Data Processing Addendum
Last updated
This Data Processing Addendum ("DPA") forms part of the agreement between Clearly and Customer ("Agreement") governing the processing of personal data by Clearly on behalf of Customer in connection with the Services. By using the Services, Customer accepts this DPA. Counter-signed copies are available on request.
1. Definitions
"GDPR" means Regulation (EU) 2016/679. "UK GDPR" means the GDPR as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018. Capitalised terms not defined here have the meanings given in the GDPR or the Agreement.
"Personal Data" means any information relating to an identified or identifiable natural person submitted to the Services by Customer or its end users. "Sub-processor" means a third party engaged by Clearly to process Personal Data on Customer's behalf.
2. Roles
The parties agree that, with respect to the processing of Personal Data, Customer is the Controller, Clearly is the Processor, and Clearly will engage Sub-processors under Section 6.
3. Scope and instructions
Clearly will process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by Union or Member State law to which Clearly is subject. The Agreement (including this DPA, the configuration of the Services chosen by Customer, and any product-specific documentation) constitutes Customer's complete and final instructions.
4. Categories of data and data subjects
- Account identifiers (email, name, profile photo)
- Workspace content (documents, messages, projects, uploaded files)
- AI prompts and generated outputs
- Billing identifiers (Stripe customer/subscription IDs; we never receive card numbers)
- Technical telemetry (IP, user agent, route, error stacks) when consent permits
Data subjects include Customer's authorised users, end users of Customer's Shopify storefront, and any natural persons whose data Customer chooses to upload.
5. Confidentiality and security
Clearly will ensure that personnel authorised to process Personal Data are bound by confidentiality obligations. Clearly maintains technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest for storage backends that support it, role-based access controls, audit logging, and regular vulnerability scans.
6. Sub-processors
Customer authorises Clearly to engage Sub-processors to provide the Services. Current Sub-processors:
- Cloudflare, Inc. — hosting, edge compute, durable storage
- Google LLC (Firebase Auth + Firestore + Vertex AI) — auth and AI inference
- Stripe, Inc. — payment processing
- Mailgun Technologies, Inc. — transactional email
- OpenRouter, Inc. — secondary AI inference
Clearly will give Customer 30 days' prior notice of any new Sub-processor by email to Customer's billing contact. Customer may object on reasonable grounds.
7. International transfers
Where Personal Data is transferred from the EEA, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses (Module Two: Controller-to-Processor) issued by the European Commission, with Clearly as data importer. The UK Addendum to the SCCs is incorporated for transfers from the United Kingdom.
8. Data subject rights
Clearly will assist Customer through appropriate technical and organisational measures, taking into account the nature of the processing, in fulfilling Customer's obligations to respond to data subject requests under Articles 12 to 23 of the GDPR. Self-serve export and deletion are available within the workspace; assisted exports for large datasets are available on request to privacy@clearly.sh.
9. Breach notification
Clearly will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data, with reasonable detail to enable Customer to comply with its own notification obligations.
10. Audit
Clearly will make available to Customer all information necessary to demonstrate compliance with this DPA, including by providing Clearly's most recent third-party audit reports (e.g., SOC 2 Type II) and information security questionnaires on request. Customer may, no more than once per year, request an audit on 30 days' written notice, conducted at Customer's expense and during business hours.
11. Return or deletion
On termination of the Agreement, Clearly will, at Customer's choice, delete or return all Personal Data to Customer and delete existing copies, save where Union or Member State law requires retention. Default behaviour: a 30-day grace window, followed by permanent deletion across all Sub-processors.
12. Term and effect
This DPA takes effect on Customer's acceptance of the Agreement and remains in force for the duration of the Services. In the event of a conflict between this DPA and the Agreement, this DPA prevails for matters concerning the processing of Personal Data.
13. Contact
Privacy and DPA matters: privacy@clearly.sh. Counter-signature: legal@clearly.sh.