SendLint

1. Subject matter & duration

Processor processes personal data submitted by Controller’s users (email QA inputs, account credentials, usage telemetry) for the duration of the active service subscription, terminating automatically upon account deletion.

2. Nature & purpose of processing

Processing is limited to (a) hosting and analyzing the email HTML Controller uploads, (b) generating QA reports against Controller’s configured brand rules, (c) optional AI passes against Anthropic Claude with explicit per-call opt-in, and (d) operational telemetry necessary to run the service (auth, billing, performance monitoring).

3. Categories of data subjects & personal data

Data subjects: Controller’s end-customers whose email addresses or names may appear inside marketing email HTML submitted for QA, plus Controller’s own employees authenticated to the platform.
Personal data: Account email + display name + role; raw email HTML which may include subscriber names, addresses, transactional values, or other tokens; payment instrument metadata processed by Stripe (Processor never sees full card numbers).

4. Sub-processors

The following sub-processors are engaged. Processor will give Controller 30 days’ notice before adding a new sub-processor:

• Supabase (database, auth) — US East & EU
• Vercel (hosting, edge) — global edge
• Anthropic (AI features, opt-in only) — US
• Stripe (billing) — US, processes Standard Contractual Clauses
• Resend (transactional email) — US
• Sentry (error reporting) — US/EU
• PostHog (product analytics) — US

5. Security measures

Processor implements TLS 1.2+ in transit, AES-256 at rest, row-level security at the database layer, principle-of-least-privilege service-role usage, SSRF protections on outbound rendering, and rate limiting per-IP and per-org on heavy routes. Access to production data is restricted to named operators and logged.

6. Data subject rights

Controller may exercise rights of access, rectification, erasure, restriction, and portability on behalf of its data subjects via the in-product profile page or by emailing admin@sendlint.com. Processor will respond within 30 days of a verified request.

7. International transfers

Where personal data is transferred outside the EU/UK, Processor relies on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and an assessment of equivalent protection in the destination jurisdiction. A copy of the executed SCCs is available upon request.

8. Breach notification

Processor will notify Controller in writing within 72 hours of becoming aware of a personal data breach affecting Controller’s data, including the categories and approximate number of data subjects affected and the steps taken to mitigate the breach.

9. Audit rights

Processor will make available all information necessary to demonstrate compliance with this DPA. Controller may, with 30 days’ notice and no more than annually, conduct or commission an audit; audits will be conducted during business hours and will not unreasonably interfere with Processor’s operations.

10. Return or deletion of data

On termination of the service, Processor will, at Controller’s choice, return all personal data or delete it (including from sub-processors), within 30 days of termination, unless retention is required by law.

Execution

This DPA may be incorporated by reference into your subscription. For a counter-signed copy, contact admin@sendlint.com. For the full privacy policy see our privacy page.