1. Parties and applicability
This Data Processing Addendum (“DPA”) is entered into between:
- Customer: the entity that has accepted our Terms of Service for business use, acting as Controller of personal data (or as Processor on behalf of its own Controller); and
- HotPrompt: the operator of the Service, acting as Processor with respect to the personal data Customer submits to the Service.
This DPA applies to the extent the GDPR, the UK GDPR, the Swiss FADP or the CCPA/CPRA applies to Customer's use of the Service. For consumers and individuals signing up in a personal capacity, this DPA does not apply and the Privacy Policy fully governs.
2. Definitions
Capitalised terms not defined here have the meanings given to them in the GDPR. “Data Protection Laws” means the GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and any other applicable data-protection law. “Customer Personal Data” means personal data that Customer or its end users submit to HotPrompt for processing.
3. Subject matter and details of processing
| Field | Details |
|---|---|
| Subject matter | Provision of the HotPrompt prompt-optimisation service, including AI-assisted generation, saving and organising of prompts. |
| Duration | For the term of Customer's subscription, plus the retention windows in Section 6 of the Privacy Policy. |
| Nature and purpose | Authentication, prompt generation, billing, fraud / abuse prevention, customer support and product analytics. |
| Categories of data subjects | Customer's users, contractors and contacts; subjects depicted in any images or video frames Customer chooses to upload. |
| Categories of personal data | Email addresses, account credentials (hashed), prompt content, uploaded images and video frames, IP addresses, user-agent strings, usage telemetry and (via Creem) billing metadata. |
| Special categories | Not intentionally processed. Customer is responsible for not submitting special-category personal data unless it has a lawful basis to do so. |
4. HotPrompt's obligations
HotPrompt will:
- process Customer Personal Data only on documented instructions from Customer, including those embodied in Customer's use of the Service and these legal documents;
- ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
- implement appropriate technical and organisational measures (Annex A) to ensure a level of security appropriate to the risk;
- assist Customer in responding to data-subject requests and meeting its own obligations under Articles 32-36 GDPR, taking into account the nature of processing;
- notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data;
- on termination, delete or return Customer Personal Data within ninety (90) days, except to the extent retention is required by law; and
- make available all information reasonably necessary to demonstrate compliance with this DPA and allow for audits subject to the limits in Section 8 (Audits).
5. Customer's obligations
Customer will:
- have a valid lawful basis under Data Protection Laws for the personal data it submits to the Service;
- provide all required transparency notices to its data subjects;
- not submit special-category personal data, children's data, or personal data of EU/UK/CA residents that it has not lawfully obtained;
- maintain the security of its account credentials and not share its account; and
- respond to data-subject requests it receives, including by configuring or instructing HotPrompt where assistance is needed.
6. Sub-processors
Customer hereby provides a general written authorisation for HotPrompt to engage the following sub-processors. We will give Customer thirty (30) days' advance notice before adding a new sub-processor that materially affects Customer Personal Data, by updating this page (and Customer may object on reasonable data-protection grounds — see Section 9).
| Sub-processor | Service | Region | Transfer mechanism |
|---|---|---|---|
| Creem.io | Merchant of Record — payment processing, billing, tax, customer portal, Moderation API | Global | SCCs (where applicable) + UK IDTA |
| Cloudflare, Inc. | Hosting (Pages / Workers), D1 database, KV store, CDN, DDoS protection | Global edge | SCCs + UK IDTA; EU-US DPF certified |
| kie.ai | OpenAI-compatible router to LLM and vision providers (OpenAI, Google, Anthropic and others) | Global | SCCs + upstream provider DPFs / SCCs |
| Google LLC (Analytics 4) | Aggregated product analytics (cookie-based) | EU + US | EU-US DPF; SCCs |
7. International transfers
Where Customer Personal Data is transferred from the European Economic Area, United Kingdom or Switzerland to a country not recognised as providing an adequate level of protection, the parties rely on the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK International Data Transfer Addendum, which are incorporated by reference. For transfers from Switzerland, the SCCs apply as adapted under the Swiss FADP.
8. Audits
HotPrompt will make available the information described in Article 28(3)(h) GDPR — including security certifications and sub-processor reports — to Customer on reasonable written request, no more than once per twelve-month period (unless required more frequently by a regulator). Where Customer reasonably requires more information, the parties will agree in good faith on an appropriate on-site or remote audit.
9. Objection to new sub-processors
Customer may object to a new sub-processor by emailing [email protected] within thirty (30) days of our notice, on reasonable data-protection grounds. If we cannot reasonably accommodate the objection, Customer may terminate the subscription for convenience and receive a pro-rated refund of any prepaid fees for the unused portion of the term.
10. Liability
The liability provisions of the Terms of Service apply equally to this DPA. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Data Protection Laws.
11. Changes
We may update this DPA to reflect (a) new sub-processors, (b) regulatory changes, or (c) changes to the technical and organisational measures. Material changes are announced at least thirty (30) days in advance via the on-page sub-processor list.
Annex A — Technical and organisational measures
- Encryption. TLS in transit for all public traffic; AES-256 at rest where supported by the hosting layer (Cloudflare D1 and KV); hashed passwords (PBKDF2-SHA256 with per-user salt).
- Access control. Least-privilege production access for the engineering team; multi-factor authentication on administrative consoles; rotation of credentials on personnel change.
- Network security. All traffic terminates at the Cloudflare edge with WAF and DDoS mitigation; per-route rate limiting; IP-based abuse detection.
- Application security. Input validation and payload-size caps on every public endpoint; strict CORS; session-cookie hardening (HttpOnly, Secure, SameSite=Lax); environment-isolated secrets.
- Moderation. Creem Moderation API on AI-generation inputs and outputs; upstream provider moderation as a second layer.
- Logging and monitoring. Application logs (90-day retention) and Cloudflare edge logs available for investigation; alerting on abnormal error rates and abuse signals.
- Backup and continuity. Cloudflare D1 point-in-time recovery for the production database; KV regional replication.
- Incident response. Breach notification within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data; written post-incident report on request.
Contact
DPA enquiries and signed-copy requests: [email protected].