The Promptists – Data Sharing and International Transfers Addendum

This Addendum explains how personal data is shared between independent Controllers using the Platform and the safeguards applied to international data transfers in accordance with applicable data protection laws. It should be read together with our Privacy Policy and Terms of Service, which govern your use of the Platform.

1. Purpose and Scope

This Data Sharing and International Transfers Addendum ("Addendum") forms part of and is incorporated into The Promptists Terms of Service ("Terms"). It governs the sharing of personal data between independent data controllers when using The Promptists Platform ("Platform"), and sets out obligations relating to international transfers in accordance with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR") and UK GDPR.

This Addendum applies where Users (as Controllers) exchange or process personal data through the Platform, and where The Promptists LLC ("The Company") also processes personal data as an independent Controller for its own defined purposes.

2. Independent Controller Status

Each Party acts as an independent Controller with respect to the personal data it processes. Nothing in this Addendum creates joint controllership, and The Company does not act as a Processor for Users. Each User remains solely responsible for determining the lawful basis, purpose, and scope of personal data they upload, transmit, or otherwise process through the Platform.

3. No Joint Controllership

The Parties agree that they do not jointly determine the purposes or means of processing and therefore are not joint Controllers. Each Party shall independently comply with its respective obligations under applicable data protection laws.

4. Obligations of Each Controller

Each User, as an independent Controller, agrees to:

4.1 Ensure it has a valid legal basis for processing personal data.

4.2 Provide all required notices and secure all necessary consents.

4.3 Respond to data subject requests directed to them under GDPR and UK GDPR.

4.4 Comply with applicable data protection, privacy, and data security laws.

4.5 Not collect or share personal data through the Platform that violates law or the rights of others.

The Company, as an independent Controller, shall:

4.6 Process personal data for Platform-related purposes, including trust and safety, security, dispute resolution, fraud prevention, analytics, and enforcement of the Terms.

4.7 Provide appropriate notices through its Privacy Policy and maintain a lawful basis for its processing activities.

4.8 Support Users by fulfilling relevant Platform-level obligations (e.g., security, cooperation, and transparency).

5. Sub-Processor Transparency (Platform Infrastructure)

For transparency, the Platform uses the following service providers, which may process personal data:

Stripe (payments)

GetStream.io (messaging, voice, video, recording, transcription)

Google Analytics (analytics)

Supabase (infrastructure and storage)

These entities act as processors to The Company in its capacity as an independent Controller.

6. International Data Transfers

Where personal data is transferred outside the EU or UK, such transfers shall rely on:

• 6.1 An adequacy decision; or
• 6.2 Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms; and
• 6.3 Supplementary safeguards where required.

7. Security Measures

Each Party shall implement technical and organizational measures appropriate to the risk, including access controls, encryption where applicable, and secure storage. The Company shall maintain platform-level security measures consistent with its Privacy Policy.

8. Cooperation and Data Subject Rights

Where reasonable and lawful, the Parties shall:

Each Party remains independently responsible for responding to requests directed to it.

• 8.1 Cooperate in good faith in responding to data subject requests.
• 8.2 Notify one another of relevant requests where shared data is implicated.

9. Personal Data Breach Notification

If a Controller becomes aware of a personal data breach affecting shared data, that Controller shall notify the other Party without undue delay and provide reasonable cooperation. Each Party remains responsible for any required regulatory or data subject notifications applicable to its own processing.

10. Retention and Deletion

Each Party determines its own retention periods. The Company may retain communications and Platform records as described in its Privacy Policy and Terms, including for trust, safety, enforcement, and dispute resolution purposes. Users remain responsible for their own retention decisions outside the Platform.

11. Governing Law, Liability, and Dispute Resolution

This Addendum is governed by and subject to the Terms, including:

In the event of conflict, the Terms shall prevail.

• 11.1 Governing law (Delaware).
• 11.2 Mandatory arbitration and class action waiver.
• 11.3 Limitations of liability, which apply equally to this Addendum.

12. Order of Precedence

If there is any inconsistency between this Addendum and the Terms, this Addendum controls solely with respect to data protection and international transfer matters. All other provisions of the Terms remain in full force and effect.

13. Acceptance and Incorporation

By using the Platform, continuing to access the Platform, or otherwise processing personal data through it, the User acknowledges and agrees to this Addendum. This Addendum is incorporated by reference into the Terms.

End of Addendum