Data Processing Agreement
Last Updated: July 2026
1. Scope
This document summarises how PhysoClick ("Controller") engages third-party service providers ("Processors") that process personal data on our behalf, in accordance with GDPR Article 28.
2. Data Controller
PhysoClick is the data controller for all personal data collected through the platform. Governing law: Republic of Lithuania. Contact: via the Contact & Support page.
3. Subprocessors
The following third-party processors may process personal data on our behalf:
| Processor | Purpose | Data Processed | Location | GDPR Commitment |
|---|---|---|---|---|
| Hetzner Online GmbH | Hosting infrastructure | All platform data (encrypted at rest) | EU (Germany/Finland) | Privacy Policy |
| Google LLC (Analytics) | Usage analytics (with consent only) | Anonymised usage data, IP address (truncated) | EU/US (SCCs) | GDPR Compliance |
| Microsoft Corp. (Clarity) | Usage analytics (with consent only) | Anonymised session recordings, click data | EU/US (SCCs) | GDPR Compliance |
| Paddle.com Market Ltd | Payment processing | Name, email, billing info (Paddle is Merchant of Record) | UK/EU | GDPR Compliance |
| OpenRouter, Inc. | AI feature routing | Lesson context, grade, language, question text (no PII) | US (SCCs) | Privacy Policy |
| Google LLC (OAuth) | Social authentication | Name, email (on user-initiated login only) | EU/US (SCCs) | GDPR Compliance |
| Sentry (Functional Software, Inc.) | Error tracking | Error stack traces, request metadata (no PII by default) | US (SCCs) | Privacy & Compliance |
4. Processing Instructions
All processors act solely on our documented instructions. They may not process personal data for their own purposes. Each processor is contractually obligated to:
- Process data only as instructed by the Controller;
- Ensure persons authorised to process data are bound by confidentiality;
- Implement appropriate technical and organisational security measures;
- Not engage sub-processors without prior authorisation;
- Assist the Controller with data subject rights requests;
- Delete or return all personal data at end of service;
- Make available information necessary to demonstrate compliance.
5. International Transfers
Where data is transferred outside the EU/EEA, we ensure adequate safeguards through Standard Contractual Clauses (SCCs) adopted by the European Commission, or the processor's adherence to an adequacy decision.
6. Security Measures
- All data in transit is encrypted via TLS 1.2+;
- Database storage is encrypted at rest;
- Passwords are hashed using bcrypt;
- Access to production systems is restricted to authorised personnel;
- Regular automated backups with encrypted storage;
- Rate limiting and CSRF protection on all endpoints.
7. Breach Notification
Processors are contractually required to notify us without undue delay upon becoming aware of a personal data breach. We will notify the relevant data protection authority within 72 hours and affected users without undue delay where required by GDPR Articles 33 and 34.
8. Data Retention
- Email logs: automatically deleted after 180 days;
- Resolved error reports: automatically deleted after 360 days;
- Failed queue jobs: automatically deleted after 7 days;
- Sessions: automatically expired and cleaned per session lifetime;
- User data: retained until account deletion or as required by law.
9. Contact
For questions about data processing or to exercise your rights, please use the Contact & Support page.
← Back to Privacy Policy