Data Processing Agreement

Last updated: June 9, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Food Blog Studio, operated by Food Blog Coaching (“Processor,” “we,” “us,” or “our”) and the user of our services (“Controller,” “you,” or “your”).

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation, and other applicable data protection legislation.

2. Definitions

  • “Data Protection Laws” means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, PIPEDA, and any successor legislation.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Services.
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Services” means the Food Blog Studio platform and related services provided under the Terms of Service.

3. Scope and Roles

3.1 Relationship of the Parties

For the purposes of this DPA:

  • You (the Controller) determine the purposes and means of processing Personal Data through your use of our Services
  • We (the Processor) process Personal Data on your behalf to provide the Services

3.2 Scope of Processing

This DPA applies to Personal Data processed by us in the course of providing the Services, including:

  • Account information (email addresses, names)
  • Billing and subscription information (processed via Stripe)
  • Content submitted for AI processing (recipes, blog content, prompts)
  • Usage data and analytics
  • Ideal Reader Profile and Voice Tone Profile information, including writing samples

4. Details of Processing

4.1 Subject Matter

The provision of AI-powered content generation and analysis tools for food bloggers.

4.2 Duration

Processing will continue for the duration of your use of the Services and for any retention period required by law or as specified in our Privacy Policy.

4.3 Nature and Purpose

Purpose | Nature of Processing
Service Delivery | Processing user inputs to generate AI content
Authentication | Storing and verifying account credentials
Personalization | Processing Ideal Reader Profiles to customize outputs
Analytics | Analyzing usage patterns to improve Services
Support | Processing data to respond to user inquiries

4.4 Categories of Data Subjects

  • Users of Food Blog Studio (food bloggers and content creators)
  • Individuals described in user-submitted content (e.g., Ideal Reader Profiles)

4.5 Types of Personal Data

  • Contact information (email address, name)
  • Account credentials
  • Billing and subscription data (payment processing handled by Stripe)
  • User-generated content and prompts
  • Usage and analytics data
  • IP addresses and device information

5. Processor Obligations

We agree to:

5.1 Lawful Processing

  • Process Personal Data only on your documented instructions, unless required by law
  • Inform you if we believe an instruction violates Data Protection Laws

5.2 Confidentiality

  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to those who need it to perform the Services

5.3 Security Measures

Implement appropriate technical and organizational measures to ensure security of Personal Data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Secure authentication through Firebase
  • Access controls and authentication requirements
  • Regular security assessments
  • Incident response procedures

5.4 Sub-processors

  • Only engage Sub-processors with your prior authorization (see Section 7)
  • Ensure Sub-processors are bound by data protection obligations comparable to this DPA
  • Remain liable for Sub-processor compliance

5.5 Data Subject Rights

  • Assist you in responding to Data Subject requests (access, rectification, erasure, portability, objection)
  • Notify you promptly upon receiving a Data Subject request
  • Not respond directly to Data Subject requests without your authorization, unless legally required

5.6 Data Breach Notification

  • Notify you without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach
  • Provide information about the breach, including nature, categories of data, approximate number of Data Subjects affected, and remedial measures

5.7 Data Protection Impact Assessments

Provide reasonable assistance for Data Protection Impact Assessments and prior consultations with supervisory authorities, where required.

5.8 Deletion and Return

Upon termination of the Services or your request:

  • Delete or return all Personal Data (at your choice)
  • Delete existing copies unless retention is required by law
  • Provide certification of deletion upon request

6. Controller Obligations

You agree to:

  • Ensure you have a lawful basis for processing Personal Data through our Services
  • Provide clear and accurate instructions for processing
  • Ensure Data Subjects are informed about how their data will be processed
  • Comply with all applicable Data Protection Laws
  • Obtain any necessary consents from Data Subjects

7. Sub-processors

7.1 Authorized Sub-processors

You authorize us to engage the following Sub-processors:

Sub-processor | Purpose | Location
Anthropic | AI content generation (Claude API) | United States
Google (Firebase) | Authentication, database storage | United States
Stripe | Subscription billing, payment processing | United States
Vercel | Hosting, analytics | United States
Resend | Transactional email delivery (welcome and password-reset emails) | United States

7.2 Changes to Sub-processors

We will:

  • Maintain a current list of Sub-processors
  • Notify you of any intended changes to Sub-processors
  • Allow you a reasonable period to object to new Sub-processors
  • Permit you to terminate the affected Services if you object and we cannot accommodate your objection

8. International Data Transfers

8.1 Transfer Mechanisms

Personal Data may be transferred to countries outside the EEA/UK, including the United States. We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data processing agreements with Sub-processors
  • Other legally recognized transfer mechanisms

8.2 Additional Safeguards

For transfers to the United States, we implement supplementary measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Data minimization practices

9. Audits and Compliance

9.1 Audit Rights

Upon reasonable notice, you may:

  • Request information demonstrating our compliance with this DPA
  • Conduct audits (or have them conducted by an independent auditor) of our processing activities

9.2 Audit Conditions

Audits shall:

  • Be conducted during normal business hours
  • Not unreasonably disrupt our operations
  • Be subject to confidentiality obligations
  • Be at your expense (unless the audit reveals material non-compliance)

9.3 Certifications and Reports

We will provide, upon request:

  • Evidence of security measures
  • Summary of security assessments
  • Relevant certifications (if applicable)

10. Liability

10.1 Liability Cap

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

10.2 Indemnification

Each party shall indemnify the other for any fines, damages, or costs arising from the indemnifying party's breach of this DPA or Data Protection Laws.

11. Term and Termination

11.1 Term

This DPA shall remain in effect for the duration of your use of the Services.

11.2 Survival

Provisions that should survive termination (including confidentiality, data deletion, and liability) shall survive.

12. Governing Law

This DPA shall be governed by the same law as the Terms of Service. For EEA Data Subjects, GDPR shall apply. For UK Data Subjects, UK GDPR shall apply.

13. Updates to This DPA

We may update this DPA to reflect changes in Data Protection Laws or our processing activities. Material changes will be notified to you via email or through the Services.

14. Contact Information

For questions about this DPA or to exercise your rights:

Data Protection Contact:
Email: hello@foodblog.studio

For EU/UK users: You may also contact your local supervisory authority.

15. Execution

By using Food Blog Studio, you acknowledge and agree to this Data Processing Agreement as part of the Terms of Service.

This document is provided for informational purposes and is designed to comply with GDPR and other data protection requirements. We recommend having legal counsel review all agreements before publication.