Data Processing Agreement

Last updated: June 14, 2026

This agreement describes how Learn Domains processes customer data as a processor: what we store, what we do with it, how we protect it, and where subprocessors fit. For the full vendor list, see our Subprocessors page.

On this page

  • 01 Definitions
  • 02 Scope and role
  • 03 Categories of data processed
  • 04 Processing activities
  • 05 Security measures
  • 06 Data retention and deletion
  • 07 Customer rights
  • 08 International data transfers
  • 09 Subprocessors
  • 10 Assistance and incidents
  • 11 Contact

01 Definitions

In this Data Processing Agreement ("DPA"), the following terms have the meanings below. Capitalized terms not defined here have the meanings in our Terms of Service or Privacy Policy.

  • "Controller" means the entity that determines the purposes and means of processing personal data. For data you upload or connect about your websites and business, you are typically the Controller.
  • "Processor" means the entity that processes personal data on behalf of the Controller. Learn Domains acts as a Processor when handling your connected website data, knowledge base content, AI prompts, and related outputs to provide the Service.
  • "Customer" means the organization or individual that has an account with Learn Domains and uses the Service under our Terms of Service.
  • "Services" means the Learn Domains Digital Asset Intelligence Command Center at learn.domains and app.learn.domains, including Mission Brief, Opportunity Engine, AI Growth Analyst, Content Operations, Knowledge Base, Digital Asset Vault (when purchased), integrations, billing, and support features described in our product documentation.
  • "Customer Data" means personal data and business content you provide or connect through the Services, including account information, website configuration, integration data, knowledge base and vault assets, AI prompts and outputs, content drafts, and support communications.
  • "Subprocessors" means third-party service providers engaged by Learn Domains to process Customer Data. The current list is published at /subprocessors.

02 Scope and role

Learn Domains is a Digital Asset Intelligence Command Center. Customers connect websites and optional data sources (Google Search Console, Google Analytics, Stripe revenue read access), add brand knowledge, and use AI-assisted features to receive ranked recommendations, briefs, opportunities, and content drafts. You remain responsible for deciding what to publish and what integrations to connect.

When we process Customer Data to deliver the Service on your instructions (through your account actions and configuration), we act as a Processor. When we process data for our own account administration, billing, security, product analytics, or marketing site operations, we act as a Controller — that processing is described in our Privacy Policy.

This DPA supplements our Terms of Service and Privacy Policy. If there is a conflict between this DPA and the Terms regarding the processing of Customer Data, this DPA controls for processing matters.

03 Categories of data processed

We process only the categories of data required to operate the Service. The exact fields stored depend on your usage:

  • Account and identity data: name, email, organization name, Clerk user and organization identifiers, role assignments.
  • Billing metadata: subscription plan, status, Stripe customer and subscription identifiers, credit balances and usage — card numbers are handled by Stripe and are not stored by Learn Domains.
  • Website and asset configuration: domains, brand context, industry, goals, competitors, and related metadata you provide per website.
  • Google Search Console data (read-only, when connected): clicks, impressions, CTR, average position, and query/page dimensions you authorize.
  • Google Analytics (GA4) data (read-only, when connected): sessions, users, pageviews, engagement, landing pages, and traffic sources.
  • Stripe revenue data (read-only restricted key, when connected): revenue, MRR, active subscriptions, customers, and transaction metadata.
  • Knowledge Base content: documents, notes, URL library entries, and embeddings derived from content you upload or approve.
  • Digital Asset Vault content (when purchased): brand guidelines, SOPs, playbooks, and other long-term memory assets you upload.
  • Intelligence outputs: Mission Briefs, opportunities, SEO recommendations, digital asset scores, and related structured analysis.
  • AI Growth Analyst data: conversation threads, prompts, model outputs, token usage, and credit charges.
  • Content Operations data: content briefs, outlines, drafts, FAQs, internal link suggestions, and quality reports (drafts only — no auto-publish).
  • Directory Accelerator data (when purchased): directory qualification results and submission assets for your website.
  • Support and communications: messages sent via contact form, email, or the homepage chatbot.
  • Affiliate and referral data (for program participants): referral codes, attribution, conversions, and payout metadata.
  • Technical logs: request metadata, job status, integration sync results, and security events — not full integration exports in client analytics.

04 Processing activities

We process Customer Data to perform the following activities, each gated by your account configuration and plan entitlements:

  • Account provisioning and authentication through Clerk, with organization-scoped access enforced in the application and database.
  • Integration sync: scheduled and on-demand pulls of Search Console, GA4, and Stripe metrics; credentials are envelope-encrypted (AES-256-GCM) before storage.
  • Knowledge Base ingestion: chunking, embedding (OpenAI text-embedding-3-small), and retrieval to ground AI outputs in your brand context.
  • Mission Brief generation: deterministic analysis plus optional AI enhancement to rank weekly orders for your website.
  • Opportunity Engine: decay, cannibalization, striking-distance, and gap detection across connected metrics.
  • AI Growth Analyst: conversational Q&A grounded in your connected data and Knowledge Base, routed through the AI Model Router with credit reservation.
  • Content Operations: opportunity-to-draft pipeline with human review states (no automatic publishing to your site).
  • Digital Asset Vault (when entitled): long-term brand memory storage and retrieval for entitled organizations.
  • Directory Accelerator (when purchased): deterministic directory discovery and submission asset generation.
  • Billing and credits: Stripe-verified subscription lifecycle, credit grants, reservations, and usage logging.
  • Transactional email via Resend for account, billing, and operational notices.
  • Rate limiting via Upstash Redis on expensive endpoints to prevent abuse.

We do not sell Customer Data. We do not use Google user data for advertising. AI inputs are sent to third-party model providers only to generate outputs you request, under those providers' API terms.

05 Security measures

We implement technical and organizational measures aligned with our Security page and confirmed v1 architecture. These reflect what is actually deployed — not aspirational certifications:

  • Encryption in transit: all public traffic is served over TLS (HTTPS).
  • Encryption at rest: tenant data is stored in managed Postgres (Supabase) with provider-level encryption at rest.
  • Credential protection: third-party integration tokens and keys are AES-256-GCM envelope-encrypted before storage; connecting integrations is blocked until encryption is configured.
  • Authentication: Clerk manages sign-in, sessions, and MFA; sessions use short-lived signed tokens.
  • Authorization: organization roles (owner, admin, member, client) plus platform roles for admin tooling; enforced in the service layer and again with Supabase Row Level Security (deny-by-default on tenant tables).
  • Billing integrity: Stripe webhooks are signature-verified and idempotent; credits grant only after confirmed payment.
  • Google OAuth: read-only scopes only; signed and encrypted OAuth state binds connections to your organization.
  • AI routing: all model calls flow through a single server-side router with token and cost logging; expensive AI work is credit-gated.
  • Secrets isolation: API keys and provider credentials exist only on the server and are never exposed to the browser.
  • Operational access: production data access is limited to authorized operators and logged.

No method of transmission or storage is completely secure. We design for graceful failure — degraded integrations are surfaced clearly rather than silently retried with stale credentials.

06 Data retention and deletion

We retain Customer Data for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. When data is no longer needed, we delete or anonymize it.

You can disconnect integrations at any time, which revokes our ongoing access to that source. You can request account and data deletion by emailing from the address on your account or through account settings where available. Verified deletion requests are processed within a reasonable time, subject to legal retention requirements.

Purchased credit packs do not expire, but that billing rule does not extend personal data retention beyond what is needed to operate the Service.

07 Customer rights

Depending on your location, you and your end users may have rights regarding personal data, including rights to access, correct, export, restrict, object to, or delete processing. As Controller for much of the data you connect, you are responsible for honoring those rights for your users where applicable.

  • Access: view account, billing, and much of your connected data inside the app.
  • Correction: update website configuration, knowledge base content, and account details in settings.
  • Export: request a structured copy via our Data Requests page at /data-requests.
  • Deletion: request account deletion via /data-requests or as described in our Privacy Policy.
  • Restriction and objection: contact us if you need to restrict certain processing; disconnecting an integration stops further collection from that source.

08 International data transfers

Learn Domains and our Subprocessors may process data in the United States and other countries where they operate. Where required by applicable law, we rely on appropriate safeguards for cross-border transfers, including standard contractual mechanisms offered by Subprocessors where available.

09 Subprocessors

We engage Subprocessors to provide the Service. The current list — including each provider's purpose, category, and website — is maintained at /subprocessors.

We publish subprocessors at /subprocessors and update that page when providers change. When we add or replace a subprocessor that will process Customer Data, we provide at least 30 days advance notice to organization owners by email before the new provider goes live, except where the change is required for security, legal compliance, or an emergency and advance notice is not reasonably practicable.

Notice period: at least 30 days by email to organization owners before a new subprocessor processes Customer Data, except for security, legal, or emergency changes where advance notice is not reasonably practicable. If you object to a new subprocessor on reasonable data-protection grounds, contact us before the effective date. If we cannot resolve your concern, you may cancel your subscription; access continues through the end of the paid period.

You authorize our use of Subprocessors to process Customer Data as described in this DPA, provided we remain responsible for their processing under our instructions for the core Service delivery.

10 Assistance and incidents

We will provide reasonable assistance for data protection inquiries you receive that relate to our processing of Customer Data, to the extent we can do so without revealing other customers' confidential information.

If we become aware of a security incident that materially affects Customer Data in our custody, we will notify you without undue delay and provide information reasonably necessary for you to meet your obligations, consistent with our Security page and operational runbooks.

11 Contact

Questions about this DPA or how we process Customer Data? Contact hi@learn.domains. For security concerns, include "Security" in the subject line.

Learn Domains provides intelligence and recommendations. We do not control search engines and do not guarantee any specific rankings, traffic, or revenue. Results depend on your work and many factors outside our control.

© 2026 Learn Domains®. All Rights Reserved.