Last updated on June 30, 2026

Data Processing Agreement

1. PURPOSE AND SCOPE

1.1 Purpose of this DPA. This Data Processing Agreement (the "DPA") forms part of the agreement under the Terms of Service governing the Customer's use of the Macaly platform and the Services provided by LANGTAIL.COM s.r.o., ID No. 198 68 987, with its registered seat at Záhřebská 562/41, Vinohrady, 120 00 Prague 2, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 393016 (the "Processor", "we", "us" or "our"), to the customer identified in the applicable Order, subscription or other agreement governing the use of the Services (the "Customer" or the "Controller").

1.2 Scope of this DPA. This DPA governs the processing of Customer Personal Data by the Processor on behalf of the Customer in connection with the provision of the Services. This DPA applies only where the Processor processes Customer Personal Data on behalf of the Customer as a Processor within the meaning of Applicable Data Protection Laws. Processing carried out by the Processor as an independent Controller is governed by the Privacy Policy.

1.3 Applicability. This DPA applies where the Processor processes Customer Personal Data on behalf of the Customer within the meaning of Article 28 of the Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") or other Applicable Data Protection Laws.

1.4 Independent Controller Processing. Where the Processor processes personal data as an independent Controller, including for account administration, billing, security, fraud prevention, legal compliance or the operation of the Services, such processing is governed by the Privacy Policy rather than this DPA.

1.5 Order of precedence. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Customer Personal Data, this DPA shall prevail to the extent of such conflict.

2. DEFINITIONS

2.1 Unless otherwise defined in this DPA, capitalised terms used in this DPA have the meanings given to them in the Terms of Service or the Privacy Policy.

2.2 For the purposes of this DPA:

"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Customer Personal Data under this DPA, including, where applicable, the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and any national laws implementing or supplementing such legislation.

"Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

"Customer Personal Data" means any Personal Data contained within Customer Data that the Processor processes on behalf of the Customer in connection with the provision of the Services.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Personal Data", "Personal Data Breach", "process", "processing" and "Processor" have the meanings given to them in the GDPR or other Applicable Data Protection Laws.

"Subprocessor" means any third party appointed by the Processor to Process Customer Personal Data on behalf of the Customer in connection with the provision of the Services.

2.3 Interpretation. References in this DPA to Articles or Chapters are references to the corresponding provisions of the GDPR unless expressly stated otherwise.

3. ALLOCATION OF ROLES

3.1 Controller. The Customer acts as the Controller of Customer Personal Data and determines the purposes and means of the processing of such Customer Personal Data.

3.2 Processor. The Processor shall process Customer Personal Data solely on behalf of the Customer and in accordance with this DPA, the Terms of Service and the Customer's documented instructions, unless otherwise required by Applicable Data Protection Laws.

3.3 Independent Controller Processing. Nothing in this DPA limits or affects the Processor's processing of personal data as an independent Controller where the Processor determines the purposes and means of the processing for its own legitimate business purposes, including account administration, billing, security, fraud prevention, legal compliance and operation of the Services, as described in the Privacy Policy.

4. DETAILS OF PROCESSING

4.1 Details of Processing. The details of the processing of Customer Personal Data carried out by the Processor on behalf of the Customer, including the subject matter, duration, nature and purpose of the processing, the categories of Customer Personal Data and the categories of Data Subjects, are set out in Annex I, which forms an integral part of this DPA.

5. CUSTOMER INSTRUCTIONS

5.1 Documented instructions. The Processor shall process Customer Personal Data only on the Customer's documented instructions, including as set out in the Terms of Service, this DPA and any other written instructions provided by the Customer, unless otherwise required by Applicable Data Protection Laws. The Customer acknowledges and agrees that its configuration and use of the Services, including instructions submitted through the Platform by its Authorised Users, constitute the Customer's documented instructions to the Processor for the purposes of this DPA.

5.2 Provision of the Services. The Customer instructs the Processor to Process Customer Personal Data to the extent necessary to provide, operate, maintain, secure and support the Services in accordance with the Terms of Service, this DPA and the Customer's use of the Services.

5.3 AI-powered functionality. Where the Customer or its Authorised Users use AI-powered functionality made available through the Services, the Customer acknowledges and agrees that the submission of prompts, instructions, Customer Data, Generated Content and other information to the Services constitutes an instruction to the Processor to Process such information to the extent necessary to provide the requested AI-powered functionality.

5.4 Connected Third-Party Services. By connecting or enabling any Connected Third-Party Service, the Customer instructs the Processor to Process Customer Personal Data as necessary to establish, maintain and operate the relevant integration, including exchanging Customer Personal Data with the relevant Connected Third-Party Service in accordance with the permissions configured by the Customer and its Authorised Users.

5.5 Authorised Users. The Processor shall be entitled to rely on any instruction received through the Services from an Authorised User acting within the permissions assigned by the Customer without any obligation to verify the validity or authority of such instruction.

5.6 Customer responsibilities. The Customer is solely responsible for:

  • determining the purposes and legal bases for the processing of Customer Personal Data;
  • ensuring that it has all necessary rights, permissions and authorisations to provide Customer Personal Data to the Processor and to authorise its processing through the Services, including AI-powered functionality and Connected Third-Party Services;
  • providing all notices and obtaining all consents required under Applicable Data Protection Laws;
  • ensuring the accuracy, quality and lawfulness of Customer Personal Data; and
  • determining the categories of Customer Personal Data submitted to the Services, including whether to submit any special categories of personal data or other sensitive information.

5.7 Lawfulness of instructions. The Processor shall promptly inform the Customer if, in the Processor's opinion, any documented instruction infringes Applicable Data Protection Laws. Unless prohibited by Applicable Data Protection Laws, the Processor may suspend the relevant processing until the Customer confirms, amends or withdraws the relevant instruction.

5.8 Reliance on Customer instructions. Except where otherwise required by Applicable Data Protection Laws, the Processor shall be entitled to rely on the Customer's documented instructions and representations regarding the lawfulness of the processing and shall have no obligation to independently verify that the Customer's processing activities comply with Applicable Data Protection Laws. Nothing in this DPA relieves the Processor of its obligation under Article 28(3) GDPR to inform the Customer where, in the Processor's opinion, an instruction infringes Applicable Data Protection Laws.

6. PROCESSOR OBLIGATIONS

6.1 Processing in accordance with this DPA. The Processor shall process Customer Personal Data only in accordance with this DPA, the Terms of Service, the Customer's documented instructions and Applicable Data Protection Laws.

6.2 Compliance with Applicable Data Protection Laws. The Processor shall comply with the obligations applicable to processors under Applicable Data Protection Laws in relation to the processing of Customer Personal Data.

6.3 Confidentiality. The Processor shall ensure that all persons authorised to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate training regarding the protection of Customer Personal Data.

6.4 Processor personnel. The Processor shall ensure that access to Customer Personal Data is limited to personnel, contractors and authorised persons who require such access for the purpose of providing the Services and who are bound by appropriate confidentiality and security obligations.

6.5 Notification of unlawful instructions. Where the Processor considers that a documented instruction infringes Applicable Data Protection Laws, the Processor shall notify the Customer without undue delay in accordance with Section 5 of this DPA.

6.6 No independent ownership of Customer Personal Data. Except as expressly permitted by this DPA, the Terms of Service or Applicable Data Protection Laws, the Processor shall not acquire any ownership rights in Customer Personal Data or Process Customer Personal Data for its own independent purposes.

6.7 Information demonstrating compliance. The Processor shall make available to the Customer such information as is reasonably necessary and proportionate to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Laws, subject to Section 12 (Audits).

7. SECURITY MEASURES

7.1 Appropriate security measures. The Processor shall implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of natural persons.

7.2 Security programme. The Processor shall maintain an information security programme designed to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and Services used to Process Customer Personal Data.

7.3 Examples of security measures. Depending on the nature of the processing, such measures may include:

  • encryption of Customer Personal Data in transit and, where appropriate, at rest;
  • secure authentication and access controls;
  • role-based access management based on the principle of least privilege;
  • secure management of API credentials, authentication tokens and credentials used to access Connected Third-Party Services;
  • logging and monitoring of access to systems and Services;
  • vulnerability management and regular security updates;
  • incident detection and response procedures;
  • backup and disaster recovery measures; and
  • appropriate contractual, technical and organisational safeguards when engaging Subprocessors.

7.4 Security updates. The Processor may modify or update its technical and organisational measures from time to time, provided that such modifications do not materially reduce the overall level of security for Customer Personal Data.

7.5 Customer responsibilities. The Customer acknowledges that the effectiveness of the security measures also depends on the secure configuration and use of the Services by the Customer and its Authorised Users, including the management of user access, credentials, Connected Third-Party Services and permissions granted through the Services.

8. SUBPROCESSORS

8.1 General authorisation. The Customer hereby provides the Processor with a general authorisation to engage Subprocessors to process Customer Personal Data on behalf of the Customer in connection with the provision of the Services.

8.2 Current Subprocessors. The Customer acknowledges and agrees that the Processor may engage the Subprocessors listed in Annex III, as amended from time to time. The Processor shall maintain an up-to-date list of its Subprocessors in Annex III or otherwise make such list available through its website.

8.3 Appointment of new Subprocessors. The Processor may appoint or replace Subprocessors from time to time as necessary to provide, operate, maintain, secure or improve the Services. Where required by Applicable Data Protection Laws, the Processor shall inform the Customer of the appointment or replacement of a Subprocessor by updating Annex III or by another reasonable means before such appointment becomes effective.

8.4 Subprocessor obligations. The Processor shall ensure that each Subprocessor is subject to written contractual obligations requiring the protection of Customer Personal Data to a standard required by Applicable Data Protection Laws.

9. INTERNATIONAL TRANSFERS OF CUSTOMER PERSONAL DATA

9.1 International transfers. The Customer acknowledges and agrees that the Processor and its Subprocessors may Process Customer Personal Data in countries outside the European Economic Area ("EEA"), the United Kingdom or Switzerland in connection with the provision, operation, maintenance, security and support of the Services.

9.2 Transfer mechanisms. Where Customer Personal Data is transferred to a country that has not been recognised as providing an adequate level of protection under Applicable Data Protection Laws, the Processor shall ensure that such transfer is carried out using an appropriate transfer mechanism recognised under Applicable Data Protection Laws, including, where applicable:

  • an adequacy decision adopted by the European Commission;
  • the EU Standard Contractual Clauses;
  • the EU-U.S. Data Privacy Framework (or any successor framework); or
  • any other lawful transfer mechanism recognised under Applicable Data Protection Laws.

9.3 Subprocessors. The Customer acknowledges that transfers carried out by approved Subprocessors in accordance with this DPA shall be deemed to be authorised by the Customer.

10. ASSISTANCE

10.1 Assistance. Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Customer to enable the Customer to comply with its obligations under Applicable Data Protection Laws relating to Data Subject rights, the security of processing, Personal Data Breaches, data protection impact assessments and prior consultations with competent supervisory authorities, to the extent required by Applicable Data Protection Laws.

10.2 Customer responsibility. The Customer remains solely responsible for complying with its obligations as Controller under Applicable Data Protection Laws.

11. PERSONAL DATA BREACHES

11.1 Notification of Personal Data Breaches. The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, as required by Applicable Data Protection Laws.

11.2 Cooperation. Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Customer in relation to such Personal Data Breach to the extent required by Applicable Data Protection Laws.

12. AUDITS

12.1 Audit rights. To the extent required by Applicable Data Protection Laws, the Processor shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

12.2 Conditions. Any audit shall be conducted upon reasonable prior written notice, during normal business hours, in a manner that minimises disruption to the Processor's business operations and subject to the Processor's confidentiality, security and access policies.

12.3 Alternative evidence. The Processor may satisfy the Customer's audit requests by providing relevant certifications, audit reports, security documentation or other information demonstrating compliance, where such information reasonably addresses the Customer's request.

13. RETURN AND DELETION OF CUSTOMER PERSONAL DATA

13.1 Return or deletion. Upon termination or expiry of the Services, the Processor shall, at the Customer's choice, delete or return Customer Personal Data, unless Applicable Data Protection Laws require the Processor to retain some or all of the Customer Personal Data.

13.2 Retention. Notwithstanding the foregoing, the Processor may retain Customer Personal Data for the period and to the extent required by Applicable Data Protection Laws or as necessary to comply with its legal obligations, resolve disputes, enforce its legal rights or comply with its standard backup and business continuity procedures, provided that such Customer Personal Data remains subject to the confidentiality and security obligations set out in this DPA for as long as it is retained. The Processor shall delete such retained Customer Personal Data once the applicable retention period expires, unless further retention is required by Applicable Data Protection Laws.

13.3 Deletion through the Services. Where the Services enable the Customer to retrieve or delete Customer Personal Data directly, the Customer acknowledges that it is responsible for exporting or deleting Customer Personal Data before termination of the Services, where applicable.

14. LIABILITY

14.1 Liability. Each Party's liability arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Terms of Service, unless otherwise required by Applicable Data Protection Laws.

15. FINAL PROVISIONS

15.1 Term. This DPA shall remain in effect for as long as the Processor processes Customer Personal Data on behalf of the Customer in connection with the provision of the Services.

15.2 Relationship with the Terms of Service. Except as expressly provided in this DPA, the Terms of Service remain in full force and effect. This DPA forms an integral part of the Terms of Service.

15.3 Amendments. The Processor may amend this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory guidance, the Services or the Processor's processing activities. Where required by Applicable Data Protection Laws, the Processor shall provide the Customer with reasonable notice of any material amendments.

15.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

15.5 Governing law. This DPA shall be governed by the governing law and jurisdiction provisions set out in the Terms of Service, unless otherwise required by Applicable Data Protection Laws.

ANNEX I - DETAILS OF PROCESSING

Description | Details
Subject matter of the Processing | The provision, operation, maintenance, support and security of the Services provided under the Terms of Service.
Duration of the Processing | For the duration of the Customer's use of the Services and thereafter for the period specified in the Terms of Service, this DPA and Applicable Data Protection Laws.
Nature of the Processing | Collection, recording, organisation, structuring, storage, hosting, retrieval, consultation, use, transmission, disclosure by transmission, alignment, combination, restriction, deletion or destruction of Customer Personal Data, including AI-assisted processing where initiated by the Customer through the Services.
Purpose of the Processing | To provide, operate, maintain, support, secure and improve the functionality of the Services in accordance with the Customer's documented instructions, the Terms of Service and this DPA. For the avoidance of doubt, Customer Personal Data is not used to train the Processor's AI models or improve the Services except where expressly agreed in the Terms of Service or otherwise instructed by the Customer.
Categories of Customer Personal Data | The categories of Customer Personal Data are determined and controlled by the Customer and may include account information, identification data, contact details, Customer Data, prompts, Messages, Generated Content containing Personal Data, usage data, technical identifiers and any other Personal Data submitted through the Services by the Customer or its Authorised Users.
Categories of Data Subjects | The categories of Data Subjects are determined by the Customer and may include the Customer's employees, contractors, representatives, Authorised Users, customers, prospective customers, end users, website visitors and other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.
Special categories of Personal Data | The Processor does not require or intentionally seek the Processing of special categories of Personal Data. The Customer remains solely responsible for determining whether such data is submitted to the Services and for ensuring an appropriate legal basis where required under Applicable Data Protection Laws.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES

The Processor implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data in accordance with Article 32 GDPR. Such measures include, as appropriate:

Area | Description
Governance | Internal policies, confidentiality obligations, employee awareness and security procedures.
Access management | Role-based access controls, authentication mechanisms and access granted on a least-privilege basis.
Encryption | Encryption of Customer Personal Data in transit and, where appropriate, at rest.
Infrastructure security | Monitoring, logging, vulnerability management, security updates and protection of production systems.
Availability and resilience | Backup procedures, disaster recovery measures and business continuity processes.
Incident management | Processes for detecting, investigating, responding to and documenting security incidents and Personal Data Breaches.
Subprocessor management | Contractual, technical and organisational safeguards when engaging Subprocessors.
International transfers | Appropriate safeguards for transfers of Customer Personal Data outside the EEA, the United Kingdom and Switzerland in accordance with Applicable Data Protection Laws.
Connected Third-Party Services | Measures designed to protect Customer Personal Data exchanged with Connected Third-Party Services authorised by the Customer, including secure authentication and permission management where applicable.

The Processor may update or modify these technical and organisational measures from time to time, provided that the overall level of protection for Customer Personal Data is not materially reduced.

ANNEX III - SUBPROCESSORS LIST

The Processor may engage the following Subprocessors in connection with the provision of the Services. This Annex may be updated from time to time in accordance with Section 8 of this DPA.

Subprocessor | Purpose of Processing | Location
Anthropic PBC | AI model provider (Claude models and APIs) | United States
Apify Technologies s.r.o. | Web scraping and data extraction services | Czech Republic
Amazon Web Services, Inc. | Cloud infrastructure and hosting services | United States / EEA
Browserbase, Inc. | Browser automation and headless browser infrastructure | United States
Clerk, Inc. | User authentication and identity management | United States
Cloudflare, Inc. | Content delivery network (CDN), object storage, network security and browser rendering | United States
Code.storage | Source code repository and project storage | United States / EEA
Cohere Inc. | AI embeddings and reranking services | Canada
Composio | Integration platform for third-party applications | United States
Convex, Inc. | Realtime backend infrastructure | United States
Crisp IM SAS | Customer support and live chat services | France
Dash0 GmbH | Observability, telemetry and monitoring | Germany
Datadog, Inc. | Infrastructure monitoring, logging and performance monitoring | United States
E2B Technologies | Secure code execution sandbox infrastructure | United States
Figma, Inc. | Design collaboration platform | United States
Firecrawl | Web crawling and scraping services | United States
Freestyle | Code execution sandbox services | United States
GitHub, Inc. | Source code hosting and repository management | United States
Google LLC | AI services, cloud infrastructure, Google Workspace and related technical services | United States / EEA
Greptile | AI-assisted code review services | United States
Langtail | Prompt management platform | Czech Republic
Linear Orbit, Inc. | Issue tracking and project management | United States
Loops | Marketing email delivery | United States
Morph LLM | AI-assisted code editing | United States
MusicGPT | AI-generated music services | United States
Neon, Inc. | Managed PostgreSQL database hosting | United States
Notion Labs, Inc. | Documentation and knowledge management | United States
OpenAI, LLC | AI model provider and speech-to-text services | United States
OpenRouter | AI model gateway | United States
Pexels GmbH | Stock image services | Germany
PostHog, Inc. | Product analytics | United States
RapidAPI | API marketplace and API integrations | United States
Relace | AI-assisted code editing services | United States
Replicate, Inc. | AI model hosting and inference services | United States
Astrodon Corporation (Resend) | Transactional email delivery | United States
Revolut Bank UAB | Payment and billing services | Lithuania
ScreenshotOne | Website screenshot generation services | United States
Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | United States
Slack Technologies, LLC | Internal communications and operational notifications | United States
Streamline | Icon library and design assets | Netherlands
Stripe, Inc. | Payment processing | United States
WhatsApp LLC / WhatsApp Ireland Limited | Customer communication platform and messaging integrations | United States / Ireland
Telnyx LLC | Telephony and messaging infrastructure | United States
Upstash, Inc. | Redis database, caching and messaging infrastructure | United States
Vercel Inc. | Cloud hosting, deployment infrastructure and edge services | United States

Note: The list of Subprocessors may be updated from time to time in accordance with Section 8 of this DPA. The most current version of this Annex will be made available by the Processor through its website or otherwise upon request.