Data Processing Addendum

Version 1.1 · Effective 2026-05-28 · Last reviewed 2026-05-28

This Data Processing Addendum (“DPA”) supplements the Vogelview Terms of Service and applies whenever Vogelview processes Personal Data on behalf of a Customer subject to applicable data protection legislation (GDPR, UK GDPR, CCPA, and equivalent state laws). Capitalized terms have the meaning ascribed in those laws.

1. Scope and roles

Customer is the data controller; Vogelview is the data processor for Personal Data submitted to or generated by the service.

2. Subject matter and duration of processing

Processing is for the purpose of providing the Vogelview interpretation service to the Customer and their end users, for the duration of the service agreement plus a 90-day post-termination retention window during which Customer may export Personal Data.

3. Types of Personal Data processed

• Identifying information (name, email, account credentials hash)
• Demographic information (age, sex, country)
• Genetic data (when uploaded by end user) — categorized as Special Category Data under GDPR Art. 9
• Medical test data (when uploaded by end user) — categorized as Special Category Data
• Wearable / health-app data (when connected by end user)
• Usage analytics with consent

4. Categories of data subjects

End users (consumers), authorized family members, and corporate-account members.

5. Sub-processors

Vogelview engages the sub-processors listed at /legal/sub-processors. The Customer hereby authorizes engagement of those sub-processors and grants general written authorization for the addition of new sub-processors with at least 30 days’ prior notice.

6. International data transfers + data residency

Primary residency: all Customer Personal Data is stored in Google Cloud Platform region us-central1 (Iowa, USA) via Firebase. Backups stay within the same region. EU-to-US transfers occur as part of normal service operation.

Transfer mechanism: Vogelview relies on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module Two — controller-to-processor) for transfers from the EEA/UK/Switzerland to the United States. For UK transfers, the UK International Data Transfer Addendum (IDTA) is incorporated by reference. Where the EU–US Data Privacy Framework adequacy decision (2023) applies to a given sub-processor, we additionally rely on that framework as a parallel mechanism. The SCCs are deemed executed by acceptance of this DPA.

Customer residency choice: at present we do not offer EU-only residency. Enterprise customers with strict residency requirements should contact us before signing; EU/CH-resident infrastructure can be provisioned on request as a paid add-on.

7. Security measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls; principle of least privilege
• Multi-factor authentication for production access
• Audit logging of administrative actions
• Annual third-party security review
• Defined incident response plan with 72-hour breach notification

8. Data subject rights

Vogelview will assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) without undue delay. End users may also exercise these rights directly via Settings.

9. Personal Data Breach notification

Vogelview will notify the Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach affecting Customer data, providing all information reasonably required to comply with the Customer’s notification obligations.

10. Audits

Vogelview makes available the most recent third-party security audit report and answers reasonable written audit questions. On-site audits are limited to once per year and require 30 days’ notice.

11. Data return and deletion

Within 30 days of termination, Vogelview will export the Customer’s Personal Data on request and delete remaining copies within the post-termination retention window (90 days), unless retention is legally required.

12. Liability

Each party’s liability under this DPA is subject to the limitation of liability provisions in the underlying service agreement.

13. Contact

Vogelview Data Protection Officer: dpo@vogelview.health

EU representative (per GDPR Art. 27): To be confirmed in writing on execution of this DPA for enterprise customers in the EEA. Default contact: eu-rep@vogelview.health.

This DPA is a template provided for transparency. For execution with your organization’s specific details (registered company name, primary contact, EU representative election, etc.), download the executable version: DPA.pdf. For questions, contact legal@vogelview.health.