Data Processing Agreement
1. Definitions
- "Customer" — you, the publisher using the service.
- "Processor" — Trend Co-Pilot.
- "Personal Data" — as defined under GDPR Art. 4(1).
- "Data Subject" — your account holders, your readers (if applicable), and any individuals whose personal data appears in articles you generate.
- "Sub-processor" — third-party providers we use to deliver the service.
2. Roles
You are the Controller of personal data that appears in your generated articles, your publisher account information, and your reader data.
We are the Processor for: account credentials, content you submit (prompts, persona definitions), generated articles, and audit logs.
For account telemetry (login IP, session ID) we act as joint controller for security purposes.
3. Scope and duration
- Subject matter: SaaS for AI-assisted article generation.
- Nature: storage, transmission, transformation via LLM APIs, hosting on our VPS.
- Duration: for the term of your subscription, plus 90 days for deletion.
- Categories of data subjects: account holders, individuals named in articles, your readers (indirectly).
- Categories of personal data: contact info (email), authentication (hashed credentials), content data (prompts, articles), audit logs (IP, session).
4. Sub-processors
We use the following sub-processors. Notice of new sub-processors will be sent to account holders 30 days before they go live, with a right to object.
LLM APIs
- Anthropic (US)
- Google (US — Gemini)
- OpenAI (US)
- Groq (US)
Image generation
- NVIDIA (US)
- Pollinations (DE)
- Cloudflare (US)
- Hugging Face (FR/US)
- Together AI (US)
- Google (Imagen)
Image search
- Wikipedia / Wikimedia (US)
- Pexels (DE)
- Pixabay (DE)
- Unsplash (CA)
- Google (CSE)
Email delivery
- Google (Gmail SMTP)
Hosting
- Hostinger (LT/EU VPS)
5. Security measures
- Authentication: bcrypt password hashing, mandatory 2FA for super-admins, JWT session tokens with CSRF double-submit.
- Network: HTTPS-only (Let's Encrypt), no plaintext credential storage.
- Access: principle of least privilege; no production access from personal laptops.
- Logging: audit logs of admin actions, retained 12 months.
- Incident response: account holders notified within 72 hours of confirmed breach affecting their data.
6. Data subject rights
We assist Controllers in responding to data subject requests (access, correction, deletion, portability, restriction, objection).
- Self-service: account holders can edit profile and request deletion through the app.
- Email: privacy@trend-copilot.com for any request we cannot self-service.
7. International transfers
Some sub-processors are US-based. We rely on Standard Contractual Clauses (Module 2 / Module 3 as applicable) for cross-border transfers.
8. Audits
You may request an audit annually with 30 days' notice.
We will provide our most recent third-party security review on request (note: SOC 2 audit pending — current state is documented in our internal security policy, available under NDA).
9. Return / deletion on termination
On termination, we delete all your data within 30 days unless retention is required by law.
On request before deletion, we provide an export of articles, personas, and account metadata.
10. Liability
The Terms of service liability section applies to this DPA.
11. Governing law
Same as the Terms of service. EU/UK customers may invoke their local supervisory authority for GDPR claims.
12. Contact
DPO contact: privacy@trend-copilot.com
For a counter-signed PDF of this DPA, email the address above. We respond within 5 working days.