Data Processing Agreement

Last updated: 2025.10.31

This Data Processing Agreement ("Agreement") forms part of the Terms of Service between the customer ("Controller") and Nodim (Tibor Tasi as representative), 1092 Budapest, Erkel street 14/A A/5/2, Hungary ("Processor"), together referred to as the "Parties".

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of Subtrakr ("Service").

1. Definitions

For the purposes of this Agreement:

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, or deletion.
  • "Controller" means the user or organization that determines the purposes and means of processing Personal Data.
  • "Processor" means Nodim (Tibor Tasi as representative), which processes Personal Data on behalf of the Controller.
  • "Subprocessor" means any third party engaged by the Processor to process Personal Data.
  • "GDPR" means the EU General Data Protection Regulation (Regulation (EU) 2016/679).

2. Subject Matter and Duration

This Agreement governs the processing of Personal Data by the Processor in connection with providing the Subtrakr Service.

Processing begins when the Controller starts using the Service and continues until the Controller's account is deleted or terminated, including data deletion and backup retention as described in this Agreement.

3. Nature and Purpose of Processing

The Processor will process Personal Data solely for the following purposes:

  • To provide and operate the Subtrakr web application.
  • To manage user accounts and authenticate logins.
  • To deliver notifications and communications related to the Service.
  • To process billing and payments.
  • To provide analytics, reporting, and system maintenance.

No processing will occur beyond these purposes unless required by law or explicitly authorized by the Controller.

4. Type of Data and Categories of Data Subjects

Personal Data processed:

  • Name
  • Email address
  • Subscription and recurring payment metadata (e.g., amount, billing cycle, renewal date)

Categories of data subjects:

  • Users of the Service (Controllers)
  • Team members invited by the Controller

The Service does not process special categories of data (sensitive data) as defined under Article 9 of the GDPR.

5. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that any person authorized to process Personal Data is committed to confidentiality.
  • Implement and maintain appropriate technical and organizational security measures.
  • Assist the Controller in fulfilling its obligations regarding data subject rights.
  • Delete or return all Personal Data at the end of the service period.
  • Make available all information necessary to demonstrate compliance with GDPR obligations.

The Processor shall not use Personal Data for its own purposes.

6. Security Measures

The Processor implements appropriate security measures to ensure the protection of Personal Data, including:

  • HTTPS encryption for data in transit
  • Envelope encryption for data at rest
  • Access restricted to authorized personnel only
  • Continuous monitoring and access logging

The Processor regularly reviews and updates these measures to maintain compliance with Article 32 of the GDPR.

7. Subprocessors

The Controller authorizes the Processor to engage the following subprocessors to provide parts of the Service:

Subprocessor        | Purpose                        | Location
Cloudflare          | Hosting, database, and CDN     | EU
Brevo               | Email delivery                 | EU
Stripe              | Payment processing             | EU/US
Google Analytics    | Usage analytics                | Global
Microsoft Clarity   | Session analytics              | Global
Google Tag Manager  | Tag management                 | Global
Facebook Pixel      | Marketing analytics            | Global
Headway             | Product update notifications   | EU/US
Featurebase         | Feedback collection            | EU/US

The Processor may update this list by adding or replacing subprocessors. The Processor will notify Controllers of such changes in advance (e.g., via email or in-app notice). Controllers may object to the change if they have a justified reason related to data protection.

8. Data Retention and Deletion

Personal Data is retained for as long as necessary to provide the Service.

When the Controller deletes their account or terminates the Service:

  • Personal Data will be deleted from active systems;
  • Backups may persist for up to 30 days, after which they are permanently deleted;
  • Requests for deletion can be sent to [email protected].

9. Assistance with Data Subject Rights

The Processor will assist the Controller in fulfilling obligations related to data subject requests under GDPR Articles 12–23, including:

  • Access to data
  • Rectification
  • Erasure ("Right to be forgotten")
  • Restriction of processing
  • Data portability

Requests from data subjects received directly by the Processor will be forwarded to the Controller without undue delay.

10. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay after becoming aware of the breach.
  • Provide details of the breach, its likely impact, and remedial measures taken.
  • Cooperate with the Controller to meet notification obligations under GDPR Articles 33 and 34.

11. Liability

The Processor's total liability arising under this Agreement shall not exceed the total amount paid by the Controller for the Service in the 12 months preceding the event giving rise to the claim.

Nothing in this Agreement limits liability for intentional or grossly negligent acts.

12. Governing Law and Jurisdiction

This Agreement is governed by the laws of Hungary.

Any disputes arising from or relating to this Agreement shall be resolved in English, in accordance with the arbitration clause defined in the Terms of Service.

13. Term and Termination

This Agreement remains in effect as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination, all data processing shall cease, and Personal Data will be deleted or returned as outlined above.

14. Contact Information

For privacy and data protection matters, please contact:

📧 [email protected]

🏠 Nodim (Tibor Tasi as representative)

1092 Budapest, Erkel street 14/A A/5/2, Hungary
