulations relating to the processing of Personal Data, including the GDPR, CCPA, and any successor legislation. |
| GDPR | General Data Protection Regulation (EU) 2016/679 |
| CCPA | California Consumer Privacy Act |
| Personal Data | Any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller in connection with the Services. |
| Processing | Has the meaning given in applicable Data Protection Laws (collecting, storing, and using data). |
| Sub-processor | Any third party engaged by Processor to process Personal Data. |
| Data Subject | The individual to whom Personal Data relates. |
2. Scope and Purpose
2.1 Application
This DPA applies to the Processing of Personal Data by Processor on behalf of Controller in connection with the Services.
2.2 Processing Activities
Processor shall process Personal Data only:
- To provide the Services as described in the Terms of Use
- To comply with applicable law
- To enforce our terms and policies
- To keep our Services safe and secure
- As otherwise instructed by Controller in writing
2.3 Nature and Purpose of Processing
The nature and purpose of Processing includes:
- Hosting and storing persona data and conversation content
- Generating AI-powered responses using third-party AI models
- Providing authentication and account management
- Processing payments and managing subscriptions
- Providing customer support and service improvements
2.4 Categories of Data Subjects
Data Subjects may include:
- Controller's employees, contractors, and authorized users
- Controller's customers or end users (if applicable)
- Synthetic personas created by Controller (which may reflect characteristics of real individuals)
2.5 Types of Personal Data
Personal Data processed may include:
- Contact information (email addresses, names)
- Account credentials and authentication tokens
- User-generated content (persona descriptions, conversation inputs and outputs, which may contain personal information provided by users)
- Usage data and analytics
- Payment and billing information (processed by Stripe)
Note on AI Processing: When using AI model providers (OpenAI, Anthropic, Google), we send a pseudonymised user identifier for abuse monitoring and your user-submitted content for processing. Your content contains PII only if you choose to input it. AI providers have contractual commitments not to use API data for model training.
3. Duration of Processing
Processor will process Personal Data for the duration of the agreement with Controller, and as required by law or to enforce our terms. Controller may request deletion of Personal Data as described in Section 6 below.
4. Controller and Processor Obligations
4.1 Controller Responsibilities
Controller represents and warrants that:
- It has a lawful basis for Processing Personal Data
- It has provided all necessary notices to Data Subjects
- It has obtained all necessary consents for Processing
- Processing complies with all applicable Data Protection Laws
4.2 Processor Responsibilities
Processor shall:
- Process Personal Data only in accordance with Controller's documented instructions
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures (see Section 5)
- Assist Controller in responding to Data Subject requests (see Section 6)
- Notify Controller of Personal Data breaches without undue delay
- Delete or return Personal Data upon termination, unless required by law to retain it
5. Security Measures
Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
5.1 Technical Measures
- Encryption: Data encrypted at rest and in transit using industry-standard encryption (TLS 1.2+)
- Access Controls: Role-based access controls and authentication mechanisms
- Infrastructure Security: Services hosted on Cloudflare's secure infrastructure with DDoS protection
- User ID Hashing: User identifiers hashed before storage to minimize PII exposure
5.2 Organizational Measures
- Regular security assessments and updates
- Incident response procedures
- Vendor security reviews for Sub-processors
- Confidentiality agreements with personnel
6. Data Subject Rights
Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws, including:
6.1 Rights Supported
- Access: Right to obtain confirmation and access to Personal Data
- Rectification: Right to correct inaccurate Personal Data
- Erasure: Right to deletion of Personal Data
- Restriction: Right to restrict Processing
- Portability: Right to receive Personal Data in a structured format
- Objection: Right to object to Processing
6.2 Procedure
Data Subjects may exercise their rights by:
- Contacting Controller directly (Controller's responsibility to verify identity)
- Using self-service tools within the Services (where available)
- Contacting Processor at privacy@imadeitup.ai (Processor will forward to Controller)
7. Sub-processors
7.1 Authorized Sub-processors
Controller authorizes Processor to engage the Sub-processors listed at imadeitup.ai/subprocessors.
7.2 Sub-processor Requirements
Processor ensures that Sub-processors:
- Are bound by data protection obligations no less protective than this DPA
- Implement appropriate security measures
- Process Personal Data only as instructed
7.3 Changes to Sub-processors
Processor will provide at least 30 days' advance notice before:
- Adding new Sub-processors
- Making material changes to existing Sub-processors
Notification will be sent via email to the Controller's registered address.
Controller may object to a new Sub-processor on reasonable data protection grounds by notifying Processor in writing within 30 days of notice.
Timing of Implementation: Processor will not begin processing Personal Data with the new Sub-processor until the earlier of:
- (a) Controller's written approval, or
- (b) Expiry of the 30-day objection period without objection from Controller
If Controller objects: Processor will either:
- (a) Not engage the Sub-processor and find an alternative, or
- (b) Allow Controller to terminate the agreement without penalty and provide Controller with a 60-day data export period
Controller's failure to object within 30 days constitutes acceptance of the new Sub-processor.
8. International Data Transfers
8.1 Transfer Mechanisms
To the extent Processor transfers Personal Data from the UK or EEA to countries without an adequacy decision, Processor relies on:
- UK International Data Transfer Agreement (UK IDTA) or UK Addendum to EU Standard Contractual Clauses for transfers from the UK
- Standard Contractual Clauses (2021) approved by the European Commission for transfers from the EEA
- EU-U.S. Data Privacy Framework and UK Extension for sub-processors certified under these frameworks
Transfer Safeguards: All data transferred to the United States is transferred to sub-processors who have implemented appropriate safeguards through one or more of these mechanisms.
8.2 Sub-processor Transfers
Processor ensures that Sub-processors located outside the EEA/UK implement appropriate transfer mechanisms and safeguards.
9. Audits and Compliance
9.1 Audit Rights
Upon reasonable written notice and subject to confidentiality obligations, Processor shall allow Controller to:
- Review Processor's security documentation and certifications
- Submit written questions about Processor's data protection practices
- Review Sub-processor agreements and security measures
9.2 Third-Party Audits
Processor may engage independent third-party auditors to verify compliance. Audit reports may be shared with Controller subject to confidentiality agreements.
10. Data Breach Notification
10.1 Notification Obligation
Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
10.2 Breach Information
Notifications shall include, to the extent known:
- Nature of the breach and categories of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
11. Deletion and Return of Data
11.1 Upon Termination
Upon termination or expiration of the agreement, Processor shall:
- Delete all Personal Data in its possession, unless required by law to retain it
- Ensure that Sub-processors delete Personal Data
- Provide certification of deletion upon request
11.2 Data Export
Before deletion, Controller may request export of Personal Data in a commonly used, machine-readable format.
12. Liability and Indemnification
12.1 Processor Liability
Processor shall be liable for damages caused by Processing only where:
- Processor has not complied with obligations under this DPA, or
- Processor has acted outside or contrary to Controller's lawful instructions
12.2 Limitation
Subject to applicable law, Processor's liability is limited as set forth in the Terms of Use.
13. General Provisions
13.1 Conflict
In the event of conflict between this DPA and the Terms of Use, this DPA shall prevail with respect to Processing of Personal Data.
13.2 Amendments
Processor may amend this DPA from time to time to reflect changes in law or business practices. Material changes will be communicated with at least 30 days' notice.
13.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.4 Governing Law
This DPA shall be governed by the laws specified in the Terms of Use.
14. Enterprise Customers
For enterprise customers requiring custom data processing terms, additional security controls, or specific compliance requirements (e.g., HIPAA BAA), please contact us at enterprise@imadeitup.ai.
Custom agreements may include:
- Negotiated data residency options
- Additional audit rights and security controls
- Custom retention and deletion policies
- Business Associate Agreements (BAA) for HIPAA compliance
- Specific Sub-processor approval processes
Contact Information
For questions about this DPA or data processing practices: