Data Processing Addendum

Effective June 2026. This DPA is incorporated into the Raiz’d Terms of Service for every customer whose use of Raiz’d involves personal data subject to GDPR, UK GDPR, or CCPA/CPRA — no separate signature required. If your procurement process needs a countersigned copy, email legal@raizd.xyz and we’ll execute one.

1. Roles and scope

For personal data you submit to Raiz’d — investor contacts, viewer emails, document contents, engagement analytics — you are the controller (or a processor acting for your own controller) and Raiz’d is your processor. We process this data only to provide the service described in the Terms and per your documented instructions given through the product (e.g. creating a link instructs us to track its views). For our own account records and billing, Raiz’d acts as an independent controller under our Privacy Policy.

2. Details of processing

  • Subject matter & duration — providing the Raiz’d service for the life of your account, plus the deletion window below.
  • Nature & purpose — hosting and rendering documents, recording link-view engagement for you, managing your investor pipeline and updates.
  • Categories of data — names, email addresses, firm names, notes you add, viewer emails (when you enable the email gate), page-level engagement metrics, a coarse AI-agent-vs-human label per view (e.g. “Claude”; never the raw user-agent string), and any personal data contained in documents you upload. We do not collect viewer IP addresses.
  • Data subjects — your investors and prospects, people who view your shared links, your team members.

3. Our obligations

  • Process personal data only on your instructions, unless law requires otherwise (in which case we’ll inform you unless legally prohibited).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures — encryption in transit and at rest, row-level security isolation, private document storage with signed-URL access, encrypted integration credentials — as described on our Trust Center.
  • Assist you, taking into account the nature of processing, with data-subject requests (access, deletion, portability) and with your security and impact-assessment obligations.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information reasonably available to us.
  • Make available information reasonably necessary to demonstrate compliance with this DPA, including our subprocessor list and security documentation.

4. Subprocessors

You authorize the subprocessors listed on our Trust Center (currently Supabase, Vercel, Stripe, Resend, and ConvertAPI). We’ll update that page before adding or replacing a subprocessor; if you object on reasonable data-protection grounds and we can’t accommodate you, you may terminate and we’ll delete your data per Section 6. Each subprocessor is bound by data protection obligations no less protective than this DPA.

5. International transfers

Your data is stored in the United States (AWS us-west-1 via Supabase). Where GDPR/UK GDPR applies to a transfer, it is protected by our subprocessors’ EU-approved safeguards — Standard Contractual Clauses and, where certified, the EU-U.S. Data Privacy Framework — as documented in their DPAs.

6. Deletion and return

You can export your data (JSON) and delete your account self-serve from Settings at any time; deletion permanently removes your documents, stored files, links, analytics, and pipeline data. After account deletion or termination, remaining copies are purged from backups in the ordinary course of backup rotation. We’ll also delete or return data on written request to privacy@raizd.xyz.

7. CCPA/CPRA

Where CCPA/CPRA applies, Raiz’d acts as your “service provider”: we do not sell or share personal information received under this DPA, nor retain, use, or disclose it outside the business purpose of providing the service.

8. Liability and order of precedence

This DPA is subject to the limitations of liability in the Terms. If this DPA conflicts with the Terms regarding personal data processing, this DPA controls.

Plain-language summary, not a substitute for your own counsel’s review. Questions: legal@raizd.xyz.