Legal

Data Processing Agreement

Effective date: April 30, 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Customer (the “Controller”), and
  • Changed Labs OÜ (the “Processor”, “Changed”, “we”, “us”).

This DPA forms part of the agreement governing the Customer’s use of the Changed services (“Service”).

2. Scope

The Processor will process Personal Data on behalf of the Controller only for the purpose of providing the Service, in accordance with the Controller’s documented instructions and applicable data protection laws (including the GDPR).

3. Processing details

Subject matter: Provision of the Service.

Duration: For the term of the Service agreement, plus any period required to securely delete or return data.

Nature and purpose: Hosting, storing, and processing end-user content and account data to deliver app functionality.

Categories of data subjects: Customer’s authorized users/end users.

Categories of Personal Data: Account identifiers, profile data, and user-generated wellness content (e.g., journal entries, habit logs, reflections), as applicable to the Customer’s configuration.

4. Security

Processor will implement appropriate technical and organizational measures to protect Personal Data, including encryption in transit, access controls, logging, and least-privilege operational practices.

5. Sub-processors

Processor may engage sub-processors to provide parts of the Service (e.g., infrastructure providers). Processor remains responsible for its sub-processors’ performance of their obligations and will ensure appropriate contractual safeguards are in place.

Current key sub-processors may include: Supabase (database/auth/storage), and Apple and Google (mobile billing), as applicable.

6. Data subject requests

Processor will provide reasonable assistance to enable Controller to respond to data subject requests (including access, export, and deletion) to the extent applicable to the Service.

7. International transfers

Where Personal Data is transferred internationally, Processor will ensure an appropriate transfer mechanism is used (e.g., Standard Contractual Clauses), as required by applicable law.

8. Retention & deletion

Upon termination of the Service, Processor will delete or return Personal Data in accordance with the Service agreement, except to the extent retention is required by law.

9. Audit

Upon reasonable written request, Processor will provide information necessary to demonstrate compliance with this DPA and may make available relevant third-party audit reports or security documentation, subject to confidentiality and security restrictions.

10. Contact

Changed Labs OÜ

Email: [email protected]

Address: Sepapaja tn 6, Lasnamäe linnaosa, Tallinn, Harju maakond, 15551, Estonia