Data Processing Addendum

This addendum applies where Fomel processes personal data on your behalf in the course of providing the service. For that data, you are the controller and Fomel is the processor. Fomel processes personal data only on your documented instructions, which include your use of the service and these terms.

The subject matter is the provision of the Fomel service. Processing continues for the term of your subscription and ceases on termination, subject to the deletion practices described in our Privacy Policy.

Fomel ingests, indexes, retrieves, and analyzes the material you connect or upload so it can return decision support across Reports, the Assistant, and Decisions, and so it can deliver that output to your authorized users in-app and by email.

• Your authorized users (executives and their staff).
• People referenced in your connected and uploaded material: colleagues, board members, investors, customers, counterparties, and other correspondents.

• Account data: names, email addresses, roles, and company affiliation.
• Communications content and metadata: read-only Gmail messages and headers, calendar events and attendees, and Drive document content and metadata that you choose to connect.
• Uploaded content: documents you add to the Context Library and any personal data they contain.
• Derived data: the people graph, vector embeddings, decisions, and outcomes generated from the above.

Fomel is not designed to process special-category data, and you should not connect or upload such data except as strictly necessary and lawful.

Fomel implements technical and organizational measures appropriate to the risk, including:

• Encryption of connected-account tokens at rest.
• Encryption of data in transit (TLS).
• Organization-scoped access controls enforced at every layer of the application.
• Strictly read-only access to connected Google data; Fomel never writes to your Gmail, Calendar, or Drive.
• An audit trail of administrative and data actions.
• Least-privilege handling of data passed to sub-processors.

You authorize Fomel to engage the following sub-processors. Each receives only the data needed for its function.

• Anthropic (Claude)

  Model inference for analysis and drafting.

  United States

• Voyage AI

  Embedding generation for retrieval.

  United States

• Resend

  Transactional and Report email delivery.

  United States

• Supabase

  Managed Postgres database hosting, including embeddings.

  United States / EU (per project region)

• Google

  Source of read-only Gmail, Calendar, and Drive data via OAuth.

  United States

We will give reasonable notice of any intended change to this list so you can object.

Where processing involves transferring personal data across borders, the transfer is made under an appropriate safeguard, including the European Commission's Standard Contractual Clauses (SCCs) where required. The applicable SCC module and completed annexes form part of this addendum and are provided on request.

Fomel will assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations. The service provides self-serve export and deletion so you can fulfill access, portability, and erasure requests directly.

Fomel will notify you without undue delay after becoming aware of a personal data breach affecting your data, and will provide the information reasonably needed for you to meet your own notification duties.

On termination, Fomel will delete or return personal data as described in our Privacy Policy, save for copies required to be retained by law.

To request an executed DPA or to raise a data protection matter, write to hello@fomel.local.