Data Processing Agreement
Last updated: January 2025
Agreement Overview
This Data Processing Agreement (DPA) outlines how Precedent processes your personal data in compliance with GDPR, CCPA, and other applicable privacy regulations. By using our service, you acknowledge and agree to this data processing agreement.
Data Controller & Processor
Data Controller
You (the User) are the data controller for your personal Gmail data. You determine the purposes and means of processing your personal data.
- You own and control your Gmail account
- You decide what data to share with Precedent
- You can revoke access at any time
- You determine how your data is used
Data Processor
Precedent acts as a data processor, processing your personal data only for the purposes you have authorized.
- We process data only for stated purposes
- We follow your instructions as data controller
- We implement appropriate security measures
- We assist with your data protection rights
Legal Basis for Processing
Primary Legal Basis
We process your personal data based on the following legal grounds:
Consent (Article 6(1)(a) GDPR)
You explicitly consent to our processing of your Gmail data for email analysis and prioritization services.
Legitimate Interest (Article 6(1)(f) GDPR)
Processing is necessary for our legitimate interest in providing email management services, balanced against your privacy rights.
Contract Performance (Article 6(1)(b) GDPR)
Processing is necessary for the performance of our service contract with you.
Data Processing Details
Categories of Personal Data
Gmail Data
- Email content (subject, body, sender, date)
- Email metadata (labels, folders, read status)
- Thread information and conversation history
- Contact information from email headers
Account Data
- User profile information
- Communication preferences
- Service usage patterns
- Feedback and interaction data
Processing Purposes
- Email analysis and urgency scoring using AI
- Learning user communication patterns and preferences
- Sending notifications via SMS or Slack
- Applying Gmail labels and organizing inbox
- Providing customer support and service improvements
Data Retention & Cross-Border Transfers
Data Retention Policy
- Email Content: Maximum 21 days, then fetched fresh from Gmail when needed
- Learning Patterns: While account is active, deleted within 24 hours of closure
- Account Data: While account is active, deleted within 24 hours of closure
- Usage Analytics: Anonymized and aggregated, retained for service improvement
International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequacy decisions where applicable
- Appropriate technical and organizational measures
- Data minimization and purpose limitation principles
Your Data Protection Rights
GDPR Rights (EU Users)
Access Rights
- Right to access your personal data
- Right to receive a copy of your data
- Right to information about processing
Control Rights
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to object to processing
Portability Rights
- Right to data portability
- Right to receive data in structured format
- Right to transmit data to another controller
Consent Rights
- Right to withdraw consent
- Right to opt-out of processing
- Right to lodge complaints with supervisory authority
CCPA Rights (California Users)
Information Rights
- Right to know what personal information is collected
- Right to know how personal information is used
- Right to know who personal information is shared with
Control Rights
- Right to delete personal information
- Right to opt-out of sale of personal information
- Right to non-discrimination for exercising rights
Technical & Organizational Measures
Security Measures
Technical Measures
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- OAuth 2.0 authentication
- Row-level security in database
- Regular security audits and testing
Organizational Measures
- Access controls and user authentication
- Regular staff training on data protection
- Incident response procedures
- Data protection impact assessments
- Regular compliance reviews
Sub-Processors
We may engage third-party service providers (sub-processors) to assist in providing our services. All sub-processors are bound by appropriate data protection agreements:
Current Sub-Processors
- Supabase: Database and authentication services
- Anthropic Claude: Primary AI processing (ephemeral, no data retention)
- OpenAI GPT-4: Backup AI processing if Claude unavailable (ephemeral, no data retention)
- Twilio: SMS notification services
- Google: Gmail API access
- Slack: Slack API integration (when connected)
Sub-Processor Obligations
- Bound by data protection agreements
- Implement appropriate security measures
- Process data only for authorized purposes
- Assist with data protection rights
- Provide notification of any breaches
Data Breach Notification
Breach Response Procedures
In the event of a data breach, we will:
- Notify affected users within 72 hours (if required by law)
- Report to relevant supervisory authorities within 72 hours
- Provide detailed information about the breach
- Outline measures taken to address the breach
- Provide recommendations for affected users
- Conduct post-incident review and improvements
Contact Information
For data protection questions, rights requests, or concerns:
We respond to all data protection inquiries within 48 hours. For GDPR complaints, you also have the right to lodge a complaint with your local supervisory authority.
Changes to This Agreement
We may update this Data Processing Agreement from time to time to reflect changes in our data processing practices, legal requirements, or service functionality. We will notify you of any material changes by email or through our service.