Data Processing Information

Third-Party Data Recipients (Independent Controllers)

The following service receives personal data but operates as an independent data controller under its own privacy policy. This is not a sub-processor relationship under GDPR Article 28; rather, this party independently determines the purposes and means of processing the data it receives.

International Data Transfers

As a US-based company, we transfer and process data in the United States. For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal mechanisms for lawful data transfers:

Standard Contractual Clauses (SCCs)

We have implemented Standard Contractual Clauses as approved by the European Commission with all sub-processors listed above. These clauses provide appropriate safeguards for your personal data when transferred outside the EEA.

Supplementary Security Measures

In accordance with the Schrems II decision, we have implemented additional technical and organizational measures to protect data transfers:

• Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Strict authentication and authorization controls limit access to personal data
• Data Minimization: We only transfer the minimum data necessary to provide our services
• Pseudonymization: Where possible, we pseudonymize data before transfer to AI service providers
• Contractual Commitments: All sub-processors are contractually bound to protect EU data and resist government access requests

Data Retention

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:

Active Account Data

• Profile Data: Retained while your account is active and deleted within 30 days of account deletion
• Generated Content: Deleted within 30 days of account deletion
• Communication Logs: Retained for 12 months for service improvement and support

Financial and Legal Records

• Billing Records: Retained for 7 years to comply with tax and accounting requirements
• Affiliate Commission Records: Retained for 7 years for tax reporting (IRS 1099 requirements)
• Legal Compliance Records: Retained as required by applicable laws

Analytics and Tracking

• Affiliate Visit Data: IP addresses pseudonymized after 90 days, visit records retained for 24 months
• Analytics Data: Aggregated and anonymized after 12 months
• Server Logs: Retained for 90 days for security monitoring

Data Security Breach Notification

In the unlikely event of a data security breach that affects your personal information, we will:

Notification Timeline (GDPR Compliance)

• Within 72 hours: Notify the appropriate supervisory authority (for EU residents)
• Without undue delay: Notify affected users if the breach is likely to result in high risk to your rights and freedoms
• Within 60 days: Notify California residents (CCPA requirement) if applicable

What We Will Tell You

Our breach notifications will include:

• The nature of the breach and data types affected
• The likely consequences of the breach
• The measures we have taken or will take to address the breach
• Contact information for our Data Protection Officer or security team
• Recommended steps you can take to protect yourself

Your Rights Regarding Data Processing

Under GDPR and similar data protection laws, you have the following rights:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data (subject to legal retention requirements)
• Right to Restrict Processing: Request we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, please contact us at privacy@prbot.ai.

Supervisory Authority Contact

If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection authority.

EU Data Protection Authorities

A list of EEA data protection authorities can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

UK Information Commissioner's Office (ICO)

Website: https://ico.org.uk/
Phone: +44 303 123 1113

Changes to Sub-Processors

We may add, replace, or remove sub-processors as necessary to provide and improve our Service. We will:

• Update this page with any changes to our sub-processor list
• Ensure all new sub-processors meet our data protection standards
• Obtain appropriate Data Processing Agreements before engaging new processors

Contact Us

For questions about our data processing practices or to exercise your data protection rights, please contact:

• Email: privacy@prbot.ai
• Postal Address: StartupBros LLC, 100 1st Ave N, #2706, St. Petersburg, FL 33701, USA