Data Processing Addendum
This Data Processing Addendum (the "DPA") forms part of the Private Claude Terms of Service between you ("Customer") and St8less.ai (the operator of Private Claude, "Private Claude," "we," "us"). It applies whenever your use of the Service involves processing of Personal Data and you act as a Controller, or as a Processor on behalf of a Controller, under applicable Data Protection Laws (including GDPR, UK GDPR, and CCPA/CPRA).
01Introduction and Scope
This DPA governs the processing of Personal Data by Private Claude on behalf of Customer in connection with Customer's use of the Service. It is incorporated into and forms part of the Terms of Service. To the extent of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls.
The terms of this DPA are designed to satisfy the requirements of Article 28 GDPR, the UK GDPR, and CCPA/CPRA "service provider" obligations, while reflecting the actual technical reality that Private Claude does not retain Customer Data.
02Definitions
- Customer Data means the prompts, files, attachments, and responses transmitted through the Service during a session. Customer Data is processed in transit only and is not stored by Private Claude.
- Account Data means the email address, authentication credentials, subscription status, and billing identifiers stored to operate the Service.
- Personal Data has the meaning given in the applicable Data Protection Laws and refers to any information within Customer Data or Account Data that relates to an identified or identifiable natural person.
- Controller, Processor, and Sub-processor have the meanings given in the GDPR (and the equivalent meanings under other Data Protection Laws).
- Data Protection Laws means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").
- Standard Contractual Clauses or SCCs means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Commission Implementing Decision (EU) 2021/914), and where applicable, the UK Addendum issued by the UK Information Commissioner.
- Service means the Private Claude product, including the website, web application, and supporting serverless functions, that provides a private interface to Anthropic's Claude models.
03Roles and Responsibilities
Customer is the Controller of Customer Data and Account Data. Private Claude is the Processor of Customer Data and acts as a Controller of Account Data only for the limited purposes of authentication, billing, fraud prevention, and service delivery.
Each party shall comply with its obligations under applicable Data Protection Laws. Customer is responsible for providing all notices and obtaining all consents required to lawfully transmit Personal Data through the Service.
04Scope and Nature of Processing
The Service operates as follows. Customer Data is sent from the user's browser, through stateless serverless functions hosted on Vercel, directly to Anthropic's API using Customer's own Anthropic API key, and the response is streamed back to the browser. Conversation history is held in the user's browser via local storage and never persisted on Private Claude infrastructure. We do not log, cache, or duplicate Customer Data at rest.
| Categories of data subjects | Categories of data | Nature of processing | Duration |
|---|---|---|---|
| Customer's end users (the people interacting with the Service) | Prompts, files, attachments, and responses (Customer Data) | Transit relay between browser and Anthropic API; no storage | Duration of the HTTP request only |
| Customer (account holder) and authorized end users | Email, authentication tokens, Stripe customer and subscription identifiers, active flag, account creation timestamp (Account Data) | Authentication, billing, fraud prevention, service delivery | Duration of the subscription plus 30 days for billing reconciliation |
The purpose of processing is to provide the Service. The subject matter is the relay of Customer Data to Anthropic's models and the operation of Customer's account.
05Zero-Retention Commitment for Customer Data
Private Claude does not retain, store, log, cache, or train on Customer Data. We hold no database of conversations because Customer Data never reaches a Private Claude database. Conversations live in the user's browser. Closing the tab is sufficient to satisfy any deletion request directed at Private Claude with respect to Customer Data.
06Account Data
To operate the Service, Private Claude stores a limited set of Account Data. Specifically:
- Email address and Supabase authentication record
- Stripe customer identifier and subscription identifier
- Active status flag
- Account creation timestamp
Account Data is held by our sub-processors Supabase (for authentication and account records) and Stripe (for billing). The lawful basis for processing Account Data is performance of the contract with Customer and our legitimate interest in fraud prevention and account security.
07Confidentiality
Personnel with access to Account Data are bound by written confidentiality obligations and access is limited to those who need it to perform their duties.
08Security Measures
Private Claude implements the following technical and organizational measures:
- HTTPS/TLS 1.2 or higher enforced on all traffic by Vercel, with HSTS preload
- Strict Content Security Policy and modern security headers (X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy)
- Authentication via Supabase with row-level security on all account tables
- All payment data handled by Stripe, which is certified PCI DSS Level 1; Private Claude never sees raw card data
- Customer Anthropic API keys stored encrypted at rest
- Principle of least privilege for administrative access
- No production access from personal or unmanaged devices
09Sub-processors
Customer authorizes Private Claude to engage the following sub-processors:
| Sub-processor | Role | Location | Safeguard |
|---|---|---|---|
| Anthropic, PBC | Model inference | USA | Customer's own API key; Anthropic's DPA accepted directly by Customer when creating their Anthropic account |
| Vercel Inc. | Hosting, edge network, serverless compute | USA / global edge | DPA + SCCs |
| Supabase Inc. | Authentication and account database | USA / EU | DPA + SCCs |
| Stripe Inc. | Payment processing | USA | PCI DSS Level 1, DPA + SCCs |
Private Claude will provide at least 30 days' notice of any addition or replacement of a sub-processor by updating this page. Continued use of the Service after the change takes effect constitutes acceptance.
10International Data Transfers
Where Personal Data is transferred outside the European Economic Area, Switzerland, or the United Kingdom to a country that does not benefit from an adequacy decision, the Standard Contractual Clauses (Module 2 or Module 3 as applicable) and, where the UK GDPR applies, the UK International Data Transfer Addendum, are incorporated into this DPA by reference and apply to the transfer.
11Data Subject Rights
Because Private Claude does not retain Customer Data, requests for access, erasure, rectification, restriction, or portability of Customer Data are inherently satisfied by closing the browser tab or clearing local storage on the user's device. There is no copy of Customer Data on Private Claude infrastructure to surface or delete.
For requests relating to Account Data, Customer or its end users may email support@privateclaude.ai. Private Claude will respond within 30 days.
12Personal Data Breach Notification
Private Claude will notify Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Account Data, providing the information required by Article 33(3) GDPR. Because Customer Data is not retained on Private Claude infrastructure, it cannot be the subject of a breach on our systems.
13Audits
Customer's audit rights under Article 28(3)(h) GDPR are satisfied by (a) this DPA, (b) sub-processor SOC 2 Type II or ISO 27001 reports, which Private Claude will make available on reasonable written request, and (c) Private Claude's response to reasonable written security questionnaires within 30 days. On-site audits will be permitted only where required by applicable law and at Customer's expense.
14Term and Termination
This DPA runs concurrently with the Terms of Service. Upon termination of the Customer's account, Account Data will be deleted within 30 days, except where retention is required by applicable law (for example, tax records).
15Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
16Governing Law, Venue, and Attorneys' Fees
This DPA is governed by the laws of the State of Florida, USA, without regard to its conflict-of-laws principles. Any action or proceeding arising out of or relating to this DPA, the Service, or the Personal Data processed under it shall be brought exclusively in the state or federal courts located in Florida, and each party irrevocably consents to the personal jurisdiction and venue of those courts.
In any such action or proceeding, the prevailing party shall be entitled to recover from the non-prevailing party its reasonable attorneys' fees, expert fees, court costs, and other costs and expenses incurred, including those incurred on appeal and in any post-judgment proceedings. To the fullest extent permitted by law, each party waives any right to a jury trial.
Each party further agrees that any claim must be brought in its individual capacity, and not as a plaintiff or class member in any purported class or representative action.
17Contact
Questions about this DPA, sub-processor reports, or data subject requests can be directed to support@privateclaude.ai.