The terms below govern how VenatoPRO (d/b/a PRplus) processes personal data on behalf of our customers. Enterprise customers receive an executable PDF of this DPA with every order form.
Last updated: April 22, 2026 · Governing law: Pennsylvania, USA
Paid customers can request a counter-signed DPA with their legal entity and signing authority by emailing legal@prplus.io. Typical turnaround is 3 business days.
"PRplus" or "Processor" means VenatoPRO LLC, a Pennsylvania limited liability company with offices at 302 Spithaler School Road, Evans City, PA 16033, operating the PRplus.io service. "Customer" means the legal entity that has subscribed to the PRplus service. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 ("GDPR"). "CCPA" means the California Consumer Privacy Act as amended. "Subprocessor" means any third-party processor engaged by PRplus to process Personal Data on behalf of Customer.
For Personal Data uploaded, submitted, or generated by the Customer through the PRplus service, the Customer is the Controller and PRplus is the Processor. VenatoPRO (d/b/a PRplus) processes Personal Data solely to deliver the service, as documented in the PRplus Terms of Service and any executed order form, and in accordance with Customer's lawful written instructions.
VenatoPRO (d/b/a PRplus) processes: (a) account identifiers — name, email, organization name of Customer personnel; (b) customer content — the clients, contacts, pitches, reports, and AI prompt/response pairs the Customer chooses to store; (c) usage metadata — page views, feature usage, error logs. Data subjects include Customer personnel and any third-party contacts the Customer chooses to upload. Special-category data should not be uploaded unless Customer has obtained a lawful basis and notified PRplus.
PRplus maintains an up-to-date list of subprocessors at /subprocessors. PRplus will notify Customer of any new or changed subprocessor at least 30 days before the change takes effect. Customer may object on reasonable grounds within 30 days, in which case PRplus will either: (a) revise the change, (b) offer a mutually agreeable alternative, or (c) terminate the affected portion of the service with a pro-rata refund.
PRplus ensures that personnel authorized to process Personal Data are subject to written confidentiality obligations and are trained annually on data protection and secure development practices.
PRplus implements industry-appropriate technical and organizational measures, including: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); Row-Level Security policies enforcing per-organization isolation; role-based access control with least-privilege defaults; short-lived authentication sessions; webhook signature verification; audit logging for administrative actions; separation of production and non-production environments; and quarterly reviews of vendor access.
Each subprocessor is engaged under a written contract providing data-protection obligations materially equivalent to those in this DPA, and transfers of Personal Data to recipients outside the EEA / UK / Switzerland are made under the EU Standard Contractual Clauses (2021/914) or an equivalent transfer mechanism recognized by the relevant supervisory authority.
PRplus will, without undue delay, notify Customer of any request received from a data subject exercising rights under applicable data protection law. PRplus will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to such requests. Customer retains ultimate responsibility for handling data subject requests.
PRplus will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach affecting Customer data. The notification will include, to the extent known: the nature of the breach, affected categories of data and approximate number of data subjects, likely consequences, and measures taken or proposed to remediate.
On termination of the service, or upon Customer's written request, PRplus will — at Customer's choice — return or delete all Personal Data within 30 days, subject to retention required by law. Certain system backups may persist for up to 30 additional days until normal rotation removes them.
PRplus will, at Customer's written request and no more than once per 12-month period (except as required by a supervisory authority), make available information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer. Where PRplus has obtained an independent third-party audit report (e.g., SOC 2), PRplus may satisfy this obligation by providing that report.
Personal Data may be transferred to PRplus personnel and subprocessors located in the United States. Where such transfers involve Personal Data subject to the GDPR, the transfer is governed by the EU Standard Contractual Clauses (2021/914), with PRplus acting as data importer (Module Two: Controller to Processor).
The limitations of liability in the Terms of Service apply equally to this DPA. In the event of a conflict between this DPA and the Terms of Service in respect of the processing of Personal Data, this DPA controls.
This DPA is automatically incorporated into the Terms of Service for all paid customers. A separately signed PDF is available on request for customers whose procurement processes require one.
For all DPA, privacy, and data-protection questions contact legal@prplus.io. For a printable copy, see the PDF version (available on request).