Summary: This Data Processing Addendum ("DPA") forms part of the agreement between BoringDollars, Inc. ("Prago", the "Processor") and the customer (the "Controller") for the provision of the Prago service. It sets out the parties' obligations regarding the processing of personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR, and equivalent data protection laws.
This DPA is incorporated into and forms part of the Terms of Service between BoringDollars, Inc. ("Prago", "we", "us") and the Customer ("Controller", "you"). By using the Prago service, the Controller instructs Prago to process personal data on its behalf as described in this DPA. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
For the purposes of this DPA:
"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
"Processing" means any operation or set of operations performed on personal data, as defined in Article 4(2) GDPR.
"Controller" means the natural or legal person which determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person which processes personal data on behalf of the Controller.
"Sub-processor" means any third party engaged by Prago to process personal data on the Controller's behalf.
"Data Subject" means the natural person to whom personal data relates.
"Supervisory Authority" means the independent public authority responsible for monitoring the application of data protection law in a given jurisdiction.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914/EU.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"UK GDPR" means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
The Customer is the Controller. BoringDollars, Inc. is the Processor. Prago processes personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Prago will inform the Controller of that legal requirement before processing, unless prohibited by law. Prago will promptly inform the Controller if it believes an instruction infringes applicable data protection law. Prago ensures that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
Subject matter: Personal data submitted to or collected by Prago in connection with the Customer's use of the Prago service.
Duration: For the term of the agreement between the parties, plus any retention period required by applicable law or agreed in writing between the parties.
Nature of processing: Collection, storage, analysis, transformation, transmission, and deletion of personal data as necessary to provide the Prago service.
Purpose: Providing autonomous AI marketing services including content generation, search engine optimisation, AI visibility optimisation, social media publishing, campaign analytics, and campaign management as described in the Terms of Service.
Data subjects:
Categories of personal data:
Special categories: Prago does not knowingly process special categories of personal data as defined in Article 9 GDPR. The Controller must not submit special category data to Prago without prior written agreement.
Prago engages third-party sub-processors to provide elements of its service. All sub-processors are bound by data processing agreements that impose obligations no less protective than those in this DPA.
Prago will provide at least 14 days' written notice before engaging a new sub-processor or making material changes to an existing sub-processor engagement. The Controller may object to a new sub-processor within 14 days of notice by writing to privacy@prago.io. If the parties cannot resolve the objection within a reasonable time, the Controller may terminate the affected services without penalty.
Prago's current sub-processors are categorised by function below. Specific vendor names are available to enterprise customers under NDA upon written request to privacy@prago.io.
| Category | Location | Purpose |
|---|---|---|
| Cloud infrastructure provider | United States | Hosting, compute, storage, and networking for all Prago services |
| Payment processor | United States | Billing, subscription management, and payment method handling |
| Identity and authentication provider | United States | User authentication, session management, and access control |
| Customer communications platform | United States | In-app support messaging and customer success communications |
| Email delivery provider | United States | Transactional and marketing email delivery |
| Product analytics provider | United States | Anonymised usage analytics and product improvement |
| Error monitoring provider | United States | Application error tracking and performance monitoring |
| Brand data provider | United States | Publicly available brand asset enrichment |
| Web content provider | United States | Publicly accessible website content retrieval |
| Search data provider | European Union | Search engine ranking data and keyword analysis |
| AI inference providers (multiple) | United States | Large language model inference for content generation and analysis |
| Mapping and geolocation provider | United States | Geographic data enrichment for location-based analytics |
Specific vendor names are available to enterprise customers under NDA upon written request to privacy@prago.io.
Prago implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include:
A description of Prago's security programme and certifications is maintained on our Security page. Enterprise customers may request a completed security questionnaire by writing to privacy@prago.io.
Prago is headquartered in the United States. When Prago transfers personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or another third country not subject to an adequacy decision, such transfers are made pursuant to:
(a) EU transfers: The Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU, Module Two (Controller to Processor), which are incorporated by reference into this DPA. By accepting this DPA, the Controller (as data exporter) and Prago (as data importer) agree to be bound by the SCCs, with the Controller acting as data exporter and Prago acting as data importer.
(b) UK transfers: The International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office, or the UK Addendum to the EU SCCs, as applicable.
(c) Swiss transfers: Applicable Swiss data protection law requirements and any transfer mechanisms recognised by the Swiss Federal Data Protection and Information Commissioner.
Prago applies appropriate supplementary technical and organisational measures when transferring personal data internationally to ensure a level of protection essentially equivalent to that guaranteed within the EEA. On written request, Prago will provide the Controller with copies of the applicable transfer mechanisms.
Prago will, to the extent technically feasible, assist the Controller in fulfilling its obligations to respond to data subject requests under applicable law. This includes requests to:
If Prago receives a data subject request directly relating to the Controller's data, Prago will promptly forward the request to the Controller and will not respond to the data subject directly, except to acknowledge receipt, unless required to do so by applicable law.
The Controller is solely responsible for responding to such requests within the timeframes required by applicable law. To request Prago's assistance with a data subject request, contact privacy@prago.io.
Prago will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA. Notification will be made to the email address associated with the Controller's account or to a contact specified in writing.
The notification will include, to the extent then available:
Where full information is not available within 72 hours, Prago will provide available information initially and supplement it as additional information becomes available.
The Controller is responsible for notifying the relevant supervisory authority and, where required, affected data subjects in accordance with applicable law. Prago will cooperate with and provide reasonable assistance to the Controller in preparing any required notifications.
Upon the Controller's written request, no more than once per calendar year (unless there is reasonable cause to suspect a material breach of this DPA), Prago will make available to the Controller information reasonably necessary to demonstrate Prago's compliance with its obligations under this DPA. Such information may include:
Where an on-site or third-party audit is required by a supervisory authority or applicable law, the parties will agree in writing on the scope, timing, duration, and cost allocation at least 30 days in advance. Audits must be conducted during normal business hours and must not unreasonably interfere with Prago's operations. The Controller agrees to treat all audit findings as confidential information.
This DPA is effective from the date the Controller first accepts the Terms of Service and remains in force until the agreement between the parties is terminated or expires.
Upon termination of the agreement, Prago will, at the Controller's written election made within 30 days of termination:
(a) Return: Provide the Controller with an export of all personal data in a commonly used, machine-readable format; or
(b) Delete: Securely and permanently delete all personal data from Prago's systems and procure deletion by sub-processors, subject to any retention obligations imposed by applicable law.
Prago will provide the Controller with written certification of deletion within 30 days of completing the deletion process. Where Prago is required by applicable law to retain personal data beyond the termination date, Prago will notify the Controller of such requirement and restrict processing of the retained data to the purposes required by that law.
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service between the parties. To the extent that applicable law prohibits the limitation or exclusion of liability for personal data breaches or data protection infringements, such limitations and exclusions shall not apply to the extent of such prohibition.
Where both parties are responsible for damage caused by processing in breach of applicable data protection law, each party shall be liable for the damage attributable to its own part of the processing. Prago shall not be liable for damages arising from the Controller's breach of its own obligations under applicable data protection law or from the Controller's failure to provide accurate or complete processing instructions.
BoringDollars, Inc.
1111B S Governors Ave, Suite 95441, Dover, DE 19904, United States
Delaware File No. 10560883
DPA and data protection inquiries: privacy@prago.io