Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of and is incorporated into the agreement between the Customer and Infi Developments under which the Customer uses the AI Toolbox browser extension and related backend services (the "Service"). It reflects the parties' agreement on the processing of personal data in accordance with Regulation (EU) 2016/679 (the "GDPR").
- Processor: Infi Developments, operator of AI Toolbox, contactable at [email protected].
- Controller: the Customer identified in the applicable order or account.
- Effective date: the date the Controller accepts this DPA or begins using the Service, whichever is earlier.
If the Customer processes the personal data of third parties through the Service, the Customer acts as the Controller and Infi Developments acts as the Processor with respect to that data. Where Infi Developments determines the purposes and means of processing a Customer's own account data, Infi Developments acts as an independent controller for that limited data, governed by its Privacy Policy.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR. "Applicable Data Protection Law" means the GDPR and any national implementing or successor legislation applicable to the processing.
2. Scope and Roles
This DPA applies to the processing of personal data by Infi Developments (as processor) on behalf of the Controller in connection with the Service. Infi Developments shall process personal data only on documented instructions from the Controller, including as set out in this DPA and the Controller's use of the Service, unless required to do otherwise by applicable law (in which case Infi Developments shall inform the Controller, unless legally prohibited). Infi Developments shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Details of Processing
The subject matter, duration, nature and purpose of the processing, the categories of personal data, and the categories of data subjects are set out in Annex 1.
4. Nature of the Service and Data Minimisation
The Service is a browser extension that organises, searches, and exports AI chat conversations. The content of the Controller's AI conversations is stored locally in the user's own browser (IndexedDB) and is not transmitted to or stored on Infi Developments's servers. Only organisational metadata (folder structure, saved prompts, bookmarks, tag rules, message labels, pinned items, and aggregate usage counts) and account identifiers (email address, and where applicable a numeric platform user id) are synced to Infi Developments's backend for the purpose of providing cross-device functionality.
5. Confidentiality
Infi Developments shall ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide the Service.
6. Security of Processing
Taking into account the state of the art and the risks of processing, Infi Developments implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2. Infi Developments regularly reviews these measures and may update them provided the level of protection is not materially reduced.
7. Sub-processors
The Controller provides general authorisation for Infi Developments to engage the sub-processors listed in Annex 3 for the processing activities described. Infi Developments imposes on each sub-processor data protection obligations no less protective than those in this DPA and remains responsible for its sub-processors' performance. Infi Developments shall inform the Controller of any intended addition or replacement of a sub-processor with reasonable notice via email or its website, giving the Controller the opportunity to object on reasonable data-protection grounds.
8. International Transfers
Where a sub-processor processes personal data outside the European Economic Area, such transfers are carried out under an adequacy decision or appropriate safeguards under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (SCCs), together with any supplementary measures required.
9. Assistance to the Controller
Taking into account the nature of the processing, Infi Developments shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, and objection). Infi Developments shall also assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Infi Developments.
10. Personal Data Breach
Infi Developments shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data, and shall provide information reasonably available to it to assist the Controller in meeting its own notification obligations.
11. Deletion and Return
The Controller may request deletion of its personal data at any time by contacting [email protected]. Upon such request, or upon termination of the Service, Infi Developments shall delete the Controller's personal data. The Service provides a complete erasure routine that removes all records tied to a user account across all data stores. On uninstall, account data is scheduled for deletion after a grace period unless the user reinstalls, and can be erased immediately on request. Locally cached conversation content is removed by the user clearing the extension's local storage or uninstalling the extension, as it never resides on Infi Developments's servers.
12. Audits
Infi Developments shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, subject to reasonable notice, confidentiality, and no more than once per twelve-month period unless required by a supervisory authority.
13. Liability, Term and Governing Law
This DPA takes effect on the Effective Date and remains in force for as long as Infi Developments processes personal data on behalf of the Controller. Liability under this DPA is subject to the limitations and exclusions of liability set out in the main agreement between the parties. This DPA is governed by the laws of the State of Israel, without prejudice to the mandatory application of the GDPR.
Annex 1: Details of Processing
- Subject matter: provision of the AI Toolbox extension and backend sync services.
- Duration: for the term of the Controller's use of the Service.
- Nature and purpose: storing and synchronising organisational metadata and account identifiers to provide folders, saved prompts, bookmarks, tags, labels, search, and export across devices.
- Categories of personal data: email address; where applicable a numeric platform user id; organisational metadata created by the user (folder names, prompt names and content, bookmarks, tags, message labels, pinned items); aggregate usage counts and preferences. Conversation content is not processed on Infi Developments servers (stored locally in the user's browser).
- Special category data: none intended or requested. Users are instructed not to store special-category data in metadata fields.
- Categories of data subjects: the Controller's authorised users of the Service.
- Frequency of processing: continuous, for the duration of use.
Annex 2: Technical and Organisational Measures
- Data residency: all backend infrastructure is located in the European Union (DigitalOcean, Frankfurt, Germany). The database is hosted on the same infrastructure in the same location.
- Data minimisation: conversation content is never transmitted to or stored on Infi Developments servers; only organisational metadata and account identifiers are synced.
- Encryption at rest: sensitive synced fields (including prompt names and content, folder names, tags, labels) and the user's email address are encrypted at rest using AES.
- Encryption in transit: all communication between the extension and the backend is protected with TLS/HTTPS.
- Access control and authentication: signed JSON Web Tokens for API authentication; bcrypt password hashing and TOTP two-factor authentication for administrative and enterprise access; least-privilege access to production systems.
- Network and application security: reverse proxy (nginx) with TLS termination; HTTP security headers; CORS restrictions; API rate limiting and denial-of-service protection.
- Deletion: a complete erasure routine removes all records tied to an account across every data store; scheduled deletion on uninstall.
- Monitoring and maintenance: process supervision and regular dependency and operating-system updates on the production host.
Annex 3: Approved Sub-processors
- DigitalOcean, LLC — cloud infrastructure hosting (compute and object storage). Location: European Union (Frankfurt, Germany).
- OpenAI — on-demand summarisation of a single conversation when the user invokes Context Mentions or context handoff; requests are transient and not retained. Location: United States (SCCs).
- Polar Software Inc. — payment and subscription processing. Location: United States (SCCs).
- Lemon Squeezy — legacy payment and subscription processing for existing customers. Location: United States (SCCs).
- Zoho Corporation — delivery of transactional and support email. Location: India / United States (SCCs).
- Google LLC (Google Sheets API) — internal aggregate analytics reporting (no conversation content or user-identifying metadata). Location: United States (SCCs).
Customers who purchase through the AppSumo marketplace transact with AppSumo directly; AppSumo processes their purchase and billing information as a separate controller.
Requesting a signed copy: a countersigned DPA is available on request. Email [email protected] and we will provide one.
Effective Date: July 09, 2026
Last Updated: July 09, 2026