Data Processing Addendum

This Data Processing Addendum (DPA) supplements the Terms of Service for customers who process personal data through the Pair Service and need GDPR Article 28 / CCPA processing terms. For most pair.directory users (no personal data flowing through the API), no DPA is needed.

You are the Controller of any personal data you send to the Service. Pair is the Processor. We process personal data only on your documented instructions (the Terms and the Service's normal operation).

• Subject matter: ingredient pairing scoring requested via the API.
• Duration: for the term of your subscription.
• Data subjects: your end users, where you send their inputs to the API.
• Categories: minimal — typically just text strings (ingredient names).

See the Subprocessors page. We provide notice of changes via that page; signed-DPA customers can opt into email notice.

We maintain the technical and organizational measures described on the Security page, including encryption in transit, access controls, and audit logging.

Where personal data is transferred out of the EEA/UK, transfers rely on Standard Contractual Clauses (2021) and the UK Addendum. Signed copies are available on request.

We'll notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting your data, with the information then known.

On termination, we delete or return personal data within 30 days, unless retention is required by law (e.g. billing records).

Email hello@pair.directory from your account's admin address. We'll send a counter-signed PDF DPA.