Heimdall — see trends before they happen

Data Processing Agreement (DPA / AVV)

Auftragsverarbeitungsvertrag pursuant to Article 28 GDPR · Revision: 20 May 2026

This DPA is pre-signed by Heimdall and becomes binding the moment you (the Controller) accept it by either (a) clicking "Accept DPA" in your account billing settings, (b) including a reference to this URL in a contract with us, or (c) emailing a signed copy to [email protected]. For a counter-signed PDF, email us and we'll return one within two business days.

Parties

Processor: Junaid Farooqui, sole proprietor based in Munich, Germany ("Heimdall"). Postal address available in the Impressum.

Controller: the natural or legal person who registered an account at useheimdall.app, identified by the billing email on file ("Customer").

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to perform the SaaS contract concluded between the parties (see our AGB). This DPA applies for the duration of that contract and any subsequent retention period required by law (§ 5 below).

2. Nature, purpose and scope

Nature: hosted SaaS providing content-strategy intelligence: ingesting trend signals, generating AI briefs, analysing post performance, clustering audience comments, repurposing video.

Purpose: enabling the Customer to identify and produce better-performing creative content.

Scope: processing limited to what is necessary to perform the contracted features. No processing for the Processor's own purposes (e.g. model training, profiling, marketing).

3. Categories of data subjects and personal data

Data subjects: (i) the Customer if a natural person, (ii) the Customer's employees or contractors who use the account, (iii) authors of public posts that the Customer chooses to track (competitors), (iv) authors of comments that the Customer pastes into the Comment-to-Content feature, (v) connected-social-account owners (where the Customer connects their own accounts via Phyllo).

Categories of personal data:

  • Account / contact data: name, email, password hash, locale, timezone.
  • Content data the Customer enters: voice samples, briefs, drafts, pasted competitor content, pasted comments.
  • Connected-platform data (when explicitly authorized via Phyllo): public profile, post analytics.
  • Technical data: IP at signup, browser user-agent, session cookies, error / request logs.
  • Billing data (held by Paddle as merchant of record, not by Heimdall): masked payment instrument, VAT details, billing address.

Heimdall does not request, expect or permit processing of special categories of personal data under Art. 9 GDPR (e.g. health, religion, political opinions, biometric data). The Customer is responsible for not uploading such data.

4. Obligations of the Processor (Art. 28(3) GDPR)

  • Process personal data only on documented instructions from the Controller. The Customer's use of the product through the standard interface constitutes such instruction. Any out-of-band instruction must be in writing.
  • Ensure persons authorized to process the data are bound by confidentiality (Art. 28(3)(b)) — the Processor is currently a sole proprietorship; any future contractor or employee will be bound by written confidentiality before access.
  • Implement appropriate technical and organizational measures under Art. 32 GDPR; see Annex II below.
  • Engage sub-processors only with prior general authorization. The current list lives at /privacy §6 and changes will be announced with at least 14 days' notice; objections can be raised by emailing [email protected].
  • Assist the Controller in fulfilling its obligations to respond to data-subject requests under Articles 15–22 GDPR.
  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  • Notify the Controller without undue delay (within 72 hours) after becoming aware of a personal data breach.
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services. Backups will be rotated out within 90 days.
  • Make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits during business hours, with 30 days' written notice, no more than once per year, and at the Controller's expense.

5. Sub-processors

Current authorized sub-processors are listed at /privacy §6. By signing this DPA the Customer authorises that list. New sub-processors will be announced via in-app notification and email to the Customer's billing address with at least 14 days' advance notice. The Customer may object within that window; if objection cannot be resolved, the Customer may terminate the contract for the affected functionality.

6. International transfers

Transfers to third countries are limited to the sub-processors listed at /privacy §6. They are safeguarded by EU-U.S. Data Privacy Framework certification where available, otherwise by the EU Commission's 2021 Standard Contractual Clauses (SCC Module 2 or 3 as applicable), supplemented by Heimdall's technical and organizational measures (see Annex II).

7. Liability

Liability between the parties is governed by the AGB (see /terms §11). Liability to data subjects under Art. 82 GDPR remains unaffected.

8. Term and termination

This DPA enters into force on the date of acceptance and remains in force as long as the underlying SaaS contract exists. Upon termination, the deletion / return obligations in § 4(8) apply.

9. Governing law and venue

German law applies. Place of jurisdiction for B2B disputes is Munich. Consumer jurisdiction rules remain unaffected.

Annex I — Description of processing

Annex II — Technical and organizational measures (Art. 32 GDPR)

Heimdall implements the following baseline safeguards. Detail is intentionally limited to avoid creating a roadmap for attackers; specifics are available under NDA.

Pre-signature

For Heimdall — Junaid Farooqui, sole proprietor, Munich, 20 May 2026.

The Controller's acceptance, as defined at the top of this page, completes the signature pair without need for a wet or DocuSign signature; one is available on request.

Questions? Email [email protected].