Skip to content
← Back to home

Data Processing Addendum

Last updated: 18/07/2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”) and Peter Neale, trading as Scry, an Australian sole trader (ABN 12 605 313 932) (“Scry,” “Processor”) wherever Customer, in using the Service, acts as a data controller of personal data belonging to session participants, players, or other individuals (“Data Subjects”) that is subject to the GDPR, UK GDPR, or an equivalent data protection law. Terms not defined here have the meaning given in the Terms of Service or the GDPR.

This DPA applies automatically to Customers who need it for regulatory reasons; it does not change Scry's obligations to individual end users under the Privacy Policy, which continues to apply in parallel.


1. Roles

Customer is the data controller of personal data relating to its campaign's players and session participants. Scry is the data processor, processing that personal data solely to provide the Service, on Customer's documented instructions as set out in the Terms of Service and this DPA.


2. Subject Matter and Details of Processing

Subject matterProvision of the Scry campaign management Service, including voice recording, transcription, AI-assisted wiki generation, and related features.
DurationFor as long as Customer's account or campaign remains active, plus the retention period described in Section 8 of the Privacy Policy.
Nature and purposeRecording, transcription, entity extraction, summarization, storage, and display of session content to build and maintain a campaign wiki.
Categories of Data SubjectsCustomer's session participants/players (and the Customer/DM themselves).
Categories of personal dataVoice audio and its transcription; Discord usernames/IDs; in-session dialogue and any personal information disclosed within it; player entity metadata (e.g., pronouns, if configured).

3. Processor Obligations

Scry will:

  1. Process personal data only on Customer's documented instructions, including regarding international transfers, unless required to do otherwise by law (in which case Scry will inform Customer before processing, unless prohibited from doing so);
  2. Ensure personnel authorized to process the data are bound by confidentiality;
  3. Implement appropriate technical and organizational security measures under GDPR Article 32, including encryption in transit, row-level database security, and service-role-only backend access (see Section 12 of the Privacy Policy);
  4. Engage sub-processors only as listed in Section 5 below, and notify Customer of any intended change so Customer can object on reasonable data-protection grounds;
  5. Assist Customer, taking into account the nature of processing, in responding to Data Subject rights requests (access, deletion, portability, etc.) — in practice, largely self-service via /scry delete-my-data and account tools described in the Privacy Policy;
  6. Assist Customer with data protection impact assessments and consultations with supervisory authorities where required;
  7. Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's data, and provide information reasonably necessary for Customer to meet its own breach notification obligations;
  8. At Customer's choice, delete or return all personal data at the end of the relationship (subject to the retention windows in the Privacy Policy and any legal retention obligations), including via Obsidian export before deletion; and
  9. Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, on reasonable notice and no more than once per year absent a legitimate concern.

4. International Transfers

Where personal data is transferred outside the EEA or UK, the safeguard depends on the sub-processor — see the table in Section 5. Most rely on Standard Contractual Clauses or the EU-US Data Privacy Framework; Supabase's infrastructure is hosted in Japan, which has a standing EU adequacy decision, so no additional safeguard is required there.

DeepSeek is the exception. DeepSeek, used for entity extraction, summarization, and Scry's AI chat features, processes data on infrastructure in mainland China. It does not currently offer a GDPR-standard DPA, Standard Contractual Clauses, or any other recognized Chapter V transfer mechanism, and China has no European Commission adequacy decision. If Customer is a controller of EU/UK personal data and needs a lawful transfer basis for every sub-processor before signing this DPA, that basis does not currently exist for DeepSeek specifically. Customer should factor this into its own risk assessment before relying on this DPA to cover AI-feature processing, and may wish to exclude the DM Assistant, Unseen Servant, and Prep Assistant from in-scope processing until this is resolved.


5. Sub-processors

Customer provides general authorization for Scry to engage the sub-processors listed below, and any additional sub-processor Scry adds after giving Customer notice as described in Section 3(4).

Sub-processorFunctionLocationTransfer mechanism
VercelApplication hostingWashington D.C., USASCCs / EU-US DPF
SupabaseDatabase, vector storage, file storage (including temporary PDF staging)Tokyo, JapanEU adequacy decision — no SCCs required
RailwayDiscord bot hosting, background workersVirginia, USASCCs / EU-US DPF
ClerkAuthenticationUnited States (no EU residency option currently offered)SCCs
StripePayment processingUnited States (global processing)SCCs / EU-US DPF
GroqVoice transcriptionUnited StatesSCCs
DeepSeekAI processing (extraction, summarization, chat)Mainland ChinaNone — see Section 4
OpenAIText embeddingsUnited States by defaultSCCs / EU-US DPF
PostHogProduct analyticsUnited StatesSCCs / EU-US DPF
SentryError monitoringFrankfurt, Germany (EU)Not applicable — EU-hosted
ResendTransactional emailUnited States (account data always US-based, regardless of sending region)EU-US DPF

6. Liability

Each party's liability under this DPA is subject to the limitation of liability set out in Section 14 of the Terms of Service.


7. Contact

Data protection queries relating to this DPA: peter@getscrying.com

Never break the spell again.

Your world, remembered. Your sessions, summarised. Your players, seen.

Start for free

No card required