Data Processing Agreement
Last updated: 2026-04-27
This Data Processing Agreement ("DPA") supplements the Terms of Service and applies when you ("Customer") use MentionsAPI to process data subject to GDPR, UK GDPR, CCPA, or comparable data protection laws. By creating an account or sending API requests, you accept this DPA.
1. Roles
For data you submit through the API (queries, brand strings, webhook URLs, account information), you are the data controller and we are the data processor. We process this data only on your documented instructions, which are the API calls you make and the account configuration you set.
2. Categories of data
- Account data — email, password hash, billing address, API keys (hashed at rest).
- Request metadata — timestamp, mode, cost, cache status, upstream success/failure, providers called. We do not retain request bodies (queries) or response bodies (model answers) beyond the request window.
- Webhook configuration — destination URLs and signing secrets you provide for /v1/watch. Secrets are encrypted at rest where the encryption migration is in effect; otherwise they are stored in restricted-access tables.
3. Subprocessors
We rely on the following named subprocessors to deliver the API. Customer data may flow through these providers strictly to the extent necessary to fulfill API requests:
| Subprocessor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | API hosting (Workers), CDN, edge security | Global |
| Supabase, Inc. | Database, authentication, edge functions | United States |
| Stripe, Inc. | Payment processing, top-up checkout, card storage | United States |
| OpenAI, OpenCloud LLC | ChatGPT API responses (mode:quick) | United States |
| Anthropic, PBC | Claude API responses (mode:quick) | United States |
| Google LLC | Gemini API responses (mode:quick) | United States |
| Perplexity AI, Inc. | Perplexity API responses (mode:quick) | United States |
| Browser-based scraping infrastructure | Live UI extraction for *_live, ai_overview, ai_mode, bing_copilot modes | Multi-region |
We may add or replace subprocessors. Material changes will be posted at this URL with at least 30 days' notice for billed customers. Continued use after the notice period constitutes acceptance.
4. International transfers
If you are located in the EEA, UK, or Switzerland, your data may be transferred to the United States and other jurisdictions where our subprocessors operate. We rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and equivalent mechanisms where applicable.
5. Security measures
We implement organizational and technical security measures appropriate to the risk, including encryption in transit (TLS), hashed API keys at rest, role-based access controls, RLS-enforced database isolation per account, and audit logs for billing and sensitive operations. See the full security overview at /legal/security.
6. Data subject rights
We support your obligations under GDPR Articles 15–22 and CCPA §1798.105 by providing self-serve account deletion (Settings page) and an email channel at [email protected] for export, correction, restriction, and erasure requests. We respond to verified requests within 30 days.
7. Breach notification
We will notify you without undue delay (and within 72 hours of our confirmed awareness) of any personal data breach affecting your data, with the information required by GDPR Art. 33.
8. Retention & deletion
- Request metadata (usage_events): retained 90 days, then aggregated to monthly totals; the per-event rows are deleted.
- Account data: retained while your account is active. Deleted within 30 days of account closure or upon a verified erasure request.
- Payment records: retained per Stripe's policies and US tax law.
9. Audits
On reasonable written request and no more than once per year, we will respond to a customer audit questionnaire (e.g., a CAIQ-Lite or vendor security review) covering the matters described in this DPA. Direct on-premises audits require a separate written agreement.
10. Term & termination
This DPA remains in effect for as long as we process your data under the Terms of Service. On termination of the Service, we will delete or return your data in accordance with Section 8 unless applicable law requires retention.
11. Contact
DPA, GDPR, or privacy questions: [email protected].