Data Processing Addendum

You (“Customer”) act as the Data Controller. Deliteful acts as the Data Processor for personal data provided through your use of the Service.

Processing is strictly limited to executing the file-based automation tasks you request. Deliteful does not read, analyze, index, or reuse file contents for any other purpose. No AI training or behavioral analysis is performed.

Processing is carried out under GDPR Article 6(1)(b): performance of a contract between you and Deliteful to deliver the Service.

• Cloudflare — R2 temporary storage, HTTPS, DNS, security
• Vercel — frontend hosting
• Modal — isolated serverless compute for processing
• Supabase — authentication, session management, database
• Lemon Squeezy — subscription billing (controller role)

Files are stored only temporarily for processing. They are automatically deleted from R2 shortly after job completion. Modal compute environments are ephemeral and do not store file contents.

• No long-term file storage
• No indexing, caching, or reuse of file contents
• Only minimal account and billing information is retained

• HTTPS encryption through Vercel and Cloudflare
• Isolated Modal execution environments
• Automatic R2 temporary file deletion
• Database-level row security (RLS) via Supabase

Customers may request access, correction, portability, or deletion of stored personal data. File-based content is never retained long-term, so right-of-erasure requests typically apply only to account or billing data.

Data may be processed in the United States or other regions where our subprocessors operate. Transfers occur under appropriate legal mechanisms such as Standard Contractual Clauses (“SCCs”).