Data Processing Agreement (DPA)
Last updated: December 21, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between 530am.io ("Data Controller" or "we") and you ("Data Subject" or "you") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) 2016/679.
2. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data, such as collection, recording, storage, use, disclosure, or deletion
- "Data Controller" means 530am.io, which determines the purposes and means of processing personal data
- "Data Subject" means you, the individual to whom personal data relates
- "Data Processor" means any third party that processes personal data on behalf of the Data Controller
- "Sub-processor" means any Data Processor engaged by another Data Processor
- "GDPR" means the General Data Protection Regulation (EU) 2016/679
3. Scope and Application
This DPA applies to all processing of personal data by 530am.io where:
- The data subject is located in the European Union
- The processing is carried out in the context of our services
- The processing is subject to GDPR requirements
4. Data Controller Responsibilities
As the Data Controller, 530am.io shall:
- Determine the purposes and means of processing personal data
- Ensure that processing is lawful, fair, and transparent
- Collect personal data only for specified, explicit, and legitimate purposes
- Ensure data is adequate, relevant, and limited to what is necessary
- Keep personal data accurate and up to date
- Retain personal data only for as long as necessary
- Implement appropriate technical and organizational security measures
- Comply with data subjects' rights under GDPR
5. Categories of Personal Data Processed
We process the following categories of personal data:
5.1 Identity and Contact Data
- Name
- Email address
- Username
- Profile picture (optional)
5.2 Financial and Transaction Data
- Payment card details (processed by Stripe, not stored by us)
- Billing address
- Transaction history
- Subscription status
5.3 Technical Data
- IP address
- Browser type and version
- Operating system
- Session data
- Cookie data
5.4 Usage and Behavioral Data
- Posts created
- Comments posted
- Login history
- Feature usage patterns
6. Legal Basis for Processing
We process personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Account registration and management | Contract performance (Article 6(1)(b)) |
| Processing payments and subscriptions | Contract performance (Article 6(1)(b)) |
| Sending service communications | Contract performance (Article 6(1)(b)) |
| Marketing communications | Consent (Article 6(1)(a)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Article 6(1)(c)) |
7. Data Processors and Sub-processors
We engage the following third-party data processors:
7.1 Current Data Processors
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA | PCI DSS compliant, Standard Contractual Clauses |
| Resend | Email delivery and contacts | USA | Standard Contractual Clauses |
| ShortPixel | Image optimization | EU | GDPR compliant, EU-based |
7.2 Processor Obligations
All data processors are required to:
- Process personal data only on documented instructions from us
- Ensure confidentiality of persons authorized to process personal data
- Implement appropriate technical and organizational security measures
- Only engage sub-processors with our prior written authorization
- Assist us in responding to data subject rights requests
- Assist us with data breach notifications
- Delete or return personal data at the end of the agreement
- Provide information necessary to demonstrate GDPR compliance
8. International Data Transfers
Some of our data processors are located outside the European Economic Area (EEA). For such transfers, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs): Approved by the European Commission
- Adequacy Decisions: Transfers to countries with adequate data protection laws
- Additional Safeguards: Technical measures such as encryption in transit and at rest
9. Data Retention
We retain personal data for the following periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (active) | Duration of account + 30 days | Service provision |
| Transaction records | 7 years | Legal and tax obligations |
| Marketing consent | Until withdrawn + 30 days | Consent management |
| Security logs | 90 days | Security and fraud prevention |
| User-generated content | Duration of account (or until deleted by user) | Service provision |
10. Security Measures
We implement the following technical and organizational security measures:
10.1 Technical Measures
- Encryption in transit (TLS/SSL)
- Encryption at rest for sensitive data
- Secure password hashing (bcrypt)
- Two-factor authentication (optional)
- Regular security updates and patches
- Firewall and intrusion detection systems
- Regular security audits and penetration testing
10.2 Organizational Measures
- Access controls and authentication
- Staff training on data protection
- Confidentiality agreements with staff and contractors
- Data breach response plan
- Regular backup procedures
- Incident logging and monitoring
11. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (if required under GDPR Article 33)
- We will notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34)
- Notifications will include: nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed
- We maintain a record of all personal data breaches
12. Data Subject Rights
Under GDPR, you have the following rights:
- Right of Access (Article 15): Request copies of your personal data
- Right to Rectification (Article 16): Request correction of inaccurate data
- Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Article 18): Request restriction of processing
- Right to Data Portability (Article 20): Receive your data in a machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making (Article 22): Protection from automated profiling
To exercise these rights, contact us at hello@530am.io. We will respond within 30 days.
13. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
A list of EU supervisory authorities can be found at: edpb.europa.eu
14. Changes to This DPA
We may update this DPA to reflect changes in our data processing practices or legal requirements. Material changes will be communicated via email and posted on this page with an updated "Last updated" date.
15. Contact Information
For questions about data processing or to exercise your data subject rights:
Data Controller: 530am.io
Email: hello@530am.io
Subject Line: "GDPR Request" or "Data Protection"