
Data Processing Addendum

Version: 1.0-draft
Effective:
Last updated:
Review status: Draft — pending counsel review

Plain-language summary

  • This is a baseline, future-facing agreement for organisations, partners, and academic users who put other people’s personal data into Clap Ideas.
  • In that case, the organisation is usually the controller (it decides why and how the data is used) and Clap Ideas acts as a processor (it acts on the organisation’s instructions).
  • We list our subprocessors: the outside services we use, such as Google for AI, Stripe for payments, and Sentry for error monitoring.
  • Text used for duplicate detection and search is turned into embeddings on our own systems, so that step does not send your text to any third party.
  • We describe security, help with people’s privacy rights, breach notice, and what happens to data when the agreement ends.
  • The final, signed DPA and our legal entity details are confirmed on formal launch. This page is a draft and is not legal advice; counsel is reviewing it.

1. Purpose and scope

This Data Processing Addendum (“DPA”) describes how Clap Ideas processes personal data on behalf of an organisation that uses the platform. The Clap Ideas party to this DPA is the operator, CLAPPE Inc., of Suite C, 16644 – 71 St, Edmonton, Alberta T5Z 0N5, Canada. This DPA is meant to form part of the agreement between CLAPPE Inc. and the organisation (the “Customer”) once both sign it. Most individual users do not need this DPA; it matters when an organisation, partner, or research group uses Clap Ideas to handle personal data about other people.

This page is a baseline template. The executable version, the precise transfer tools, and any extra terms are confirmed on formal launch, subject to final confirmation by qualified counsel. The default governing law is the Province of Alberta and the federal laws of Canada that apply there. All notices between the parties under this DPA are given by email; we do not offer telephone support. For how we handle data in general, and for the rights of individual users, see the Privacy Policy and the Regional Privacy Rights Notice.

2. Roles: controller and processor

When the Customer uses Clap Ideas to process personal data, the roles are usually as follows:

  • The Customer is the controller. It decides why and how the personal data is processed and is responsible for having a lawful basis to use it.
  • Clap Ideas (CLAPPE Inc.) is the processor. It processes the personal data only to provide the platform and only on the Customer’s documented instructions.

For the public, open parts of the platform — where individuals publish their own ideas and comments — Clap Ideas acts as the controller for that data, and the Privacy Policy governs it, not this DPA.

3. Details of the processing

| Item | Description |
| --- | --- |
| Subject matter | Providing the Clap Ideas platform and its AI features to the Customer and its authorised users. |
| Nature of processing | Collecting, storing, organising, structuring, analysing with AI, displaying, transmitting, and deleting personal data, as needed to run the platform. |
| Purpose | Letting the Customer and its users submit, develop, moderate, and collaborate on ideas, projects, and events, with AI assistance. |
| Duration | For as long as the agreement is in place, plus any short, agreed period to return or delete data after it ends. |

3.1 Categories of data subjects

  • The Customer’s authorised users and account holders.
  • People named or described in content the Customer’s users submit.

3.2 Categories of personal data

  • Account and contact data, such as name or display name and email address.
  • Content data, such as ideas, comments, and project or event records.
  • Technical data, such as IP address, device and browser details, and usage logs.
  • Any personal data the Customer chooses to include in the content it submits. The Customer should not submit special-category data (such as health or biometric data) or children’s data unless it has confirmed a lawful basis and told us in advance.

4. Instructions and confidentiality

  • We process personal data only on the Customer’s documented instructions, including for transfers, unless a law we are subject to requires otherwise. If that happens, we will tell the Customer unless the law forbids it.
  • If we believe an instruction breaks data-protection law, we will tell the Customer.
  • People who process the data for us are bound by a duty of confidentiality and only get access on a need-to-know basis.

5. Subprocessors

We use a small set of trusted outside services (“subprocessors”) to run the platform. The Customer gives general authorisation for the subprocessors below. We will give notice of new subprocessors so the Customer can object on reasonable data-protection grounds. We stay responsible for what our subprocessors do with the data.

| Provider | Purpose | Data categories | Region / transfer notes |
| --- | --- | --- | --- |
| Google (Gemini) | AI generation and classification (idea structuring, drafting, moderation), using Google’s API. | The content submitted for analysis, such as idea text, comments, and drafts. | United States / global. Covered by transfer tools and Google’s terms. |
| Stripe | Payment processing for donations. | Payment and transaction data. Card details are entered on Stripe’s own checkout and never reach our servers. | United States / global. Covered by Stripe’s terms and transfer tools. |
| CLAPPE Inc. | Operator that collects payments on behalf of Clap Ideas. “CLAPPE INC” appears on statements. | Donation and transaction records. | Operator-run. Acts as the contracting and payment-collecting entity. |
| Sentry | Error monitoring for the frontend and backend. | Diagnostic and technical data. Personal-data scrubbing is on, so we do not send personal data into error reports. | United States. Covered by transfer tools and Sentry’s terms. |
| Self-hosted mail server (clapideas.com) | Sending transactional email, such as confirmations and notices. | Email address and the contents of the message. | Operator-run on our own infrastructure. This limits how much email data goes to outside providers. |
| Self-hosted PostgreSQL and Valkey | Primary database, plus cache and task queue. | All platform data described above, as stored and cached. | Operator-run, containerised. The hosting provider and region are confirmed on formal launch. |

Local embeddings. To find duplicate and similar ideas and to power search, we turn text into numeric embeddings on our own systems using a local model. This step does not send your text to any third party. Search also uses our database’s built-in full-text, trigram, and vector features.

6. International data transfers

Some subprocessors are based in, or may process data in, countries outside the EEA or the UK. Where personal data is transferred from a region with cross-border transfer rules, we rely on lawful transfer tools as a baseline, such as the European Commission’s Standard Contractual Clauses and the UK’s International Data Transfer Addendum, together with extra safeguards where they are needed.

The exact transfer tools, and any reliance on an adequacy decision, are confirmed once the contracting entity and hosting region are set on formal launch.

7. Security measures

We keep technical and organisational measures that are appropriate to the risk. These are described in more detail in our Security & Responsible Disclosure Policy and include:

  • Encryption of data in transit using TLS/HTTPS.
  • Strong password hashing (Argon2id) and secure, HTTP-only session cookies.
  • Access controls and least-privilege access for staff and systems.
  • Audit logging of sensitive actions.
  • Dependency scanning and monitoring, with personal-data scrubbing in error reports.

No system is perfectly secure. We keep our measures under review and update them over time.

8. Helping with data-subject rights

Taking into account the nature of the processing, we will give the Customer reasonable help to:

  • Respond to requests from individuals who want to use their rights, such as access, correction, deletion, restriction, objection, or portability.
  • Meet the Customer’s own duties around security, breach notice, and, where needed, data-protection impact assessments and prior consultation with a regulator.

If an individual sends a rights request straight to us about a Customer’s data, we will pass it to the Customer rather than answer it ourselves, unless the law says otherwise.

9. Personal-data breach notification

If we become aware of a personal-data breach affecting the Customer’s data, we will tell the Customer without undue delay, by email to the Customer’s designated contact. We will share the information the Customer reasonably needs to meet its own legal duties, including what happened, the likely impact, and the steps we are taking. Reporting a breach to the Customer is not, by itself, an admission of fault.

10. Return and deletion on termination

When the agreement ends, and at the Customer’s choice, we will either return or delete the Customer’s personal data, then delete remaining copies, unless a law requires us to keep some of it. We may keep data in routine backups for a limited time until those backups expire on their normal cycle; that data stays protected and is not used for other purposes.

11. Audits and how they are limited

We will make available the information reasonably needed to show we meet this DPA, and we will allow and help with audits as the law requires. To protect everyone’s security and other customers’ data, audits follow reasonable limits:

  • The Customer gives reasonable advance notice and audits no more often than yearly, unless a regulator requires more or a breach has occurred.
  • Audits happen during business hours and must not disrupt the service.
  • Where appropriate, we may meet an audit request by giving recent third-party reports or certifications instead of granting direct system access.
  • Anyone carrying out an audit must keep what they learn confidential.

12. Final and executable version

This page is a baseline draft. The Clap Ideas party is CLAPPE Inc., of Edmonton, Alberta, Canada, and the default governing law is the Province of Alberta and the federal laws of Canada that apply there. The final, executable DPA, the precise transfer tools, and any extra terms are confirmed on formal launch and are subject to counsel review. To request the current DPA for your organisation, email legal@clapideas.com.

Read this DPA with our Privacy Policy, our Regional Privacy Rights Notice, and our Security & Responsible Disclosure Policy. For DPA or data-protection questions, email legal@clapideas.com or privacy@clapideas.com.

Change history is tracked by document version; see the Legal Centre.

Questions about this policy? legal@clapideas.com

CLAPPE Inc.
Suite C, 16644 - 71 St
Edmonton, AB T5Z 0N5, Canada

We provide support and legal contact by email only; we do not offer telephone support.
