Data Processing Agreement

Last Updated: April 6, 2026  |  Effective: April 6, 2026

This Data Processing Agreement ("DPA") is entered into by and between the Customer ("Controller") and Emotrek Inc. ("Processor"). This DPA forms part of the Terms of Service and governs the processing of Personal Data by the Processor on behalf of the Controller.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Art. 4(2) GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Supervisory Authority" means the relevant data protection authority in the Controller's jurisdiction.

2. Scope & Applicability

This DPA applies where and only to the extent that Emotrek processes Personal Data on behalf of the Customer in the course of providing the Services under the Terms of Service. This DPA is designed to comply with the requirements of:

  • Regulation (EU) 2016/679 (GDPR)
  • UK GDPR (as retained under the Data Protection Act 2018)
  • Swiss Federal Act on Data Protection (FADP)

3. Details of Data Processing

Element                    Description
Subject Matter             Provision of mood tracking and clinical analytics platform
Duration                   For the term of the Terms of Service, plus any retention period
Nature & Purpose           Collection, storage, analysis, and display of patient mood data for clinical support
Types of Personal Data     Name, email, mood scores, journal entries, voice recordings, assessment responses, device information
Categories of Data Subjects  Therapists (account holders) and their Patients (data subjects)

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

4.2 Confidentiality

The Processor ensures that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access controls and Firebase security rules
  • Immutable PHI access audit logging
  • Automatic session timeout (30-minute inactivity)
  • Regular security testing and vulnerability assessments
  • Disaster recovery and backup procedures via Google Cloud

4.4 Data Protection Officer

The Processor has appointed a Data Protection Officer (DPO) who can be contacted at: dpo@Emotrek.app.

5. Sub-processors

5.1 Authorized Sub-processors

The Controller hereby grants the Processor general written authorization to engage the following sub-processors:

Sub-processor                      Purpose                                    Location               Transfer Mechanism
Google Cloud Platform / Firebase   Infrastructure, database, authentication   United States          SCCs / DPF
Google AI (Gemini)                 AI analysis of mood data                   United States          SCCs / DPF
Stripe, Inc.                       Payment processing                         United States          SCCs / DPF
Vercel, Inc.                       Web application hosting & CDN              United States (edge)   SCCs / DPF

5.2 Notice of New Sub-processors

The Processor will notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to the engagement of a new sub-processor within 14 days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the agreement.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under Chapter III of the GDPR, including:

  • Right of Access (Art. 15) — Providing copies of Personal Data
  • Right to Rectification (Art. 16) — Correcting inaccurate data
  • Right to Erasure (Art. 17) — Deleting data ("Right to be Forgotten"), subject to legal retention requirements
  • Right to Restriction (Art. 18) — Restricting processing
  • Right to Data Portability (Art. 20) — Exporting data in machine-readable format
  • Right to Object (Art. 21) — Objecting to processing

The Processor will respond to Controller requests within 5 business days and assist with Data Subject requests within 30 calendar days.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of Data Subjects affected
  • The name and contact details of the DPO
  • A description of the likely consequences
  • A description of measures taken or proposed to mitigate the breach

8. International Transfers

Where Personal Data is transferred from the EEA/UK/Switzerland to a third country (including the United States), the Processor ensures an adequate level of protection through:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
  • The EU-U.S. Data Privacy Framework (DPF) where applicable
  • Supplementary measures as recommended by the EDPB

9. Data Return & Deletion

Upon termination of the Services or upon request, the Processor shall:

  • Return all Personal Data to the Controller in a commonly used, machine-readable format, or
  • Delete all Personal Data (including copies), unless EU or Member State law requires continued storage

HIPAA Exception: Clinical records (mood entries, assessments) may be retained in de-identified form for up to 7 years as required by HIPAA §164.530(j).

10. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits, including inspections, conducted by the Controller or an authorized third-party auditor
  • Provide audit reports upon reasonable request (no more than once per 12-month period)

11. Liability & Indemnification

The Processor's liability under this DPA is subject to the limitations set forth in the Terms of Service. Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with Art. 82 GDPR.

12. Term & Termination

This DPA shall remain in effect for the duration of the Terms of Service. Provisions that by their nature should survive termination (including Sections 7, 9, 10, 11) shall survive.

13. Governing Law

This DPA is governed by the laws applicable to the Terms of Service. For processing governed by the GDPR, the provisions of the GDPR shall prevail in the event of any conflict.

14. Contact

For questions about this DPA:

Emotrek Inc.
Data Protection Officer: dpo@Emotrek.app
Privacy: privacy@Emotrek.app
Legal: legal@Emotrek.app