Data Processing Agreement
Last Updated: January 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Reangle Terms of Service and governs the processing of personal data under the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws. This DPA applies when you use Reangle to process personal data of data subjects in the EEA, UK, or other jurisdictions with data protection requirements.
2. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings defined in the GDPR. You (the customer) are the Controller, and Reangle is the Processor. Processing includes storing bookmarks, generating drafts, analyzing content, and posting to connected social media accounts.
3. Scope and Duration
This DPA applies to all Personal Data processed by Reangle on your behalf through the service. The duration of processing is the term of your subscription plus 30 days for account deletion. We process data only on your documented instructions via the service interface and API, unless required by law.
4. Processor Obligations
Reangle will: (a) process Personal Data only on your documented instructions; (b) ensure authorized personnel are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) engage sub-processors only with your prior authorization; (e) assist you in responding to data subject rights requests; (f) assist you with data security, breach notification, and impact assessments; (g) delete or return all Personal Data upon termination; (h) make available all information necessary to demonstrate compliance.
5. Sub-Processors
5.1 Authorization
You provide general authorization for Reangle to engage sub-processors listed in Appendix B. We will inform you of any intended changes to sub-processors at least 30 days in advance.
5.2 Current Sub-Processors (Appendix B)
The following sub-processors are currently engaged by Reangle:
| Sub-Processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database & Auth Infrastructure | United States | SOC 2 Type II, ISO 27001, Standard Contractual Clauses (SCCs) |
| Google LLC | AI Content and Image Generation (Gemini Flash) | United States | EU-US Data Privacy Framework, Google Cloud DPA |
| Stripe, Inc. | Payment Processing | United States | PCI-DSS Level 1, Stripe DPA, SCCs |
| Upstash, Inc. | Redis Caching (optional) | United States | SOC 2 Type II, Encryption at rest & in transit |
| Resend, Inc. | Transactional Email | United States | SOC 2 Type II, Encryption in transit |
| Inngest, Inc. | Background Job Processing | United States | SOC 2 Type II, Encryption at rest & in transit |
Last updated: January 2026
5.3 Changes to Sub-Processors
We will notify you of any intended addition or replacement of sub-processors via:
Notification will be provided at least 30 days before the new sub-processor begins processing your Personal Data.
- Email notification to your registered email address
- In-app notification banner
- Update to this DPA page with a changelog entry
You may object to a new sub-processor on reasonable data protection grounds within 30 days of notification. If you object, we will work with you to find a commercially reasonable solution or allow you to terminate the service without penalty.
5.4 Sub-Processor Obligations Flow-Down
We impose data protection obligations on sub-processors that are substantially the same as those imposed on us under this DPA, including requirements for security, confidentiality, and compliance with data protection laws. We remain fully liable to you for the performance of sub-processors.
6. Security Measures
We implement industry-standard technical and organizational measures including: AES-256-GCM encryption at rest; TLS 1.3 encryption in transit; scrypt key derivation for sensitive credentials; role-based access control (RBAC); regular security audits; employee background checks and confidentiality agreements; secure development practices (code review, dependency scanning); incident response procedures; and regular backups with encryption.
7. Data Breach Notification
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data. Notification will include: description of the breach; categories and approximate number of affected data subjects and records; likely consequences; measures taken or proposed to address the breach and mitigate harm; and contact information for further inquiries. We will reasonably cooperate with you to investigate and remediate the breach.
8. International Data Transfers
Your Personal Data may be transferred to and processed in the United States where our sub-processors are located. For transfers from the EEA/UK to the US, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) EU-US Data Privacy Framework certification (where applicable); and (c) additional safeguards including encryption, pseudonymization, and contractual protections. You can request copies of our SCCs and transfer impact assessments at info@reangle.ai.
9. Data Subject Rights
We will reasonably assist you in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection). You can facilitate most requests via Account Settings (export data, delete account). For requests requiring our assistance, contact info@reangle.ai with the data subject's request details. We will respond within 10 business days with the information or actions needed.
10. Contact & DPO
For questions about data processing, to exercise your rights, or to contact our Data Protection Officer, email info@reangle.ai.