Remi

Data Processing Agreement

Last updated: 27 February 2026

1. Definitions

  • "Controller" — the user (you), who determines the purposes and means of processing personal data by using the Remi service.
  • "Processor" — Remi ("we", "us", "our"), which processes personal data on behalf of the Controller.
  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined by the GDPR.
  • "Sub-processor" — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "GDPR" — Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope & Purpose

This Data Processing Agreement ("DPA") supplements the Remi Terms of Service and applies to the processing of Personal Data by Remi on behalf of the Controller. The purpose of processing is to scan email metadata from the Controller's Gmail or Outlook inbox to identify delivery confirmations, extract return deadlines, and send timely reminders. The categories of data processed include email addresses, email metadata (sender, subject, date, snippet), OAuth tokens, and subscription information.

3. Processor Obligations

As Processor, Remi shall:

  • Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required to do so by applicable law.
  • Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organisational security measures as described in Section 6 of this DPA.
  • Assist the Controller in responding to data subject access requests (DSARs) and other rights requests under the GDPR.
  • Assist the Controller in ensuring compliance with obligations related to security of processing, breach notification, data protection impact assessments, and prior consultation.
  • At the Controller's choice, delete or return all Personal Data upon termination of the service agreement.

4. Sub-processors

The Controller authorises the Processor to engage the following Sub-processors. We will notify the Controller at least 30 days before adding or replacing a Sub-processor, and the Controller may object to such changes.

Provider | Purpose | Location
Neon | PostgreSQL database hosting | US (East)
OpenRouter | AI parsing of email metadata | US
Resend | Email delivery | US
Stripe | Payment processing | US
Vercel | Application hosting | US
Cloudflare | CDN and DNS | Global
Google | Gmail OAuth authentication, inbox access & Pub/Sub push notifications | US
Microsoft | Outlook email access & authentication (Entra ID / Graph API) | Global
Telnyx | SMS delivery | US

5. Data Transfers

Personal Data may be transferred to and processed in the United States. For transfers of Personal Data from the European Economic Area to countries that have not received an adequacy decision from the European Commission, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by additional technical measures where appropriate. Copies of our SCCs are available upon request.

6. Security Measures

Remi implements the following technical and organisational measures to protect Personal Data:

  • Encryption at rest — OAuth tokens and sensitive data are encrypted using AES-256-GCM.
  • Encryption in transit — all data is transmitted over TLS 1.2 or higher.
  • Row-level security (RLS) — database queries are scoped to individual user IDs, preventing cross-user data access.
  • Content Security Policy (CSP) — strict CSP headers prevent cross-site scripting and other injection attacks.
  • Audit logging — access to Personal Data is logged for accountability and incident response.
  • Access controls — access to production systems is limited to authorised personnel using multi-factor authentication.

7. Breach Notification

In the event of a personal data breach, Remi will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

8. Data Retention & Deletion

Personal Data is retained for as long as the Controller's account is active. Upon account deletion or termination of the service agreement, all Personal Data associated with the Controller's account will be permanently deleted within 30 days. Deletion cascades to all related records, including email metadata, OAuth tokens, reminder preferences, and subscription data. Aggregated, anonymised data that cannot be attributed to any individual may be retained indefinitely.

9. Audit Rights

The Controller may request compliance documentation to verify Remi's adherence to this DPA and applicable data protection laws. Remi will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audit requests should be directed to [email protected].

10. Term

This DPA is effective from the date the Controller begins using the Remi service and remains in effect for as long as Remi processes Personal Data on behalf of the Controller. This DPA is co-terminous with the Remi Terms of Service. Obligations relating to confidentiality and data deletion survive termination.

11. Contact

For questions about this DPA or to exercise your rights, contact us at [email protected].