Last Updated: May 21, 2026
Version: 2.0
This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service or other agreement ("Service Agreement") between Halogen AI, Inc. ("Halogen AI," "we," "us," or "our") and our customers ("Customer," "you," or "your") governing the use of Halogen Presence™, our Answer Engine Optimization (AEO) platform, and related services. This DPA applies when Customer Data processed through the Services includes Personal Data as defined under applicable data protection laws. By using the Services, you agree to the terms of this DPA.
"Applicable Laws" means all applicable data protection and privacy laws and regulations applicable to the processing of Personal Data, including without limitation the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial laws including Quebec's Law 25; and other applicable federal, state, provincial, and international privacy laws.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Halogen AI on behalf of the Customer through the Services.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Data.
"Sub-processor" means any third party engaged by Halogen AI to process Personal Data on behalf of our Customers.
Halogen AI acts as a data processor (or "service provider" under the CCPA/CPRA) with respect to Personal Data processed on behalf of Customers, who act as data controllers. This DPA defines the responsibilities and obligations of both parties regarding data protection.
Halogen AI processes Personal Data for the following purposes:
Types of Personal Data we process:
Categories of Data Subjects:
Personal Data is processed for the duration of the Service Agreement and retained for a limited period following termination as described in Section 7, unless a different retention period is required by law or agreed upon in writing.
All Halogen AI personnel authorized to process Customer Personal Data are subject to confidentiality obligations, are informed of applicable data-protection and security requirements, and are granted access only on a need-to-know basis.
We implement and maintain technical and organizational measures designed to protect Personal Data appropriate to the risk, including:
We continue to invest in our security program, including pursuing recognized security certifications and enhancements over time. We describe our current measures here and update them as our program matures; we do not, however, condition our obligations under this DPA on future enhancements.
In the event of a Security Incident affecting Customer Personal Data, we will notify affected Customers without undue delay, and in any event within forty-eight (48) hours of becoming aware of the incident. Notifications will describe, to the extent known, the nature of the incident, the categories of data affected, the likely consequences, and the measures taken or proposed to address it. We will cooperate in good faith in investigation and remediation efforts.
We use the following sub-processors to deliver the Services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI provider (Claude) for visibility analysis and content generation | United States |
| OpenAI, L.L.C. | AI provider (GPT models) for visibility analysis | United States |
| Google LLC | AI provider (Gemini) for visibility analysis; analytics | United States |
| Stripe, Inc. | Payment processing | United States |
| Vercel, Inc. | Application hosting and infrastructure | United States |
| Neon, Inc. | Database hosting and storage | United States |
| Resend, Inc. | Transactional and report email delivery | United States |
The locations above reflect the primary processing location for each provider; certain providers may process data in additional regions in accordance with their own terms. We maintain written data-protection terms with our sub-processors as required by Applicable Laws. An up-to-date list of sub-processors is available on this page or upon request.
As the data controller, you are responsible for ensuring you have a legal basis for collecting and providing Personal Data to us; providing necessary notices and obtaining required consents from Data Subjects; ensuring your instructions comply with Applicable Laws; ensuring you are authorized in respect of any website or property you submit for tracking or audit; and maintaining your own records of processing activities. You agree not to provide Personal Data to the Services beyond what is necessary for the Services, and to avoid submitting special categories of Personal Data.
We will provide reasonable assistance to help you respond to Data Subject requests regarding access, correction, deletion, portability, objection, and restriction of processing. We will not respond directly to Data Subjects unless instructed by you or required by law. Reasonable assistance is provided at no additional charge.
You may verify our compliance with this DPA through reasonable means, including security questionnaires, review of available security documentation and certifications, and, on reasonable prior notice and no more than once per year (or as required by a supervisory authority), an audit of relevant processing activities, subject to confidentiality and to not unreasonably disrupting our operations.
We operate primarily from the United States and store the data underlying the Services in the United States. However, because the Services rely on third-party AI providers and other sub-processors, certain Personal Data may be processed in, or transmitted to, jurisdictions outside the United States and Canada in accordance with those providers' terms.
We will provide reasonable assistance, taking into account the nature of processing and the information available to us, with Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities where required by Applicable Laws.
We may update this DPA to reflect changes in Applicable Laws, to accommodate new services or features, to improve security measures, or to add or change sub-processors. Updates will be posted on this page with a new version number and date. Material changes will be communicated by email or through the service dashboard.
For questions about this DPA or our data-protection practices:
Halogen AI, Inc.
1545 NE 90th St, Seattle, WA 98115
Email: privacy@halo-gen.ai