Data Processing Agreement (DPA)

Last Updated: December 2025

This Data Processing Agreement (DPA) forms part of the terms governing the use of the Quillific writing platform provided by Pronunciator LLC (“Processor”) when used by an organization (“Controller”) that requires GDPR compliance.

1. Definitions

  • Controller: The organization that determines the purposes and means of processing personal data.
  • Processor: Pronunciator LLC.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Services: Access to and use of the Quillific writing platform.
  • Subprocessors: Third-party service providers engaged to support the Services.

2. Subject Matter of Processing

The Processor handles personal data as necessary to provide the Services, including user-generated text, AI outputs, account details, usage metadata, and subscription information.

3. Duration of Processing

Processing continues for as long as the Controller uses the Services or until the Controller requests deletion. Deletion is permanent because no backups exist.

4. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • User authentication and account management
  • Providing AI-based writing and editing tools
  • Storing writing history for user access
  • Subscription management
  • Analytics based on metadata (never text)

5. Categories of Data Subjects

Data subjects may include users authorized by the Controller, including staff, students, or patrons. Quillific is intended for individuals aged 16 or older.

6. Processor Obligations

The Processor will:

  • Process personal data only on documented instructions from the Controller.
  • Ensure authorized personnel are bound by confidentiality obligations.
  • Implement reasonable security measures (noting that data is not encrypted at rest or in transit).
  • Assist the Controller with data subject requests when feasible.
  • Notify the Controller without undue delay of any personal data breach.
  • Delete or return personal data upon request or termination of the Services.

7. Subprocessors

The Controller authorizes the Processor to use the following subprocessors:

  • Firebase Authentication
  • Firebase Analytics (metadata only)
  • OpenAI (AI processing)
  • RevenueCat
  • Google Sign-In
  • Apple Sign-In

OpenAI may retain user-submitted content for up to 30 days for abuse monitoring.

8. International Data Transfers

Personal data is transferred to the United States. Transfers rely on Standard Contractual Clauses (SCCs) from Google, Apple, and RevenueCat, and may rely on GDPR Article 49(1)(b) when necessary to provide the Services.

9. Security

The Controller acknowledges the following:

  • Data is not encrypted at rest.
  • Data is not encrypted in transit.
  • No backups are maintained.
  • Platform-level protections are provided primarily through Firebase.

Controllers must evaluate whether these measures are appropriate for their own use case.

10. Data Subject Requests

The Processor will assist the Controller in handling requests for access, correction, deletion, or objection. Requests received directly by the Processor will be forwarded to the Controller.

11. Data Deletion

Upon request from the Controller, the Processor will permanently delete all associated personal data. Because no backups exist, deletion cannot be reversed.

12. Audits

Audits are limited to reviewing this DPA and publicly available documentation from Firebase, Google, Apple, RevenueCat, and OpenAI. Physical or on-site audits are not supported.

13. Liability

Each party’s liability is governed by the underlying agreement or Terms of Service.

14. Governing Law

This DPA is governed by the laws of the State of California.

15. Contact

Pronunciator LLC
Jackson, Wyoming, USA
Email: support@pronunciator.com