Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "you") and Spyc ("Data Processor" or "we", "us", or "our") governing the processing of personal data in connection with the use of our privacy-first investment tracking app (the "Service"). This DPA reflects our commitment to data protection and compliance with applicable laws.

1. Definitions

  • Personal Data: Any data relating to an identified or identifiable natural person processed via the Service.
  • Processing: Any operation performed on Personal Data, including collection, storage, and deletion.
  • Data Controller: You, who determine the purposes and means of processing Personal Data.
  • Data Processor: Us, who process Personal Data on your behalf.

2. Scope and Applicability

This DPA applies to the processing of Personal Data submitted by you through the Service, limited to anonymized data (e.g., hashed email keys) and transaction/holding data derived from uploaded files.

3. Obligations of the Data Processor

We agree to:

  • Process Personal Data only on your documented instructions, as outlined in this DPA and the Privacy Policy.
  • Ensure confidentiality of Personal Data processed.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist you, where possible, in meeting your obligations to respond to data subject requests.
  • Delete or return Personal Data at your request upon termination of the Service.

4. Data Processing Details

  • Subject Matter: Processing of anonymized investment-related data.
  • Duration: For the duration of your use of the Service, with data deleted post-termination.
  • Nature and Purpose: To provide investment tracking features, including net worth calculations and visualizations.
  • Categories of Data: Hashed email keys, transaction dates, amounts, and asset types.
  • Data Subjects: Users of the Service.

5. Security Measures

We maintain security measures including encryption in transit, secure storage, and access controls to protect Personal Data against unauthorized access or loss.

6. Sub-Processors

We do not engage sub-processors to process Personal Data unless required for service delivery (e.g., cloud storage). Any sub-processor will be bound by similar data protection obligations.

7. Data Subject Rights

We will assist you in fulfilling data subject rights (e.g., access, rectification, erasure) to the extent required by applicable law, leveraging our data export and deletion capabilities.

8. Audits and Inspections

Upon reasonable request, we will make available information necessary to demonstrate compliance with this DPA, subject to confidentiality obligations.

9. Liability

Each party shall be liable for damages caused by processing where it has not complied with this DPA, subject to applicable law.

10. Termination

This DPA remains in effect as long as we process Personal Data on your behalf. Upon termination, we will delete or return all Personal Data as instructed by you.

11. Contact Us

If you have any questions about this DPA, please contact us at info@spyc.io.