Legal
Data Processing Agreement
Effective date: April 2026 — Version 1.0
1. Parties
Processor: SvareAI, operated by Fire Up The App LLC, a Massachusetts LLC, 145 Great Rd STE 6 Farm Hill Plaza #1043, Acton MA 01720, USA.
Controller: The customer who accepted the Terms of Service.
By accepting the Terms of Service, the Controller enters into this Data Processing Agreement ("DPA"). Enterprise customers may request a countersigned PDF at privacy@svareai.com.
2. Definitions
Terms used in this DPA have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). In particular:
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- Controller — the entity that determines the purposes and means of Processing Personal Data.
- Processor — the entity that processes Personal Data on behalf of the Controller.
- Data Subject — the identified or identifiable natural person to whom Personal Data relates.
- Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- SCCs — Standard Contractual Clauses approved by the European Commission for international data transfers.
3. Subject Matter and Nature of Processing
SvareAI reads, classifies, and drafts replies to inbound emails solely to deliver the service described in the Terms of Service. Processing activities include:
- Reading and ingesting inbound email from Gmail and/or Outlook
- Classifying emails by intent, urgency, sentiment, and spam
- Generating AI-drafted reply suggestions
- Storing emails, classifications, drafts, and audit logs
- Transmitting email content to Anthropic PBC for AI inference
- Sending approved replies on behalf of the Controller
4. Types of Personal Data and Data Subjects
Personal Data processed: email addresses, display names, message content and metadata, and information voluntarily included in emails by correspondents.
Data Subjects: email correspondents and the Controller's employees using SvareAI.
Special category data under Article 9 GDPR is not intentionally collected or processed. If such data is incidentally included in email content, it is processed solely as part of the email handling described above.
5. Processor Obligations
SvareAI shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that all personnel authorised to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures, including TLS encryption in transit, access controls, audit logging, and encrypted credential storage
- Assist the Controller in responding to Data Subject rights requests under Articles 15–22 GDPR
- Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach
- Support the Controller with data protection impact assessments and prior consultations with supervisory authorities where required
- Make available all information necessary to demonstrate compliance and allow for audits on reasonable notice
- Delete or return all Personal Data within 30 days of termination of the service, unless retention is required by applicable law
6. Controller Obligations
The Controller warrants that:
- It has a lawful basis under applicable data protection law for the Processing of Personal Data under this DPA
- It has provided all required privacy notices to Data Subjects whose Personal Data is processed through the service
- It will not instruct SvareAI to process Personal Data in a manner that would violate applicable law
7. Purpose Limitation
Personal Data processed under this DPA is used solely to deliver the SvareAI service. It is never used to train AI models, for product improvement beyond service delivery, or for marketing purposes.
8. Sub-processors
The Controller grants SvareAI general authorisation to engage Sub-processors to perform specific processing activities. SvareAI will notify the Controller at least 30 days before adding or replacing a Sub-processor, providing an opportunity to object.
| Sub-processor | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Anthropic PBC | AI inference for classification and draft generation | United States | Standard Contractual Clauses |
| Stripe, Inc. | Payment processing and subscription billing | United States | Standard Contractual Clauses |
| DigitalOcean LLC | Cloud infrastructure and hosting | United States | Standard Contractual Clauses |
9. International Data Transfers
SvareAI operates from the United States, which does not have an adequacy decision from the European Commission. Transfers of Personal Data from the European Economic Area to the United States are made in reliance on the Standard Contractual Clauses (EC Decision 2021/914). A copy of the applicable SCCs is available on request at privacy@svareai.com.
10. Data Retention and Deletion
Personal Data is retained for the duration of the Controller's active subscription. All Personal Data is deleted within 30 days of termination of the service. Specific deletion requests may be submitted to privacy@svareai.com and will be actioned within 30 days.
11. Security Measures
SvareAI implements the following technical and organisational measures to protect Personal Data:
- TLS 1.2+ encryption for all data in transit
- Role-based access controls for production systems
- OAuth token and API credential encryption at rest
- Comprehensive audit logging of data access and processing activities
- Infrastructure monitoring and alerting
12. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA excludes or limits liability for negligence, fraud, or any liability that cannot be excluded or limited under applicable law.
13. Governing Law
This DPA is governed by the laws of the Commonwealth of Massachusetts, United States, except to the extent that GDPR or Standard Contractual Clause obligations are governed by the law of the relevant EU Member State.
14. Amendments
SvareAI may update this DPA from time to time. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the service after the effective date of any amendment constitutes acceptance of the updated DPA.
15. Contact
For questions about this DPA, data subject requests, or to request a countersigned Enterprise PDF, contact us at privacy@svareai.com.