Data Processing Addendum (DPA)

Last updated: April 2026

This DPA is incorporated into and supplements our Privacy Policy and Terms of Service. It applies to all processing of personal data under applicable data protection laws including GDPR, CCPA, and the Digital Personal Data Protection Act (DPDP Act) 2023.
  • Definitions
  • Scope & Applicability
  • Data Controller & Processor Roles
  • Processing of Personal Data
  • Sub-Processors
  • Security & Safeguards
  • International Data Transfers
  • Data Subject Rights
  • Assistance with Compliance
  • Data Protection Impact Assessment
  • Contact

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (as defined under GDPR Art. 4(1), CCPA § 1798.100, and DPDP Act § 3)
  • Processing: Any operation performed on personal data, such as collection, recording, organization, storage, use, analysis, transmission, or deletion
  • Data Controller: The natural or legal person that determines the purposes and means of processing (you, the user)
  • Data Processor: The natural or legal person that processes personal data on behalf of the controller (PassTheBot)
  • Sub-Processor: A natural or legal person engaged by the processor to process personal data (our AI providers, payment processors, etc.)

2. Scope & Applicability

This DPA applies to all processing of personal data by PassTheBot under:

  • GDPR (EU): Regulation (EU) 2016/679 (General Data Protection Regulation)
  • CCPA (USA - California): California Consumer Privacy Act § 1798.100 et seq.
  • DPDP Act (India): Digital Personal Data Protection Act, 2023
  • Other applicable data protection and privacy laws in jurisdictions where users are located

This DPA is automatically binding on both parties and supersedes any conflicting terms in our Privacy Policy or Terms of Service.


3. Data Controller & Processor Roles

You (the User) are the Data Controller:

  • You determine what personal data to upload (resume, job descriptions)
  • You determine the purposes (ATS optimization, job search analysis)
  • You determine who has access to your data (only you unless you choose to share)

PassTheBot is the Data Processor:

  • We process your personal data only in accordance with your instructions (using our service features)
  • We do not determine the purposes or means of processing independently
  • We process data only for providing the PassTheBot service to you
  • We do not sell, rent, or share your personal data for our own purposes

4. Processing of Personal Data

Categories of Personal Data Processed:

  • Account information (email, name, optional photo)
  • Resume content (name, contact info, experience, skills, education, projects)
  • Job descriptions (text you provide for analysis)
  • Usage data (features used, timestamps, session data)
  • Device/browser data (IP address, user agent, operating system)

Purposes of Processing:

  • Provide ATS scoring, optimization, and analysis features
  • Store and retrieve your resumes across sessions
  • Generate AI-powered recommendations and rewrites
  • Aggregate anonymized analytics to improve the service
  • Send transactional emails (account verification, payment receipts, password resets)
  • Detect and prevent fraud, security threats, and abuse
  • Comply with legal obligations

Duration of Processing:

We process your data only for as long as your account is active. Upon account deletion, personal data is deleted or anonymized within 30 days, except where retention is required by law.


5. Sub-Processors

PassTheBot engages the following sub-processors to process your personal data on our behalf:

| Sub-Processor | Location | Purpose | Data Categories |
|---|---|---|---|
| Groq | United States | AI optimization engine | Resume content, job descriptions |
| OpenRouter | United States | AI fallback provider | Resume content, job descriptions |
| Google Gemini API | United States | AI analysis (fallback) | Resume content, job descriptions |
| Razorpay | India | Payment processing (India) | Email, payment method token |
| Stripe | United States | Payment processing (International) | Email, payment method token |
| Resend | United States | Email delivery (TIER1) | Email address |
| SendGrid | United States | Email delivery (TIER2) | Email address |
| Mailgun | United States | Email delivery (TIER3) | Email address |
| PostHog | United States | Product analytics | Usage data, anonymized events |
| Upstash Redis | United States | Caching & session storage | Session tokens, cached data |
| Cloudflare R2 | Global | File storage (optional) | Resume files (encrypted) |
| PostgreSQL Database | India / US (configurable) | Primary data storage | All user data (encrypted at rest) |

Your Rights Regarding Sub-Processors:

  • You can request a current list of sub-processors at any time by emailing privacy@passthebot.dev
  • We will notify you of any changes to sub-processors with 30 days' advance notice (via email or in-app notification)
  • You have the right to object to the use of specific sub-processors; if you object, we will work with you to resolve your concern or you may terminate your account

6. Security & Safeguards

PassTheBot implements appropriate technical and organizational security measures:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.2+ encryption
  • Encryption at Rest: Personal data stored in our database is encrypted using AES-256 encryption
  • Access Control: Access to your data is restricted to authorized employees who require it to provide the service, all bound by confidentiality agreements
  • Authentication: Account access requires a secure password and optional two-factor authentication
  • Monitoring: We monitor systems for unauthorized access and security threats
  • Incident Response: We have documented procedures to respond to security breaches and notify affected users within legal timeframes
  • Regular Audits: We conduct periodic security audits and penetration testing
  • Data Minimization: We collect only the minimum personal data necessary to provide the service

Limitations: While we employ industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security against all threats.


7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including:

  • United States: AI providers (Groq, OpenRouter, Gemini), email services (Resend, SendGrid, Mailgun), analytics (PostHog), caching (Upstash)
  • India: Payment processing (Razorpay), primary database (configurable)

Legal Safeguards:

  • For GDPR (EU users): We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where applicable
  • For CCPA (California): We comply with the CCPA's requirements for service providers and do not retain, use, or disclose personal information outside the business relationship
  • For DPDP Act (India): We process personal data only with explicit consent and comply with DPDP Act requirements for transfers outside India

8. Data Subject Rights

Depending on your jurisdiction, you have the following rights:

  • Right to Access: You can request a copy of your personal data that we hold. Request via privacy@passthebot.dev
  • Right to Correction: You can correct inaccurate personal data. You can update your account information directly in your account settings
  • Right to Deletion: You can request deletion of your personal data ("right to be forgotten"). We will delete your account and associated data within 30 days of your request
  • Right to Restrict Processing: You can request that we restrict how we process your data in certain circumstances
  • Right to Portability: You can request that we provide your data in a portable format (CSV/JSON) so you can transfer it elsewhere
  • Right to Object: You can object to processing of your data for certain purposes (e.g., marketing emails, analytics)
  • Right to Withdraw Consent: For processing based on your consent, you can withdraw consent at any time without affecting the lawfulness of prior processing

How to Exercise Your Rights:

To exercise any of these rights, email privacy@passthebot.dev with your request. Include your email address and a description of your request. We will respond within 30 days (or longer if permitted by applicable law).


9. Assistance with Compliance

PassTheBot will assist you in fulfilling your obligations under applicable data protection laws, including:

  • Data Subject Requests: We will cooperate with your responses to access, deletion, correction, and portability requests from your users or their data protection authorities
  • Data Protection Impact Assessments (DPIAs): If required under GDPR, we will assist with information needed for DPIA documentation
  • Breach Notifications: We will notify you without undue delay if we discover a breach of personal data, and provide information you need to notify regulators or affected individuals
  • Third-Party Requests: We will not disclose your personal data to law enforcement, courts, or other third parties except as required by law. We will notify you of valid requests where legally permissible

10. Data Protection Impact Assessment

PassTheBot acknowledges that processing of personal data (especially sensitive resume information) may require a Data Protection Impact Assessment (DPIA) under GDPR Article 35.

We will provide reasonable assistance if you need to conduct a DPIA, including:

  • Documentation of our processing activities
  • Security measures and risk mitigation strategies
  • Sub-processor information
  • Details about our data retention and deletion practices

To request DPIA assistance, email privacy@passthebot.dev


11. Contact

For questions about this DPA, data processing, or to exercise your rights:

privacy@passthebot.dev
PassTheBot
Pune, Maharashtra, India

Data Protection Officer (if applicable): Contact privacy@passthebot.dev

Regulatory Authorities:

  • GDPR (EU): European Data Protection Board and your local Data Protection Authority
  • CCPA (California): California Attorney General
  • DPDP Act (India): Data Protection Board of India

Also see our Privacy Policy, Terms of Service, Disclaimer, AI Transparency Statement, and Sub-Processors & Vendors.