
Data Processing Agreement (DPA)

Last updated: November 20, 2025

Introduction

This Data Processing Agreement (DPA) forms part of the Terms of Service between you (the 'Controller') and NinjaNote (the 'Processor') and governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR).

This DPA applies to all personal data processed by NinjaNote on your behalf when you use our service.

Definitions

  • Controller: You, the user, who determines the purposes and means of processing personal data
  • Processor: NinjaNote, which processes personal data on behalf of the Controller
  • Personal Data: Any information relating to you that you store in NinjaNote
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
  • Data Subject: You, the individual to whom personal data relates
  • Sub-Processor: Third-party services that process data on behalf of NinjaNote

Roles and Responsibilities

Under GDPR:

You (Data Controller)

You control your own personal data and are responsible for ensuring lawful processing of any data you store in NinjaNote.

NinjaNote (Data Processor)

We process your personal data solely to provide the NinjaNote service according to your instructions.

Processing Details

Nature of Processing

Storage, transcription, categorization, synchronization, and optional sharing of voice notes and associated data.

Purpose of Processing

  • Transcribing audio recordings to text
  • Storing notes and audio files
  • Synchronizing data across your devices
  • Enabling collaborative features when you share notes

Duration

Data is processed for as long as you maintain an active account, plus up to 30 days for backups after account deletion.

Types of Personal Data

  • Email address, name, profile photo
  • Voice recordings, transcribed text, notes, summaries
  • Device information, push notification tokens

Categories of Data Subjects

Individual users of NinjaNote who create personal accounts.

Sub-Processors

NinjaNote uses the following sub-processors to deliver the service:

OpenAI, Inc.

Service: AI transcription and categorization

Location: United States

Data Processed: Audio files, transcribed text

Google LLC (Firebase)

Service: Cloud storage and database

Location: Multi-region (US/EU available)

Data Processed: All user data and files

Google LLC (OAuth)

Service: Authentication

Location: United States

Data Processed: Email, name, profile photo

Resend, Inc.

Service: Email notifications

Location: United States

Data Processed: Email address, notification content

Stripe, Inc.

Service: Payment processing

Location: United States

Data Processed: Payment information, user ID

We will notify you of any changes to sub-processors via email or service announcements.

Security Measures

NinjaNote implements the following technical and organizational measures:

  • Encryption in transit (HTTPS/TLS) and at rest (Firebase default encryption)
  • Role-based access control and data isolation per user
  • Secure authentication via Google OAuth 2.0
  • Security monitoring and logging
  • Regular automated backups with encryption
  • Regular security updates and patches

Data Subject Rights

NinjaNote provides the following tools to help you fulfill data subject rights:

  • Right of Access: Export all your data via the GDPR data export endpoint
  • Right to Rectification: Edit and update your notes and profile at any time
  • Right to Erasure: Delete your account and all data via the account deletion endpoint
  • Right to Portability: Export your data in JSON format
  • Right to Object: Stop using the service and delete your account

For assistance with data subject rights, contact hola@ninjanote.app

Data Breach Notification

In the event of a personal data breach, NinjaNote will notify you without undue delay (within 72 hours of becoming aware) and provide information about the nature of the breach and remedial actions.

International Data Transfers

Data may be transferred to countries outside the EEA. NinjaNote ensures appropriate safeguards through:

  • Use of services with adequacy decisions (where applicable)
  • Standard Contractual Clauses with sub-processors
  • Sub-processors with Privacy Shield certification or equivalent

Audit Rights

You may request information about our data processing practices and security measures by contacting us. We will provide reasonable cooperation to demonstrate compliance with this DPA.

Data Deletion

Upon termination of your account, all personal data will be permanently deleted within 30 days, except where retention is required by law.

Term and Termination

This DPA remains in effect for as long as you use NinjaNote and for 30 days after account deletion to allow for backup retention.

Contact

For questions about data processing or this DPA, please contact: