Data Processing Agreement

Our commitment to GDPR compliance and data protection

Last updated: June 2025

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between Women Building with AI ("Data Controller", "we", "us", "our") and the user of our services ("Data Subject", "you", "your"). This DPA supplements our Privacy Policy and governs the processing of personal data in compliance with the General Data Protection Regulation (GDPR).

2. Types of Personal Data Processed

We process the following categories of personal data:

  • Identity Data: Name, username, title
  • Contact Data: Email address, phone number (if provided)
  • Transaction Data: Details about payments and purchases from us
  • Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
  • Usage Data: Information about how you use our website, products, and services
  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Consent: Where you have given clear consent for us to process your personal data for specific purposes
  • Contract: Where processing is necessary for the performance of a contract with you
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation
  • Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party

4. Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Regular backups and disaster recovery procedures
  • Staff training on data protection and security

5. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, and applicable legal requirements.

6. International Data Transfers

We ensure that any transfer of personal data outside the European Economic Area (EEA) complies with GDPR requirements, using appropriate safeguards such as Standard Contractual Clauses or ensuring that the recipient country has an adequate level of data protection.

7. Sub-processors

We use the following sub-processors to help us provide our services:

  • Stripe: Payment processing
  • Resend: Email communications
  • Supabase: Database and authentication services
  • Vercel: Website hosting

All sub-processors are required to comply with GDPR requirements and maintain appropriate security measures.

8. Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of your personal data
  • Right to Rectification: You can request correction of inaccurate data
  • Right to Erasure: You can request deletion of your data in certain circumstances
  • Right to Restrict Processing: You can request limitation of processing in certain circumstances
  • Right to Data Portability: You can request your data in a structured, commonly used format
  • Right to Object: You can object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time

9. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

10. Contact Information

For any questions about this Data Processing Agreement or to exercise your rights, please contact our Data Protection Officer at:

Email: [email protected]
Subject Line: GDPR Data Request

11. Updates to this Agreement

We may update this Data Processing Agreement from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes by posting the new agreement on this page with an updated revision date.