Data Processing Addendum

1. Scope and Roles

This Addendum applies when Priowise processes personal data on behalf of the Customer.

• Customer — Data Controller
• Priowise Limited — Data Processor

2. Nature and Purpose of Processing

Processing includes storing data, retrieving data, AI analysis, and generating reports and recommendations.

Data is never used for advertising or profiling.

3. Lawful Basis and Purpose Limitation

Priowise processes personal data on the basis of contractual necessity — to deliver the services described in the Terms of Service. Data is processed solely for the purpose of providing AI-powered product strategy analysis and recommendations.

Priowise personnel do not access, read, or review Customer content (including strategy inputs, roadmap data, or analysis outputs) unless explicitly requested by the Customer for support or troubleshooting purposes. All such access is logged.

4. Data Categories and Subjects

Possible data categories

• Names
• Email addresses
• Job titles
• Team information
• Roadmap or strategy ownership data

Data subjects may include

• Employees
• Contractors
• Authorized users

Retention periods

• Account and workspace data — retained for the duration of the subscription plus 90 days after termination
• Pipeline analysis outputs — retained for the duration of the subscription plus 90 days after termination
• Anonymised usage analytics — retained for up to 3 years
• Billing records — retained for 7 years (UK legal requirement)

5. Subprocessors

Priowise engages the following subprocessors, each bound by equivalent data protection obligations:

• Anthropic — AI model execution (Claude)
• OpenAI — AI model execution (supplementary)
• Tavily — web search and market intelligence retrieval
• Vercel — hosting and content delivery
• Clerk — authentication and subscription management
• Supabase — application database
• Inngest — background job processing
• PostHog — product analytics
• Brevo — transactional email
• Stripe — payment processing

Priowise will notify Customers of material subprocessor changes and provide a reasonable opportunity to object.

6. Data Transfers

International transfers follow:

• EU Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum

7. Security Measures

Security includes:

• Encryption in transit and at rest
• Access control and role-based permissions
• Activity logging
• Backup and recovery systems
• Administrative access to production data is restricted to authorised Priowise personnel and is logged. Customer content is never accessed except upon explicit Customer support request.

8. Data Subject Rights Assistance

Priowise assists Customers with requests involving:

• Access
• Correction
• Deletion
• Restriction
• Portability

9. Data Breach Notification

If a breach occurs, Priowise will notify the Customer without undue delay and provide:

• Breach description
• Affected data scope
• Mitigation actions

10. Termination and Deletion

Upon termination, the Customer may request data return or deletion. Anonymized analytics data may be retained.

11. Audit Rights

Customers may request compliance documentation or conduct audits with reasonable notice (maximum once per year unless required by law).

12. Data Protection Impact Assessment

Priowise has conducted a Data Protection Impact Assessment (DPIA) for its AI agent processing activities, given the systematic use of personal data in automated analysis. The DPIA assessed risks related to data minimisation, AI output accuracy, and third-party subprocessor reliance. Mitigations include: data minimisation in AI prompts, no use of Customer data for model training, and contractual DPA obligations with all subprocessors.

Customers may request a summary of the DPIA findings by contacting privacy@priowise.com.

13. Miscellaneous

This Addendum:

• Forms part of the Terms of Service
• Applies while Priowise processes Customer Data
• Prevails over conflicting provisions regarding data protection

Enterprise customers may request a signed DPA by contacting privacy@priowise.com.