Legal

Policies and agreements for PolyRead AI

Data Processing Agreement (DPA)

Last Updated: December 29, 2024

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Apparent Group Limited ("Processor," "we," "us," or "our") and the entity or individual ("Controller," "you," or "your") using PolyRead AI (the "Service").

This DPA applies when we process Personal Data on your behalf in connection with providing the Service.


1. Definitions

"Data Protection Laws" means all applicable laws relating to data protection and privacy, including:
  • General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • UK General Data Protection Regulation
  • California Consumer Privacy Act ("CCPA")
  • Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong
  • Other applicable data protection laws

"Personal Data" means any information relating to an identified or identifiable natural person that we process on your behalf through the Service.

"Data Subject" means the individual to whom Personal Data relates.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by us to process Personal Data on your behalf.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

    2. Scope and Purpose

    2.1 Roles of the Parties

  • You (Controller): Determine the purposes and means of processing Personal Data
  • We (Processor): Process Personal Data on your behalf according to your instructions

    2.2 Subject Matter and Duration

    | Element | Description |
    |---|---|
    | **Subject Matter** | Processing of Personal Data to provide text-to-speech and voice cloning services |
    | **Duration** | For the term of your subscription plus any retention period specified in our Privacy Policy |
    | **Nature of Processing** | Collection, storage, transformation (text to audio), and delivery |
    | **Purpose** | To provide the PolyRead AI Service as described in our Terms and Conditions |

    2.3 Types of Personal Data

    We may process the following categories of Personal Data on your behalf:

  • Text content (which may contain personal information)
  • Voice recordings (for voice cloning)
  • Generated audio content
  • Metadata associated with content

    2.4 Categories of Data Subjects

    Data Subjects may include:

  • Your employees and contractors
  • Your customers and end users
  • Individuals mentioned in content you process
  • Individuals whose voices are cloned

    3. Obligations of the Processor

    3.1 Processing Instructions

    We will:

  • Process Personal Data only on your documented instructions
  • Inform you if we believe an instruction violates Data Protection Laws
  • Not process Personal Data for our own purposes except as permitted by law

    3.2 Confidentiality

    We will:

  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to perform the Service

    3.3 Security Measures

    We implement appropriate technical and organizational measures to protect Personal Data, including:

    Technical Measures:

    | Measure | Description |
    |---|---|
    | Encryption in Transit | TLS 1.2+ for all data transfers |
    | Encryption at Rest | AES-256 encryption for stored data |
    | Access Controls | Role-based access with authentication |
    | Network Security | Firewalls, intrusion detection, DDoS protection |
    | Secure Development | Security testing, code reviews, vulnerability scanning |

    Organizational Measures:

    | Measure | Description |
    |---|---|
    | Employee Training | Regular security and privacy training |
    | Background Checks | For employees with data access |
    | Access Reviews | Periodic review of access permissions |
    | Incident Response | Documented procedures for security incidents |
    | Vendor Management | Due diligence on sub-processors |

    3.4 Sub-Processing

    We will:

  • Not engage a Sub-processor without your prior written authorization (general or specific)
  • Impose data protection obligations on Sub-processors equivalent to this DPA
  • Remain liable for Sub-processor compliance
  • Provide you with a list of current Sub-processors upon request

    3.5 Data Subject Rights

    We will:

  • Assist you in responding to Data Subject requests (access, rectification, erasure, etc.)
  • Notify you promptly of any Data Subject requests we receive directly
  • Not respond to Data Subject requests without your authorization (unless legally required)

    3.6 Data Protection Impact Assessments

    We will:

  • Assist you with Data Protection Impact Assessments (DPIAs) where required
  • Provide information about our processing activities as needed for your assessments

    3.7 Audits and Inspections

    We will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits and inspections conducted by you or your auditor
  • Provide audit reports and certifications upon request (subject to confidentiality)

    4. Obligations of the Controller

    4.1 Your Responsibilities

    You will:

  • Ensure you have a lawful basis to process Personal Data and share it with us
  • Provide clear instructions regarding the processing of Personal Data
  • Ensure Data Subjects are informed about the processing (through your privacy notice)
  • Obtain necessary consents for voice cloning where required
  • Comply with all applicable Data Protection Laws

    4.2 Lawfulness of Instructions

    You warrant that:

  • Your instructions comply with Data Protection Laws
  • You have all necessary rights and consents to share Personal Data with us
  • You will not instruct us to process Personal Data in violation of applicable laws

    5. Security Incidents

    5.1 Notification

    In the event of a Security Incident, we will:

  • Notify you without undue delay (and in any event within 72 hours) after becoming aware
  • Provide information about the nature of the incident, categories and numbers of Data Subjects affected, likely consequences, and measures taken

    5.2 Incident Response

    We will:

  • Take reasonable steps to mitigate the effects of the Security Incident
  • Cooperate with your investigation of the incident
  • Assist you in meeting your breach notification obligations

    5.3 Notification Format

    Security Incident notifications will include:

  • Description of the nature of the incident
  • Contact point for more information
  • Description of likely consequences
  • Description of measures taken or proposed

    6. Data Transfers

    6.1 Transfer Mechanisms

    For transfers of Personal Data outside of the EEA/UK, we rely on:

    | Mechanism | Description |
    |---|---|
    | Standard Contractual Clauses (SCCs) | EU-approved contractual terms for transfers |
    | UK International Data Transfer Agreement | For UK-originated data |
    | Adequacy Decisions | Where applicable |

    6.2 SCCs Incorporation

    Where transfers are subject to GDPR, the Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference:

  • Module Two (Controller to Processor) applies
  • Annex I (List of Parties) is completed as set out in this DPA
  • Annex II (Technical and Organizational Measures) is as described in Section 3.3

    6.3 UK Transfers

    For transfers from the UK, the UK International Data Transfer Addendum applies in addition to or instead of SCCs as required.


    7. Data Retention and Deletion

    7.1 Retention Period

    We will retain Personal Data only for as long as necessary to provide the Service and comply with our legal obligations.

    7.2 Upon Termination

    Upon termination of your subscription, we will:

  • Delete or return all Personal Data within 90 days (at your choice)
  • Certify deletion upon request
  • Retain only what is required by law

    7.3 Deletion Requests

    You may request deletion of specific Personal Data at any time by contacting privacy@polyreadai.com.


    8. Sub-Processors

    8.1 Current Sub-Processors

    We use the following Sub-processors:

    | Sub-Processor | Purpose | Location |
    |---|---|---|
    | Google Cloud Platform | Cloud infrastructure and hosting | USA/Global |
    | Amazon Web Services | Cloud infrastructure | USA/Global |
    | Stripe, Inc. | Payment processing | USA |
    | MongoDB, Inc. | Database hosting | USA/Global |
    | Clerk | User authentication | USA |
    | SendGrid/Postmark | Transactional email | USA |

    Note: This list may be updated. Current list available at polyreadai.com/legal/sub-processors

    8.2 Sub-Processor Changes

    We will:

  • Notify you of any intended changes to Sub-processors at least 30 days in advance
  • Provide you the opportunity to object to new Sub-processors
  • Where you object, we will work to address your concerns or you may terminate

    8.3 Sub-Processor Notifications

    You can subscribe to Sub-processor change notifications by:

  • Emailing privacy@polyreadai.com with "Subscribe to Sub-processor Updates"
  • Checking polyreadai.com/legal/sub-processors periodically

    9. Liability

    9.1 Limitations

    Each party's liability arising from or related to this DPA is subject to the limitations in the Terms and Conditions.

    9.2 Indemnification

    Each party agrees to indemnify the other for losses arising from the indemnifying party's breach of this DPA or Data Protection Laws.


    10. Term and Termination

    10.1 Term

    This DPA is effective from the date you start using the Service and continues until the relationship terminates.

    10.2 Survival

    Sections relating to confidentiality, data deletion, and liability survive termination of this DPA.


    11. Modifications

    We may update this DPA to:

  • Reflect changes in Data Protection Laws
  • Add new Sub-processors
  • Improve our data protection practices

    Material changes will be notified to you at least 30 days before taking effect.


    12. Contact Information

    For questions about this DPA or our data processing practices:

    Apparent Group Limited
  • Privacy Contact: privacy@polyreadai.com
  • DPO Contact: dpo@polyreadai.com
  • Address: Flat/RM 05-06, 18/F, Hollywood Plaza, 610 Nathan Road, Kowloon, Hong Kong

    Annex I: List of Parties

    Data Exporter (Controller)

  • Name: As specified in your account registration
  • Address: As specified in your account
  • Contact: Your account email
  • Role: Controller

    Data Importer (Processor)

  • Name: Apparent Group Limited
  • Address: Flat/RM 05-06, 18/F, Hollywood Plaza, 610 Nathan Road, Kowloon, Hong Kong
  • Contact: privacy@polyreadai.com
  • Role: Processor

    Annex II: Description of Processing

    | Element | Description |
    |---|---|
    | **Categories of Data Subjects** | End users, individuals in content, voice subjects |
    | **Categories of Personal Data** | Text content, voice recordings, generated audio, metadata |
    | **Special Categories of Data** | None intentionally processed; may be present in user content |
    | **Processing Operations** | Storage, transformation (TTS), delivery, backup |
    | **Frequency** | Continuous during subscription |
    | **Retention** | Duration of subscription + 90 days |


    Annex III: Technical and Organizational Measures

    (See Section 3.3 of this DPA for detailed security measures)

    By using PolyRead AI, you acknowledge and agree to this Data Processing Agreement.