Data Processing Addendum

Effective: May 9, 2026

This is a template. If you're a B2B customer (typically Agency-tier) who needs a signed DPA for GDPR, UK GDPR, or your own compliance program, email legal@bddr.ai with subject line "DPA request." We'll countersign and return a PDF copy naming you and your organization as Customer.

1. Definitions

The capitalized terms below have the meaning given by Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK General Data Protection Regulation (UK GDPR):

  • "Personal Data" — any information relating to an identified or identifiable natural person.
  • "Processing" — any operation performed on Personal Data.
  • "Data Subject" — the identified or identifiable natural person to whom Personal Data relates.
  • "Controller" — the party that determines the purposes and means of Processing.
  • "Processor" — the party that Processes Personal Data on behalf of the Controller.
  • "Sub-processor" — a Processor engaged by another Processor.
  • "Customer" — the party identified as Customer in the parties' subscription agreement or on the signature page of this Addendum.
  • "Provider" — Mini Parakeet LLC, a limited liability company organized under the laws of Oklahoma, United States.
  • "Service" — the bddr.ai Chrome extension and related software and services.
  • "Data Protection Laws" — the GDPR, UK GDPR, and other applicable laws governing the Processing of Personal Data.

2. Scope and subject matter

This Addendum supplements the Terms of Service and applies to Personal Data Processed by Provider on behalf of Customer in the course of providing the Service. The term of this Addendum follows the term of the subscription.

3. Roles

Customer is the Controller of the Personal Data it provides to, or causes to be processed through, the Service. Provider is the Processor. Where Processing falls outside the Service's intended use, the parties will determine roles in writing.

4. Customer obligations

  • Customer has a lawful basis for Processing the Personal Data it submits to the Service.
  • Customer has provided any notices and obtained any consents required by Data Protection Laws from relevant Data Subjects.
  • Customer has authority to give Provider the Processing instructions implicit in Customer's configuration and use of the Service.
  • Customer remains responsible for responding to Data Subject requests addressed to Customer.

5. Provider obligations

Provider will:

  • Process Personal Data only on Customer's documented instructions, including for the purposes of providing the Service, unless required otherwise by applicable law (in which case Provider will inform Customer unless the law prohibits notice).
  • Ensure that personnel authorized to Process Personal Data are bound by obligations of confidentiality.
  • Implement and maintain the technical and organizational measures described in Annex C.
  • Notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data Breach affecting Customer's data.
  • Assist Customer, through appropriate technical and organizational measures and insofar as possible, in responding to Data Subject requests.
  • Assist Customer in meeting its obligations under Articles 32–36 GDPR (security, data protection impact assessments, prior consultation).
  • At Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
  • Make available to Customer information necessary to demonstrate compliance with this Addendum, and allow audits as described in Section 11.

6. Sub-processors

Customer grants general authorization for the engagement of Sub-processors listed in the sub-processors table of our Privacy Policy (the current list is incorporated by reference as Annex B).

Provider will provide at least 30 days' advance notice of the addition or replacement of a Sub-processor by updating the Privacy Policy sub-processors table and, for Customers who have subscribed to notifications, by email. Customer may object to a new Sub-processor on reasonable Data Protection grounds within 15 days of notice by emailing legal@bddr.ai; if the parties cannot resolve the objection, Customer may terminate the Addendum and subscription for a pro-rata refund of unused pre-paid fees.

Provider will impose on Sub-processors written obligations substantially equivalent to those of this Addendum. Provider remains responsible to Customer for the acts and omissions of its Sub-processors.

7. Security measures

Provider's technical and organizational measures are described in Annex C. Provider may update these measures from time to time, provided the updated measures do not materially degrade protection.

8. Data Subject requests

Provider will promptly forward to Customer any Data Subject request it receives that relates to Customer's Personal Data, and will not respond to such requests directly (except to confirm receipt and refer the Data Subject to Customer). Provider will assist Customer in responding to such requests within 10 business days of Customer's request for assistance.

9. Personal Data Breach notification

Provider will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Customer's Personal Data. The notification will include, to the extent known:

  • The nature of the breach, including categories and approximate number of Data Subjects and records affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach and mitigate adverse effects;
  • The contact point for further information.

Notification is not an acknowledgment of fault or liability. Customer is responsible for making any notifications to Data Subjects or supervisory authorities that may be required under Data Protection Laws.

10. International transfers

Where Customer's use of the Service involves the transfer of Personal Data to a country outside the European Economic Area, United Kingdom, or another jurisdiction that imposes cross-border transfer requirements, the parties will rely on the applicable Standard Contractual Clauses (or their UK or Swiss equivalents). If Customer requires the formal execution of such clauses, email legal@bddr.ai and the parties will do so.

11. Audits

Provider will respond to reasonable written requests from Customer for information necessary to demonstrate compliance with this Addendum, including through a security questionnaire. Provider will respond within 30 days.

On request from Agency-tier Customers, Provider will permit an on-site audit no more than once per 12-month period, during business hours, at Customer's expense, with at least 30 days' written notice, by a third-party auditor reasonably acceptable to Provider, and subject to reasonable confidentiality obligations. The scope of any audit is limited to Provider's Processing of Customer's Personal Data.

12. Term, termination, and deletion

This Addendum remains in effect as long as Provider Processes Customer's Personal Data. On termination of the subscription, at Customer's written choice, Provider will delete or return all Personal Data within 30 days and delete existing copies, unless applicable law requires retention. Customer may verify deletion by written confirmation from Provider.

Backups retained for routine backup cycles will be cycled through and overwritten in the ordinary course.

13. Liability

The limitations of liability in the Terms of Service apply to the subject matter of this Addendum, except where mandatory Data Protection Laws provide for specific allocations of liability that the parties cannot modify by contract.

14. General

This Addendum is part of the Terms of Service. In case of conflict between this Addendum and the Terms of Service with respect to the Processing of Personal Data, this Addendum controls. Amendment requires a signed writing. Governing law, venue, and dispute resolution follow the Terms of Service.

Annex A — Details of Processing

  • Subject matter: Processing of Personal Data in connection with Customer's use of the Service.
  • Duration: For the term of the subscription, plus any retention period permitted by law or chosen by Customer.
  • Nature and purpose: Providing bid optimization, analytics, and related features within the Amazon Advertising Console; processing billing; delivering support; security and fraud prevention; improving the Service.
  • Types of Personal Data: Customer contact details (name, email, billing address); license keys; anonymous telemetry payloads (where Customer opts in, scoped per installation); OAuth tokens (stored in Customer's browser; refreshed via Provider's proxy); advertising account identifiers exchanged with Amazon when Customer connects the API; anonymized numeric metrics for AI Guide requests initiated by Customer's end users.
  • Categories of Data Subjects: Customer's authorized users of the Service.

Annex B — Sub-processors

The current list is maintained at bddr.ai/privacy (Section 7 of the Privacy Policy). The list is incorporated here by reference and may be updated per Section 6 of this Addendum.

Annex C — Technical and organizational measures

Provider maintains the following measures, which may be updated from time to time:

  • Access controls. Least-privilege access to production systems. Secrets managed through Cloudflare Wrangler.
  • Transit encryption. TLS 1.2+ for all data in transit to Provider-operated systems and to Sub-processors.
  • Request integrity. HMAC-SHA-256 signatures on AI Guide requests; license verification prior to forwarding.
  • Anonymization. Entity names replaced with proxy IDs before AI Guide data leaves the Data Subject's browser; mapping never persisted.
  • Local-first architecture. The Service is designed so Customer's advertising data does not traverse Provider's backend.
  • Logging and monitoring. Request-level logging on Cloudflare Workers; AI Guide request/response payloads are not persisted; anonymous telemetry retained 90 days, then pruned.
  • Change management. Version control; automated testing; dependency updates via Dependabot; deployment via GitHub Actions.
  • Incident response. Documented disclosure process at bddr.ai/security.
  • Personnel. Confidentiality obligations for personnel with access to Personal Data.

Signatures

A signed copy is provided on request. The signed copy will identify:

  • Customer's legal entity name and address;
  • Customer's authorized signatory;
  • Provider's authorized signatory;
  • Effective date;
  • Reference to the underlying subscription order or agreement.

Revision history

  • April 14, 2026 — Initial version.