Back to Legal

Data Processing Addendum

Effective: March 3, 2026Last updated: March 3, 2026

This Data Processing Addendum applies to the processing of personal data by Montaic on behalf of subscribers.

7.1 Definitions

“Personal data,” “processing,” “data controller,” and “data processor” have the meanings given to them under applicable data protection laws (including GDPR and CCPA/CPRA). For CCPA purposes, “service provider,” “contractor,” “business purpose,” and “sell/share” have the meanings given under the CCPA.

7.2 Roles

For the purposes of data protection law: You (the subscriber) are the data controller (or “business” under CCPA) with respect to the personal data of your clients and contacts that you input into the platform. Montaic acts as a data processor (or “service provider” under CCPA), processing personal data on your behalf and in accordance with your instructions as provided through your use of the Services.

7.3 Processing Scope

Montaic processes personal data only to the extent necessary to provide the Services, including: content generation based on your inputs; storage of your listing data and generated content; payment processing through Stripe; and communication delivery.

7.4 CCPA Service Provider Obligations

To the extent Montaic processes personal information as a “service provider” under the CCPA, Montaic shall:

(a) not sell or share personal information received from or on behalf of the subscriber;

(b) not retain, use, or disclose personal information for any purpose other than the business purposes specified in the agreement, including for a commercial purpose other than providing the Services;

(c) not combine personal information received from the subscriber with personal information received from other sources except as permitted by the CCPA;

(d) comply with the CCPA and grant the subscriber the same level of privacy protection as required by the CCPA; and

(e) notify the subscriber if Montaic determines it can no longer meet its CCPA obligations.

7.5 Sub-Processors

Montaic uses the following categories of sub-processors: cloud infrastructure providers (Vercel, Supabase), AI model providers (OpenAI, Anthropic), payment processors (Stripe), and email service providers (Resend). Sub-processors are contractually required to meet the same data protection obligations as Montaic, including applicable CCPA service provider restrictions.

A current list of sub-processors is available upon request. We will notify subscribers at least 14 days before engaging a new sub-processor that processes subscriber data. If you object to a new sub-processor, you may terminate the affected Services within 30 days of notification.

7.6 Data Security Obligations

Montaic implements appropriate technical and organizational measures to protect personal data, including: encryption in transit and at rest, access controls and authentication, regular security assessments, incident response procedures, and employee confidentiality obligations.

7.7 Data Breach Notification

In the event of a personal data breach that is likely to affect your rights or the rights of your clients, we will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach) and provide information necessary for you to fulfill your own breach notification obligations.

7.8 Data Deletion

Upon termination of the Services or upon your written request, we will delete or return all personal data processed on your behalf in accordance with the data lifecycle described in our Terms of Service (Section 1.11), except where retention is required by applicable law.