Privacy Policy
Provision of Software-as-a-Service in the form of the website spell- and grammar-checking tool "TypoFox" – Data Processing Agreement pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR")
Our Contact Details
The protection of your data is particularly important to us. You can reach us at any time using the contact details below for questions or to withdraw your consent.
- Support: support@typofox.com
- Legal & data protection inquiries: office@dryven.com
- Web: typofox.com
- Address: dryven GmbH, Europaplatz 7, 3100 St. Pölten, Austria
- Phone: +43 664 535 38 68
Parties
The customer, hereinafter referred to as "Controller" or "User", and "TypoFox" (dryven GmbH, Europaplatz 7, 3100 St. Pölten, Austria, registered with the Commercial Register of the Regional Court of St. Pölten under FN 590486 m, VAT ID ATU78748278, managing directors: Anna Kofler & Jörg Summer), hereinafter also referred to as "Processor". Controller and Processor are jointly referred to as the "Parties".
Preamble
This Privacy Policy specifies the data protection rights and obligations of the Parties arising from the contract concluded between them regarding the use of the TypoFox platform.
TypoFox is a Software-as-a-Service tool that crawls websites of a domain specified by the User and uses artificial intelligence to check them for spelling and grammar errors. TypoFox is offered exclusively to businesses, freelancers, public entities, associations and other professionals (B2B). Consumers within the meaning of Section 1 of the Austrian Consumer Protection Act (KSchG) are not eligible to purchase the service.
In performing the contract, the Processor processes personal data on behalf of the Controller as a processor within the meaning of Article 28 GDPR. This agreement ensures that the processing complies with applicable data protection law.
1. Subject Matter and Duration
1.1. The subject matter of this agreement is the performance of the activities offered through the TypoFox platform by the Processor as a processor within the meaning of Article 28 GDPR – in particular the automated crawling of websites designated by the Controller, the analysis of their content for spelling and grammar errors, and the provision of the results through the platform.
1.2. The duration of this agreement corresponds to the term of the contract concluded through the platform.
2. Specification of the Processing
2.1. Nature and Purpose of Processing
The purpose is the identification of spelling and grammar errors on websites of the Controller through the use of web crawling technologies and artificial intelligence. Processing includes in particular:
2.1.1. The automated retrieval (crawling) of the domain or subdomains specified by the Controller and the extraction of the textual content of the publicly accessible pages located there.
2.1.2. The analysis, structuring and processing of this content using artificial intelligence (in particular Large Language Models provided by OpenAI) in order to identify spelling and grammar errors and generate correction suggestions.
2.1.3. The Controller acknowledges that the AI models used by the Processor (in particular those of OpenAI) temporarily use the content submitted in order to generate the respective result. Storage of the data for training the providers' general models is contractually excluded (API use with "Zero Data Retention" or, where this is not available, a maximum 30-day retention period for abuse monitoring on OpenAI's side). The Processor remains the data protection processor.
2.1.4. The creation, storage and provision of the generated analysis results, correction suggestions and reports within the User account.
2.1.5. The management of the user account (registration, authentication, subscription management) and the handling of payments through the Merchant of Record Paddle.
2.1.6. The Controller acknowledges that the analysis is based on probabilistic AI systems and that the results require mandatory human review by the Controller ("Human in the Loop" principle). No guarantee is given as to the completeness or accuracy of the errors identified or the correction suggestions provided.
2.1.7. The Controller warrants that they own the domain to be scanned or hold the explicit authorisation of the owner to have its content crawled and processed by TypoFox.
2.2. Categories of Personal Data
Depending on the configuration and use case by the Controller, the following categories of personal data may in particular be processed:
2.2.1. Account data of the User (e.g. name, email address, password hash, language, time zone)
2.2.2. Contract and billing data (e.g. selected subscription, term, invoice data – payment instruments are processed exclusively by Paddle)
2.2.3. Usage data (e.g. scanned domains, number of pages crawled, scan timestamps, allowance consumed)
2.2.4. Content of the scanned websites, to the extent that it contains personal data (e.g. names, contact details or other personal information appearing in texts, imprint, team pages)
2.2.5. Technical data (e.g. IP address, user agent, browser type, log data)
2.2.6. Special categories of personal data (Article 9 GDPR) only if the Controller scans domains that publicly contain such content. Responsibility for this lies exclusively with the Controller.
2.3. Categories of Data Subjects
2.3.1. The Controller themselves and employees of the Controller who use the platform
2.3.2. Persons whose personal data is published on the website to be scanned by the Controller (e.g. employees, management, contact persons, authors)
2.3.3. Other third parties whose data is contained in the content scanned by the Controller
3. Obligations of the Processor
3.1. The Processor processes personal data exclusively on the documented instructions of the Controller, including with regard to transfers of data to a third country. The configuration of scans, the selection of the domain to be checked and the use of the platform by the Controller constitute the primary instruction.
3.2. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
3.3. The Processor takes all technical and organisational measures (TOMs) required pursuant to Article 32 GDPR to ensure a level of protection appropriate to the risk. These measures are documented in Annex I.
3.4. The Processor complies with the conditions for engaging further processors (sub-processors) pursuant to Section 6.
3.5. The Processor supports the Controller as far as possible by appropriate technical and organisational measures in fulfilling the Controller's obligation to respond to requests for the exercise of data subject rights (Chapter III GDPR: information, access, rectification, erasure, restriction, data portability, objection, automated individual decision-making).
3.6. The Processor supports the Controller, taking into account the nature of the processing and the information available to it, in complying with Articles 32 to 36 GDPR. In particular, the Processor will notify the Controller of personal data breaches without undue delay by email.
3.7. Upon completion of the services, the Processor shall, at the choice of the Controller, delete or return all personal data, unless storage is required by Union or Member State law (in particular retention of up to 7 years for invoice and accounting data under the Austrian Federal Fiscal Code (BAO) and the Austrian Commercial Code (UGB)).
3.8. The Processor makes available to the Controller all information necessary to demonstrate compliance and allows for and contributes to audits and inspections.
3.9. The Processor maintains a record of all categories of processing activities pursuant to Article 30(2) GDPR.
3.10. The Controller has the right to satisfy themselves to a reasonable extent of the Processor's compliance, e.g. by inspecting relevant certifications, audits or self-disclosures.
4. Obligations of the Controller
4.1. The Controller is responsible for the lawfulness of the processing of personal data (Article 4(7) GDPR).
4.2. The Controller must ensure that they are authorised to crawl the domain they specify and that there is a sufficient legal basis for processing the personal data contained therein.
4.3. The Controller issues all instructions in writing or in electronic form. Verbal instructions must be confirmed in writing or electronically without undue delay.
4.4. The Controller informs the Processor without undue delay if they detect any errors or irregularities when reviewing the processing results.
5. Rights of the Controller / Users
5.1. With respect to data stored at the Processor, the Controller is generally entitled to the rights to information, access, rectification, erasure, restriction, data portability, withdrawal and objection.
5.2. Complaints may be addressed to the Processor (office@dryven.com) or to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (dsb@dsb.gv.at).
6. Sub-Processing
6.1. The Controller hereby grants the Processor general written authorisation to engage further processors (sub-processors).
6.2. A list of currently engaged sub-processors is included in Annex II.
6.3. The Processor informs the Controller of any intended changes by email. The Controller may object within 14 days for an important data-protection-related reason.
6.4. The Processor imposes on sub-processors the same data protection obligations set out in this agreement (Article 28(4) GDPR).
6.5. Transfers to a new sub-processor only take place once all conditions are met.
6.6. Transfers to a third country only take place under Articles 44 et seq. GDPR (e.g. adequacy decision, EU-US Data Privacy Framework, Standard Contractual Clauses). The basis is documented in Annex II.
7. Notification of Personal Data Breaches
7.1. The Processor notifies the Controller of any personal data breach without undue delay after becoming aware of it. The notification contains at least the information required by Article 33(3) GDPR.
8. Liability
8.1. Statutory provisions apply unless otherwise provided. As Controller, the Controller is liable to data subjects for damages from unlawful processing.
8.2. Internally, the Parties are liable in proportion to their fault. The limitations of liability in the platform contract apply mutatis mutandis.
8.3. The Processor is liable to data subjects only if it has failed to comply with its specific processor obligations or has acted contrary to lawful instructions of the Controller.
8.4. Liability of the Processor is limited to slight negligence vis-à-vis business customers.
8.5. Claims are time-barred within one year of becoming aware of the damage and the party causing it.
9. Cookies
9.1. The platform and typofox.com use "cookies" to make the offering more user-friendly, effective and secure.
9.2. A cookie is a small text file transmitted via a web server to the User's browser, allowing recognition on later visits.
9.3. Types of Cookies
- Session cookies: temporary, deleted at end of session.
- Persistent cookies: remain stored on the device for recognition on later visits.
9.4. Users may restrict or delete cookies via browser settings. Some functions may be limited if cookies are disabled.
9.5. Cookie Categories
- Essential cookies: authentication, security, cookie preferences. Set by dryven GmbH.
- Analytical cookies (consent only): pseudonymised statistics via PostHog. Withdraw via cookie settings at any time.
10. Server Log Files
10.1. The provider automatically records IP address, browser/language settings, OS, referrer URL, ISP, date and time.
10.2. This data is not merged with personal data sources. Retention is generally 30 days.
11. Payment Processing via Paddle (Merchant of Record)
11.1. Payment processing and invoicing are handled exclusively by Paddle.com Market Limited (Judd House, 18-29 Mora Street, London EC1V 8BT, UK) and Paddle.com Inc. for US transactions. Paddle acts as Merchant of Record.
11.2. Payment data is transmitted directly to Paddle. The Processor receives only data necessary to provide the service and for accounting.
11.3. Paddle is an independent controller for payment processing under its own privacy policy: https://www.paddle.com/legal/privacy
11.4. Paddle transfers data partly to third countries (in particular the US) on the basis of EU SCCs and – where applicable – the EU-US Data Privacy Framework.
12. Communication by Email
12.1. Users must take their own precautions to ensure email confidentiality. The Processor is not liable for damages from such communication.
13. Final Provisions
13.1. Amendments require written form, including waiver of this requirement.
13.2. If individual provisions are invalid, the remainder is unaffected.
13.3. This agreement is governed by Austrian law, excluding conflict-of-law rules.
Annex I: Technical and Organisational Measures (TOMs)
Confidentiality (Art. 32(1)(b) GDPR)
- Physical access: Certified cloud providers (Google Cloud, Supabase) with security locks, alarms, video surveillance, biometric controls, ISO 27001.
- System access: Strong passwords, 2FA for admin, auto-lock, secure password hashing.
- Data access: Role-based, need-to-know; Row-Level Security in Supabase.
- Separation: Logical multi-tenancy.
Integrity (Art. 32(1)(b) GDPR)
- Transfer: TLS 1.2+ everywhere, encryption at rest.
- Input: Logging of admin and security events.
Availability and Resilience (Art. 32(1)(b)(c) GDPR)
- Availability: Automated backups, redundant systems on Google Cloud Run and Supabase.
- Recoverability: Defined recovery procedures.
Regular Review (Art. 32(1)(d) GDPR)
- Regular review of measures.
- Established data protection management.
- Incident response process incl. statutory breach notification.
Annex II: Approved Sub-Processors
| Service | Provider | Description |
|---|---|---|
| Hosting & infrastructure | Google Cloud EMEA Limited (EU region, Cloud Run) | App hosted in EU region. DPA, EU SCCs, EU-US DPF where applicable. No use for own purposes. |
| Database, auth, storage | Supabase, Inc. (EU region) | Stores accounts, subscriptions, configs, scan results. Supabase DPA, TOMs, EU SCCs. |
| AI models (LLM) | OpenAI Ireland Ltd. / OpenAI L.L.C. | Spell/grammar analysis via API. No training on customer data. Up to 30-day abuse-monitoring retention. EU SCCs + EU-US DPF. |
| Web crawling | Mendable Inc. (Firecrawl) | Primary service for extracting text from websites and sitemaps. Processes website content temporarily. Mendable DPA, EU SCCs. |
| Payment & MoR | Paddle.com Market Ltd (UK) / Paddle.com Inc. (USA) | Payments, invoicing, taxes, refunds. Both processor and independent controller (KYC, fraud, statutory obligations). Paddle DPA, EU SCCs, EU-US DPF. |
| Transactional email | Astrodon Corporation (Loops, loops.so) | Account emails, password reset, scan reports/exports if delivered by email, billing-related notices and other operational messages. Processor under Loops DPA (https://loops.so/dpa). Transfers outside the EEA on EU SCCs or other Chapter V GDPR mechanisms as documented by Loops. |
| Web analytics | PostHog, Inc. | Product and website analytics (e.g. usage patterns, funnels). Pseudonymised where possible; non-essential tracking only with consent per cookie settings. PostHog DPA; international transfers per PostHog’s documentation (e.g. EU SCCs / adequacy). |
| Error monitoring | PostHog, Inc. | Error events, stack traces and related technical diagnostics to improve reliability. Configured to avoid scanned website content; primarily technical metadata. Same legal framework as analytics row. |
Last updated: May 2026