Data Processing Agreement

Last Updated: July 2026

1. Scope

This document summarises how PhysoClick ("Controller") engages third-party service providers ("Processors") that process personal data on our behalf, in accordance with GDPR Article 28.

2. Data Controller

PhysoClick is the data controller for all personal data collected through the platform. Governing law: Republic of Lithuania. Contact: via the Contact & Support page.

3. Subprocessors

The following third-party processors may process personal data on our behalf:

Processor Purpose Data Processed Location GDPR Commitment
Hetzner Online GmbH Hosting infrastructure All platform data (encrypted at rest) EU (Germany/Finland) Privacy Policy
Google LLC (Analytics) Usage analytics (with consent only) Anonymised usage data, IP address (truncated) EU/US (SCCs) GDPR Compliance
Microsoft Corp. (Clarity) Usage analytics (with consent only) Anonymised session recordings, click data EU/US (SCCs) GDPR Compliance
Paddle.com Market Ltd Payment processing Name, email, billing info (Paddle is Merchant of Record) UK/EU GDPR Compliance
OpenRouter, Inc. AI feature routing Lesson context, grade, language, question text (no PII) US (SCCs) Privacy Policy
Google LLC (OAuth) Social authentication Name, email (on user-initiated login only) EU/US (SCCs) GDPR Compliance
Sentry (Functional Software, Inc.) Error tracking Error stack traces, request metadata (no PII by default) US (SCCs) Privacy & Compliance

4. Processing Instructions

All processors act solely on our documented instructions. They may not process personal data for their own purposes. Each processor is contractually obligated to:

  • Process data only as instructed by the Controller;
  • Ensure persons authorised to process data are bound by confidentiality;
  • Implement appropriate technical and organisational security measures;
  • Not engage sub-processors without prior authorisation;
  • Assist the Controller with data subject rights requests;
  • Delete or return all personal data at end of service;
  • Make available information necessary to demonstrate compliance.

5. International Transfers

Where data is transferred outside the EU/EEA, we ensure adequate safeguards through Standard Contractual Clauses (SCCs) adopted by the European Commission, or the processor's adherence to an adequacy decision.

6. Security Measures

  • All data in transit is encrypted via TLS 1.2+;
  • Database storage is encrypted at rest;
  • Passwords are hashed using bcrypt;
  • Access to production systems is restricted to authorised personnel;
  • Regular automated backups with encrypted storage;
  • Rate limiting and CSRF protection on all endpoints.

7. Breach Notification

Processors are contractually required to notify us without undue delay upon becoming aware of a personal data breach. We will notify the relevant data protection authority within 72 hours and affected users without undue delay where required by GDPR Articles 33 and 34.

8. Data Retention

  • Email logs: automatically deleted after 180 days;
  • Resolved error reports: automatically deleted after 360 days;
  • Failed queue jobs: automatically deleted after 7 days;
  • Sessions: automatically expired and cleaned per session lifetime;
  • User data: retained until account deletion or as required by law.

9. Contact

For questions about data processing or to exercise your rights, please use the Contact & Support page.

← Back to Privacy Policy

Report an Issue

We use cookies
We use essential cookies to make our platform work. With your permission, we also use analytics cookies to understand how you use the platform and improve your experience.
Cookie preferences
Choose which cookies you allow. Essential cookies are always active because they are necessary for the platform to function. Analytics cookies help us understand how you use the platform.
Essential cookies Always active
Required for the platform to function. These cookies handle authentication, security, and session management. They cannot be disabled.
Cookie Provider Purpose Lifetime
physo-click-session PhysoClick Authentication and session management 30 days
XSRF-TOKEN PhysoClick Security — prevents cross-site request forgery Session
remember_web_* PhysoClick "Remember me" auto-login 60 days
cookie_consent PhysoClick Stores your cookie preferences 1 year
Analytics cookies
Help us understand how visitors interact with the platform. This data is used to improve features and user experience. No personal data is sold or shared with advertisers.
Cookie Provider Purpose Lifetime
_ga, _ga_*, _gid Google Page views and usage analytics 2 years
_clid, _clck Microsoft Session recordings and heatmaps 1 year