Data Transfer Agreement

This Data Transfer Agreement ("DTA") supplements our Privacy Policy and Terms of Service to address international data transfers and compliance with data protection regulations, including the General Data Protection Regulation (GDPR).

1. Scope and Purpose

This agreement governs the transfer of personal data from the European Economic Area (EEA) to countries outside the EEA, particularly the United States, where Chiroy's servers and service providers are located.

2. Data Controller and Processor

Data Controller

Chiroy acts as the data controller for personal data collected through our Service. We determine the purposes and means of processing your personal information.

Data Processors

We use the following data processors who may process your data outside the EEA:

• Firebase (Google): Data storage and hosting services
• Microsoft Clarity: Analytics and user behavior tracking
• Vercel: Website hosting and performance monitoring
• Email Service Providers: For communications and notifications

3. Legal Basis for Data Transfers

We transfer your personal data outside the EEA based on the following legal grounds:

Adequacy Decisions

Some countries have been deemed adequate by the European Commission for data protection purposes.

Standard Contractual Clauses (SCCs)

For transfers to countries without adequacy decisions, we rely on Standard Contractual Clauses approved by the European Commission.

Consent

In some cases, we may rely on your explicit consent for data transfers.

4. Data Protection Safeguards

We implement appropriate safeguards to protect your data during international transfers:

• Encryption: All data is encrypted in transit and at rest
• Access Controls: Strict access controls and authentication
• Data Minimization: We only transfer data necessary for service provision
• Regular Audits: Periodic security assessments of our processors
• Contractual Obligations: Data protection clauses in all processor agreements

5. Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

• Right of Access: Request information about your personal data
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a structured format
• Right to Object: Object to certain types of processing
• Right to Withdraw Consent: Withdraw consent at any time

6. Data Retention and Deletion

We retain your personal data only for as long as necessary to provide our services or as required by law. When you delete your account, we will:

• Delete your personal data from our active systems
• Request deletion from our data processors
• Retain minimal data for legal compliance if required

7. International Data Transfers

United States Transfers

Most of our data processing occurs in the United States. We ensure adequate protection through:

• Standard Contractual Clauses with our US-based processors
• Additional contractual safeguards
• Regular monitoring of data protection practices

Other Countries

If we transfer data to other countries, we ensure equivalent protection through appropriate safeguards.

8. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

• Notify relevant supervisory authorities within 72 hours
• Notify affected individuals without undue delay
• Take immediate steps to contain and remediate the breach
• Document all breach-related activities

9. Supervisory Authority

If you are located in the EEA, you have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not handled your personal data in accordance with applicable data protection laws.

10. Changes to This Agreement

We may update this Data Transfer Agreement from time to time to reflect changes in our data processing practices or applicable laws. We will notify you of any material changes.